Cyberoam Port Forwarding using Virtual Host

This article describes Cyberoam port forwarding using a virtual host, i.e. forwarding traffic sent to an external (public) IP address to an internal LAN or DMZ IP address.

The article covers how to:

·       Create virtual host

·       Create firewall rule to allow the inbound traffic

Virtual host

Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam.

A Virtual Host maps services of a public IP address to services of a host in a private network. In other words, it is a mapping of a public IP address to an internal IP address. The virtual host is then used as the destination host in the firewall rules that allow access to the internal or DMZ server.

A virtual host can be a single IP address, an IP address range, or a Cyberoam interface itself. Cyberoam automatically responds to ARP requests received on the WAN zone for the external IP address of the virtual host.

Sample schema

Throughout the article we will use the network parameters displayed in the below given network diagram. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The public servers – mail and web server are hosted in DMZ.
Network component | External IP address (public) | Internal IP address (mapped)
Web server | 203.88.135.208 | 192.168.1.4
Mail server | 203.88.135.192 | 192.168.1.15

For virtual host:

External IP: the IP address through which Internet users access the internal server.

Mapped IP: IP address bound to the internal server.

Configuration

The entire configuration is to be done from Web Admin Console with user having Administrator profile.

Step 1: Create virtual host for Web server
Go to Firewall –> Virtual Host and click the "Add" button to add a virtual host with the parameters given in the sample schema.
In our example, Internet users reach the internal web server through the public IP 203.88.135.208, which is mapped to the local IP 192.168.1.4. In other words, all inbound requests to 203.88.135.208 are forwarded to 192.168.1.4.
Parameter | Value | Description
Name | WebServer |
External IP | 203.88.135.208 | Public IP address through which Internet users access the internal server/host.
Mapped IP | 192.168.1.4 | IP address to which the external IP is mapped: the actual private IP address of the host being accessed via the virtual host.
Physical Zone | DMZ | Zone in which the mapped host is located.
Click OK and the Virtual Host 'WebServer' is added.
Note

·         If servers are hosted on LAN, change the Physical Zone to LAN.

·         In case you have custom zones, change the Physical Zones accordingly.

·         The External IP is the public IP address through which Internet users access the internal server/host. If that public IP address is already configured as the main interface IP or as an alias IP, use the option "Interface IP" to select it as the External IP; otherwise create an IP host object for the address and select it from the IP address list.
Step 2: Create virtual host for Mail server
Go to Firewall –> Virtual Host and click the "Add" button to add a virtual host with the parameters given in the sample schema.
In our example, Internet users reach the internal mail server through the public IP 203.88.135.192, which is mapped to the local IP 192.168.1.15. In other words, all inbound requests to 203.88.135.192 are forwarded to 192.168.1.15.
Parameter | Value | Description
Name | MailServer |
External IP | 203.88.135.192 | Public IP address through which Internet users access the internal server/host.
Mapped IP | 192.168.1.15 | IP address to which the external IP is mapped: the actual private IP address of the host being accessed via the virtual host.
Physical Zone | DMZ | Zone in which the mapped host is located.

Click OK and the Virtual Host 'MailServer' is added.
Step 3: Loopback firewall rule

Once the virtual host is created, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. The loopback rule is created for the service specified in the virtual host.
Loopback rules allow internal users in the same zone to access the internal resource using its public IP (external IP) or FQDN, instead of failing because the request leaves and re-enters the same interface.

For our example, DMZ to DMZ firewall rule is created as virtual host (mapped IP address) belongs to DMZ interface subnet.

Check creation of loopback rule from Firewall –> Rule


Step 4: Add Firewall rules
Rule 1
Go to Firewall –> Rule and add a firewall rule for WebServer with the source zone WAN and the destination host set to the virtual host 'WebServer', as shown in the screens of the original article (not reproduced here). Unless the virtual host itself was restricted to a service, limit the rule's Services to what the web server actually offers (e.g. HTTP/HTTPS) rather than "Any": the firewall rule is what decides which ports of the mapped host are reachable from the Internet.
Click OK and the firewall rule is created.

Rule 2
Go to Firewall –> Rule and add a firewall rule for MailServer with the source zone WAN and the destination host set to the virtual host 'MailServer', as shown in the screens of the original article (not reproduced here). Limit the Services to SMTP (and any other mail protocols the server actually exposes) rather than "Any".
Click OK and the firewall rule is created.
Note

Change the Destination Host according to the actual server location (zone).
To create firewall rules that allow internal (LAN) users to access the DMZ resources through their public IP (external IP) or FQDN, follow these steps:
Go to Firewall –> Rule and add a firewall rule for each server with the source zone LAN and the destination host set to the server's virtual host, as shown in the screens of the original article (not reproduced here).
Click OK and the firewall rule for the Web Server is created; repeat the same for the Mail Server.

Note:

DO NOT enable "Apply NAT" on the inbound SMTP rule. With source NAT applied, every external SMTP connection arrives at the mail server with the firewall's internal interface address as its source; a mail server that trusts its local network for relaying would then relay for anyone on the Internet, which sets up the MailServer as an OPEN RELAY. It also hides the real client IP from the server's logs and anti-spam checks.
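The following is an added example, not Cyberoam code, that models what Steps 1 to 4 and the note above set up: the destination-NAT mapping of the two virtual hosts, the automatic same-zone loopback rule, the explicit WAN-to-DMZ rules, and what the mail server sees when "Apply NAT" is wrongly enabled on the SMTP rule. IP addresses, virtual host names and zones come from the sample schema; the DMZ subnet 192.168.1.0/24, the firewall's DMZ interface address 192.168.1.1 (the address a masqueraded connection would appear to come from), the external client 198.51.100.7 and the mail server's "relay for my own subnet" policy are assumptions used for illustration.

```python
"""Model of virtual-host (destination NAT) forwarding plus firewall rule
evaluation, as described in Steps 1-4, including the SMTP "Apply NAT" note.
Added example, not Cyberoam code; see the lead-in for what is assumed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

DMZ_NET = ip_network("192.168.1.0/24")   # assumed DMZ subnet
FIREWALL_DMZ_IP = "192.168.1.1"          # assumed DMZ interface address of the firewall
ANY = None                               # "Any" service in a rule

# Virtual hosts from the article's sample schema (external -> mapped, zone DMZ)
VIRTUAL_HOSTS = {
    "WebServer":  {"external": "203.88.135.208", "mapped": "192.168.1.4",  "zone": "DMZ"},
    "MailServer": {"external": "203.88.135.192", "mapped": "192.168.1.15", "zone": "DMZ"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str                   # virtual host name used as Destination Host
    services: Optional[frozenset]   # allowed destination ports, ANY for all
    apply_nat: bool = False         # "Apply NAT": masquerade source as firewall DMZ IP


def loopback_rules():
    """Rules created automatically (Step 3): same zone -> same zone for each
    virtual host, so DMZ hosts can reach a server through its public IP."""
    return [Rule(v["zone"], v["zone"], name, ANY) for name, v in VIRTUAL_HOSTS.items()]


# Step 4: explicit inbound rules, services limited to what each server offers.
# The SMTP rule deliberately leaves apply_nat False (see the note after Step 4).
INBOUND_RULES = [
    Rule("WAN", "DMZ", "WebServer", frozenset({80, 443})),
    Rule("WAN", "DMZ", "MailServer", frozenset({25}), apply_nat=False),
]


def zone_of(ip: str) -> str:
    return "DMZ" if ip_address(ip) in DMZ_NET else "WAN"


def forward(pkt: Packet, rules=None):
    """Return (verdict, packet as the internal server would see it)."""
    rules = loopback_rules() + (INBOUND_RULES if rules is None else rules)
    # 1. Destination NAT: does the destination match a virtual host's external IP?
    match = [(n, v) for n, v in VIRTUAL_HOSTS.items() if v["external"] == pkt.dst]
    if not match:
        return "DROP", pkt          # inbound traffic is restricted by default
    name, vh = match[0]
    pkt = replace(pkt, dst=vh["mapped"])
    # 2. Rule lookup on (source zone, destination zone, virtual host, service)
    src_zone, dst_zone = zone_of(pkt.src), vh["zone"]
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_host) != (src_zone, dst_zone, name):
            continue
        if r.services is not ANY and pkt.dport not in r.services:
            continue
        # 3. "Apply NAT" on the rule hides the real client behind the firewall's DMZ IP
        if r.apply_nat:
            pkt = replace(pkt, src=FIREWALL_DMZ_IP)
        return "ACCEPT", pkt
    return "DROP", pkt


def mail_server_would_relay(observed_src: str) -> bool:
    """Assumed mail-server policy: relay only for clients on its own subnet."""
    return ip_address(observed_src) in DMZ_NET


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed external client address
    print(forward(Packet(client, "203.88.135.208", 80)))          # ACCEPT, dst 192.168.1.4
    print(forward(Packet(client, "203.88.135.208", 22)))          # DROP, SSH not in the rule
    print(forward(Packet("192.168.1.4", "203.88.135.192", 25)))   # ACCEPT via loopback rule
    bad = [Rule("WAN", "DMZ", "MailServer", frozenset({25}), apply_nat=True)]
    verdict, seen = forward(Packet(client, "203.88.135.192", 25), bad)
    print(seen.src, mail_server_would_relay(seen.src))            # 192.168.1.1 True: open relay
```

Run it as a script to see the four cases. The last case is the one the note warns about: with `apply_nat=True` the mail server observes 192.168.1.1 instead of the real client, so a "trust my own subnet" relay policy accepts mail from anyone on the Internet; with the rule as written in `INBOUND_RULES` the client address is preserved and the relay check fails.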

Cyberoam Website: http://www.cyberoam.com/

Damjan MOMIROVSKI

ICT Implementation Engineer, Infrastructure services and Network solutions.