
How To Configure Port Forwarding using Virtual Host to access devices on Internal network

Applicable Version: 10.04.0 Build 214, 304, 311, 338


Overview
This article demonstrates how to configure Cyberoam to provide access to internal resources using a virtual host.
Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam. A virtual host maps services of a public IP address to services of a host in a private network. In other words, it is a mapping of a public IP address to an internal IP address. This virtual host is used as the Destination address to access an internal or DMZ server.
A virtual host can be a single IP address, an IP address range, or the Cyberoam interface itself. Cyberoam automatically responds to ARP requests received on the WAN zone for the external IP address of the virtual host.
Cyberoam allows Port Forwarding for virtual hosts. Additionally, Cyberoam allows configuring a Port List for the virtual host; the ports within the list can be comma separated. A Port List can be mapped against a Port List or a Port. Further, a Port Range can also be mapped against a single port. This creates a one-to-one or many-to-one mapping between the external port and the mapped port.
Example:

| Port Forwarding Type (External Port Type to Mapped Port Type) | External Ports | Mapped Ports |
|---|---|---|
| Port List to Port List | 22, 24, 26, 28, 30 | 42, 44, 46, 48, 50 |
| Port List to a Port | 22, 24, 26, 28, 30 | 20 |
| Port Range to a Port | 21 - 26 | 28 |

In a Port List to Port List mapping, the number of ports must be the same for both External Ports and Mapped Ports. A request received on the first external port is redirected to the first mapped port, a request on the second external port is redirected to the second mapped port, and so on. In the example above, for the Port List to Port List configuration, requests received on external ports 22, 24, 26, 28, 30 are forwarded to mapped ports 42, 44, 46, 48, 50 respectively.
Note:
- For a single virtual host, a maximum of 16 ports can be configured in a Port List.
- All the ports within a Port List support a single protocol, either TCP or UDP, as per the configuration. A combination of both protocols within a Port List is not allowed.
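The mapping rules above can be checked before they are entered in the Web Admin Console. The following is an added example, not Cyberoam code or part of the original article; `parse_ports` and `build_port_map` are hypothetical names, and only the type combinations the article describes are accepted.

```python
# Added example: models the mapping rules stated in the article (not Cyberoam code).
MAX_PORT_LIST = 16  # article: at most 16 ports in a Port List per virtual host


def parse_ports(kind, spec):
    """Turn a 'Port', 'Port Range' or 'Port List' field into a list of ints."""
    if kind == "Port":
        ports = [int(spec)]
    elif kind == "Port Range":
        lo, hi = (int(p) for p in spec.split("-"))
        if lo > hi:
            raise ValueError(f"range start {lo} is above range end {hi}")
        ports = list(range(lo, hi + 1))
    elif kind == "Port List":
        ports = [int(p) for p in spec.split(",")]
        if len(ports) > MAX_PORT_LIST:
            raise ValueError(f"Port List has {len(ports)} ports, limit is {MAX_PORT_LIST}")
    else:
        raise ValueError(f"unknown port type {kind!r}")
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} is outside 1-65535")
    return ports


def build_port_map(ext_kind, ext_spec, mapped_kind, mapped_spec):
    """Return {external_port: mapped_port} for one virtual host."""
    ext = parse_ports(ext_kind, ext_spec)
    mapped = parse_ports(mapped_kind, mapped_spec)
    if len(set(ext)) != len(ext):
        # Assumption of this example: a repeated external port is ambiguous.
        raise ValueError("external port listed more than once")
    if mapped_kind == "Port":
        # Port, Port Range or Port List to a single Port: many-to-one.
        return {e: mapped[0] for e in ext}
    if ext_kind == mapped_kind == "Port List":
        # Positional one-to-one mapping; both lists must be the same length.
        if len(ext) != len(mapped):
            raise ValueError(f"{len(ext)} external ports but {len(mapped)} mapped ports")
        return dict(zip(ext, mapped))
    raise ValueError("combination not described in the article")


if __name__ == "__main__":
    # The three rows of the article's example table.
    print(build_port_map("Port List", "22, 24, 26, 28, 30", "Port List", "42, 44, 46, 48, 50"))
    print(build_port_map("Port List", "22, 24, 26, 28, 30", "Port", "20"))
    print(build_port_map("Port Range", "21 - 26", "Port", "28"))
```

The keys of the returned dictionary are the ports exposed on the external IP, which can be compared against the services allowed in the virtual host's firewall rule.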

Scenario
Throughout the article we will use the network parameters shown in the network diagram given
below. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The Web
Server is hosted in the DMZ.


| Network components | External IP address (Public) | IP address (Internal) |
|---|---|---|
| Web server | 1.1.1.1 | 192.168.1.2 (Mapped) |

For virtual hosts:
- External IP: IP address through which Internet users access the internal server.
- Mapped IP: IP address bound to the internal server.

[Network diagram: User over WAN; Cyberoam WAN IP 1.1.1.1; Cyberoam LAN IP 192.168.1.1/24; Web Server 192.168.1.2/24; DMZ 192.168.1.0/24; LAN 191.168.2.0/24]

Configuration
You must be logged on to the Web Admin Console as an administrator with Read-Write permission
for relevant feature(s).

Step 1: Create Virtual Host for Web server


Go to Firewall > Virtual Host > Virtual Host and click Add to add virtual host for Web Server with
the parameters as specified in the table below.
| Parameters | Value | Description |
|---|---|---|
| **Basic Settings** | | |
| Name | WebServer | Specify a name to identify the host. |
| IP Family | IPv4 | Select the IP Family. Available Options: IPv4, IPv6 |
| External IP | 1.1.1.1 | Specify the external/public IP address on which the Host will be accessed. |
| Mapped IP | 192.168.1.2 | Specify the Internal/private IP Address of the Web Server. |
| Physical Zone | DMZ | Specify the zone in which the host resides. |
| **Port Forwarding** | | |
| Enable Port Forwarding | Enabled | Click to enable the service of port forwarding. |
| Protocol | TCP | Select the protocol TCP or UDP that you want the forwarded packets to use. |
| External Port Type | Port | Select the type of external port from the available options. Available Options: Port, Port Range, Port List |
| External Port | 80 | Specify public port number for which you want to configure port forwarding. |
| Mapped Port Type | Port | Select the type of mapped port from the available options. Available Options: Port, Port Range, Port List |
| Mapped Port | 80 | Specify mapped port number on the destination network to which the public port number is mapped. |


Click OK and the Virtual Host for Web_Server will be added successfully.
On clicking OK, the Add Firewall Rules For Virtual Host screen appears which allows you to create
firewall rules to allow access to Web_Server from other zones such as WAN zone.
Enable Add Firewall Rule(s) For Virtual Host and set rule parameters as desired.

Click Add Rule(s) to add the firewall rule.


Note:
- In the given example, Virtual Host configuration for Web Server is shown. Virtual Host for other servers like Mail Server, FTP Server or Database Server can be created similarly.
- While adding the Firewall Rule for the Virtual Host, it is recommended to allow only the required services corresponding to the Server for security of the hosted server.

Step 3: Verify Firewall Rule(s)


To verify the Firewall Rules, go to Firewall > Rule > IPv4 Rule. Click to expand the DMZ - DMZ, DMZ - WAN and WAN - DMZ firewall rules. Three firewall rules are created for the virtual host of Web Server, as shown in the image below.
1. Auto: Allows traffic from WAN to Server.
2. Reflexive: Ensures that traffic from Server to WAN is NATted.
3. Loopback: Allows access to server from the same zone, LAN or DMZ, in which Server is placed.

Document Version 2.0 09 February, 2015
