Step 6: Port Forwarding with NAT
This section shows an example of a single inbound Network Address Translation (NAT) port forward, also known as a NAT pinhole or port mapping, used to reach an internal web host.
Although VPN connections are preferred, sometimes it is desired, or necessary, to provide direct access to an internal networked device.
Use good judgement AND action when permitting access to the network connected device from the outside.
Good practices on internet accessible devices:
Change all default passwords
Only provide access to needed ports
Update firmware to the latest version, and keep updating it periodically
Include source addresses in ACL (access control list) rules whenever possible
Don't use low-grade, dog-food networked products; if the vendor does not put their name on the product, definitely avoid it
With due diligence (see above), NAT port forwarding can be used to provide specific outside access to inside networked devices.
In this recipe, we set up NAT port forwarding to an internal system with a web interface to provide remote access to a support technician.
NAT Port Forwarding
Define the NAT port forwarding rule:
vpf nat ruleset WAN-nat
 rule 100
  description Forward TCP port 8443
  direction in
  dynamic
  protocol tcp
  from ipv4-prefix 198.51.100.0/24
  to ifaddrs WAN
  to port 8443
  nat-prefix 172.21.89.12/32
  nat-port 8443
 exit
exit
Permit Port Forward Traffic with ACL
Traffic that is port forwarded by NAT must also be permitted by a rule in the WAN filtering ruleset.
vpf filter ruleset WAN-filter
 rule 100
  description Permit from Corp to TCP-8443
  pass
  direction in
  stateful
  protocol tcp
  from ipv4-prefix 198.51.100.0/24
  to ifaddrs WAN
  to port 8443
 exit
exit
The internal web host should now be accessible from the permitted IP addresses. Test to confirm that the configuration is correct.
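An added check for the two rulesets above (example code, not part of this recipe or the device's own tooling): it parses constructed copies of the flat CLI listings and reports any inbound NAT pinhole that has no matching pass rule in the filter ruleset or no source-address restriction. The parser assumes the simple `rule N ... exit` layout shown on this page.

```python
# Constructed copies of the two rulesets in this recipe (description lines omitted).
NAT_CFG = """vpf nat ruleset WAN-nat
 rule 100
  direction in
  dynamic
  protocol tcp
  from ipv4-prefix 198.51.100.0/24
  to ifaddrs WAN
  to port 8443
  nat-prefix 172.21.89.12/32
  nat-port 8443
 exit
exit"""
FILTER_CFG = """vpf filter ruleset WAN-filter
 rule 100
  pass
  direction in
  stateful
  protocol tcp
  from ipv4-prefix 198.51.100.0/24
  to ifaddrs WAN
  to port 8443
 exit
exit"""
def parse_rules(cfg):
    """Map each 'rule N' block of a flat CLI listing to {N: {keyword: value}}."""
    rules, cur = {}, {}
    for tok in (line.split() for line in cfg.splitlines()):
        if tok and tok[0] == "rule":
            cur = rules.setdefault(int(tok[1]), {})
        elif len(tok) == 1 and tok[0] != "exit":    # bare flags: pass, dynamic, stateful
            cur[tok[0]] = True
        elif len(tok) > 1 and tok[0] != "vpf":      # 'from ipv4-prefix X', 'to port N', ...
            cur[" ".join(tok[:-1])] = tok[-1]
    return rules
def audit_forwards(nat_cfg, filter_cfg):
    """List gaps between inbound NAT pinholes and the WAN filter; [] means all covered."""
    findings, filters = [], list(parse_rules(filter_cfg).values())
    for num, nat in parse_rules(nat_cfg).items():
        if nat.get("direction") != "in" or "nat-prefix" not in nat:
            continue                                # not an inbound port forward
        src, port = nat.get("from ipv4-prefix"), nat.get("to port")
        if src is None or src.endswith("/0"):
            findings.append(f"nat rule {num}: pinhole reachable from any source address")
        if not any(f.get("pass") and f.get("direction") == "in"
                   and f.get("protocol") == nat.get("protocol") and f.get("to port") == port
                   and f.get("from ipv4-prefix") == src for f in filters):
            findings.append(f"nat rule {num}: no pass rule for {nat.get('protocol')}/{port} from {src}")
    return findings
```

Dropping the `from ipv4-prefix` line from either ruleset makes the audit report the gap, which is the mismatch most likely to slip through when the ACL is written separately from the NAT rule.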