Work environment
- FortiGate-VM
- version 7.0.5
Port forwarding example [Destination NAPT]
As shown in the figure below, configure the FortiGate so that a connection from a client behind port1 to 192.168.75.111 port 20022 is port-forwarded to 192.168.200.111 port 22 (SSH), which sits behind port2.

Create Virtual IP
For port forwarding (destination NAPT) with FortiGate, create and use a Virtual IP.
You can create one on the [Policy & Objects > Virtual IPs] screen.

In the case of this configuration example, configure as shown in the image below.

- External IP address/range: destination IP address before translation
- Map to IPv4 address/range: destination IP address after translation
- External service port: destination port before translation
- Map to IPv4 port: destination port after translation
Configure Firewall Policy with Virtual IP
Configure a firewall policy to allow port-forwarded traffic.
Specify the Virtual IP created earlier as the Destination, as shown below. For Service, specify the translated port (SSH, port 22, in this example).
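
CLI equivalent of the two GUI steps above, as an added example that is not from the original page: it defines the Virtual IP and the firewall policy that references it. The object and policy names, `extintf`, `srcaddr "all"`, the schedule and the logging setting are assumptions, since the page does not state them.

```fortios
config firewall vip
    edit "VIP_SSH_20022"
        set comment "Added example: object name and extintf are assumptions"
        set extintf "port1"
        set extip 192.168.75.111
        set mappedip "192.168.200.111"
        set portforward enable
        set protocol tcp
        set extport 20022
        set mappedport 22
    next
end
config firewall policy
    edit 0
        set name "VIP_SSH_20022_in"
        set comments "Added example: name, srcaddr, schedule and logging are assumptions"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP_SSH_20022"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end
```

Replacing `all` in `srcaddr` with an address object for the client narrows who can reach the forwarded SSH port.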

Operation test
From the client, connect via SSH to 192.168.75.111:20022 and check that you reach the server (192.168.200.111).
I was able to confirm that SSH access is possible, as follows.
[root@Client ~]# ssh -l root -p 20022 192.168.75.111
root@192.168.75.111's password:
Last login: Sun Oct 2 16:37:15 2022 from 192.168.75.10
[root@MAIL-SV ~]#
If you then check the FortiGate traffic logs, you will see that the destination has been translated.
