
How To Configure Port Forwarding using Virtual Host to access devices on Internal network


Applicable to Version: 10.00 onwards

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide access to internal resources. The article covers how to:
- Create a virtual host
- Create a firewall rule to allow the inbound traffic

Virtual host

Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam. A Virtual Host maps services of a public IP address to services of a host in a private network. In other words, it is a mapping of a public IP address to an internal IP address. This virtual host is used as the destination address to access an internal or DMZ server. A Virtual host can be a single IP address, an IP address range, or a Cyberoam interface itself. Cyberoam will automatically respond to ARP requests received on the WAN zone for the external IP address of the Virtual host.

Sample schema

Throughout the article we will use the network parameters displayed in the below given network diagram. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The public servers, the mail and web server, are hosted in the DMZ.

Network components

Component     External IP address (Public)   IP address (Internal)
Web server    203.88.135.208                 192.168.1.4 (Mapped)
Mail server   204.88.135.192                 192.168.1.15 (Mapped)

For virtual host:
External IP: IP address through which Internet users access the internal server.
Mapped IP: IP address bound to the internal server.


Configuration

The entire configuration is to be done from the Web Admin Console with a user having the Administrator profile.

Step 1: Create virtual host for Web server

Go to Firewall > Virtual Host and click on the Add button to add a virtual host with the parameters specified in the sample schema. In our example, Internet users will access the internal web server using public IP 203.88.135.208, which is mapped to local IP 192.168.1.4. In other words, all inbound requests to 203.88.135.208 will be forwarded to 192.168.1.4.


Parameter       Value            Description
Name            WebServer
External IP     203.88.135.208   Public IP address is the IP address through which Internet users access the internal server/host.
Mapped IP       192.168.1.4      Mapped IP is the IP address to which the external IP address is mapped. This is the actual private IP address of the host being accessed using the virtual host.
Physical Zone   DMZ


Click on OK and the Virtual Host WebServer has been added successfully.

Note
If servers are hosted on the LAN, change the Physical Zone to LAN. In case you have custom zones, change the Physical Zone accordingly.
Public IP address is the IP address through which Internet users access the internal server/host. If the public IP address is already configured as the main Interface IP or an alias IP, then use the option Interface IP to select it as the external IP; otherwise create a host for the IP and select it from the IP address list.

Step 2: Create virtual host for Mail server

Go to Firewall > Virtual Host and click on the Add button to add a virtual host with the parameters specified in the sample schema. In our example, Internet users will access the internal mail server using public IP 203.88.135.192, which is mapped to local IP 192.168.1.15. In other words, all inbound requests to 203.88.135.192 will be forwarded to 192.168.1.15.


Parameter       Value            Description
Name            Mailserver
External IP     203.88.135.192   Public IP address is the IP address through which Internet users access the internal server/host.
Mapped IP       192.168.1.15     Mapped IP is the IP address to which the external IP address is mapped. This is the actual private IP address of the host being accessed using the virtual host.
Physical Zone   DMZ


Click on OK and the Virtual Host MailServer has been added successfully.

Step 3: Loopback firewall rule

Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. The loopback firewall rule is created for the service specified in the virtual host. Loopback rules allow internal users in the same zone to access the internal resources using the public IP (external IP) or FQDN. For our example, a DMZ to DMZ firewall rule is created, as the virtual host (mapped IP address) belongs to the DMZ interface subnet. Check the creation of the loopback rule from Firewall > Rule.


Step 4: Add Firewall rules

Rule 1
Go to Firewall > Rule and add a firewall rule for WebServer with the parameters as displayed in the below given screens.


Click OK and the Firewall Rule will be created successfully.

Rule 2
Go to Firewall > Rule and add a firewall rule for MailServer with the parameters as displayed in the below given screens.


Click OK and the Firewall Rule will be created successfully.

Note
Change the Destination Host according to the actual server location (Zone).

To create firewall rules that allow internal users to access resources in the DMZ using the public IP (external IP) or FQDN, follow the steps below: Go to Firewall > Rule and add a firewall rule for each server with the parameters as displayed in the below given screens.


Click OK and the Firewall Rule for Web Server will be created successfully.


Click OK and the Firewall Rule for Mail Server will be created successfully.

Note: DO NOT apply NAT on inbound SMTP rules. This will set up the MailServer as an OPEN RELAY, because the mail server would then see every Internet sender as coming from the Cyberoam's own internal address instead of the sender's real IP.
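As an added illustration (not code from the Cyberoam article or product), the following Python model walks a connection through the virtual host mapping from Steps 1 and 2 and the zone-based rules from Steps 3 and 4, and shows why the note above matters: with source NAT applied on the inbound SMTP rule, the mail server sees every Internet client as the firewall's DMZ address and treats it as a local host. The zone subnets, the firewall's DMZ interface IP, and the service ports (80 for WebServer, 25 for MailServer) are assumptions, and the Internet client address is a constructed documentation value.

```python
import ipaddress

# Sample schema from the article: each virtual host maps a public IP to a DMZ host.
VIRTUAL_HOSTS = {"WebServer": ("203.88.135.208", "192.168.1.4"),
                 "MailServer": ("203.88.135.192", "192.168.1.15")}
# Assumed subnets: DMZ inferred from the mapped IPs; the LAN range is constructed.
ZONES = {"DMZ": ipaddress.ip_network("192.168.1.0/24"),
         "LAN": ipaddress.ip_network("10.0.0.0/24")}
FIREWALL_DMZ_IP = "192.168.1.1"  # assumed Cyberoam DMZ interface IP (what SNAT would use)
# Service ports are assumed; the article only shows them in screenshots.
RULES = [("WAN", "DMZ", 80), ("WAN", "DMZ", 25),   # Step 4, Rule 1 and Rule 2 (inbound)
         ("DMZ", "DMZ", 80), ("DMZ", "DMZ", 25),   # Step 3, automatic loopback rules
         ("LAN", "DMZ", 80), ("LAN", "DMZ", 25)]   # internal users via the public IP

def zone_of(ip):
    """Zone of an address: a known internal subnet, otherwise WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def forward(src_ip, dst_ip, dport, snat=False):
    """Model the virtual host path: DNAT the public IP to the mapped IP first,
    then match a zone-to-zone firewall rule. Returns (verdict, source address
    the server sees, destination after DNAT)."""
    mapped = dict(VIRTUAL_HOSTS.values())       # external IP -> mapped IP
    dst = mapped.get(dst_ip, dst_ip)
    if (zone_of(src_ip), zone_of(dst), dport) not in RULES:
        return ("DROP", None, dst)
    src_seen = FIREWALL_DMZ_IP if snat else src_ip   # 'Apply NAT' rewrites the source
    return ("ACCEPT", src_seen, dst)

def mail_server_relays(src_seen):
    """Typical MTA policy: unauthenticated relay only for the local DMZ network."""
    return ipaddress.ip_address(src_seen) in ZONES["DMZ"]

def open_relay_check(client_ip="198.51.100.7"):
    """Compare the inbound SMTP rule without and with 'Apply NAT' for a
    constructed Internet client. Returns (relays_without_nat, relays_with_nat)."""
    _, seen_plain, _ = forward(client_ip, "203.88.135.192", 25)
    _, seen_nat, _ = forward(client_ip, "203.88.135.192", 25, snat=True)
    return (mail_server_relays(seen_plain), mail_server_relays(seen_nat))
```

Run `open_relay_check()` to see the (False, True) pair: the same SMTP rule is safe without NAT and becomes an open relay once the source is rewritten.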

Document version - 2.0-11/05/2011
