In Single Public IP with Port Offsets mode, Imperva Load Balancing sends all requests for your site to a single public IP address and selects the server within your site by the destination port of each request: every origin server is published on its own port (offset) of that one public IP.

To work in Single Public IP with Port Offsets mode, your firewall must port-forward each offset port on the public IP to the corresponding internal server and real port, and you must add the access and mapping rules that route the requests arriving from Imperva to the correct server within your site. This appendix describes how to do this for several commonly used firewalls.

Configuring Port Forwarding for the FortiGate Firewall

To configure the FortiGate firewall to work in port forwarding mode with Imperva Load Balancing, perform the following steps.

To configure virtual IP objects for your internal site servers:
  1. Access the FortiGate firewall configuration application through a browser.

  2. In the Firewall Objects tab, select Virtual IP under the Virtual IP group.
  3. Click Create New. A window opens in which you can enter details for a virtual IP address for an internal site server.

  4. In the Name field, enter a name for the virtual IP object.
  5. In the External Interface field, select the appropriate external interface.
  6. In the External IP Address/Range field, enter the external public IP address.
  7. In the Mapped IP Address/Range, enter the IP address of the internal web server.
  8. Check the Port Forwarding checkbox.
  9. In the Protocol field, select the appropriate protocol (TCP for HTTP and HTTPS).
  10. In the External Service Port field, enter the offset port on the public IP that Imperva connects to for this server.
  11. In the Map to Port field, enter the port on which the internal server actually listens; requests arriving on the external port are forwarded to it.
  12. Click OK.
  13. Repeat steps (3)-(12) for each internal server.

Note: If you have not already done so, add an Address object for each internal server in the FortiGate Firewall Objects\Address page.

To add a policy rule that allows Imperva to access your servers:
  1. Open the FortiGate Policy page and click Create New. A window opens in which you can enter details for the new policy rule.

  2. In the Source Address field, add the address objects for the Imperva IP ranges (the prefixes published by Imperva), so that only traffic arriving through Imperva matches the rule and the servers cannot be reached directly.
  3. In the Destination Address field, add the virtual IP object of an internal server. Repeat for each virtual IP object created above.
  4. In the Schedule field, select "always".
  5. In the Service field, select the appropriate protocol (usually HTTP or HTTPS).
  6. In the Action field, select "ACCEPT".
  7. Click OK.

Configuring Port Forwarding for the Cisco ASA Firewall

You can configure port forwarding for the Cisco ASA firewall using either the ASA Command Line Interface (CLI) or the Adaptive Security Device Manager UI application. In both cases you must perform the following actions:

  • Allow Inside users to access the Internet (dynamic NAT; included in the example for completeness).
  • Publish the Inside web server on the public IP with static NAT and port forwarding.
  • Allow traffic arriving on the Outside interface from Imperva to reach your web server.

Following are examples of how to configure port forwarding for the Cisco ASA firewall.

Note: Replace the IP addresses and subnets in the examples with values that are appropriate for your network.

To configure port forwarding for the Cisco ASA Firewall using the CLI:
  1. Enter the ASA CLI and switch to configuration mode.

    LAB-ASA5505-01# conf t

  2. Create an object for your Inside network.

    LAB-ASA5505-01(config)# object network INSIDE-SUBNET

    LAB-ASA5505-01(config-network-object)# subnet 172.20.10.0 255.255.255.0

    LAB-ASA5505-01(config-network-object)# exit

  3. Create an object for your web server.

    LAB-ASA5505-01(config)# object network WWW-SERVER

    LAB-ASA5505-01(config-network-object)# host 172.20.10.100

    LAB-ASA5505-01(config-network-object)# exit

  4. Configure Network Address Translation (NAT) so your Inside users can browse the web. The interface names (Inside, Outside) are the names set with nameif on your ASA; use yours throughout.

    LAB-ASA5505-01(config)# object network INSIDE-SUBNET

    LAB-ASA5505-01(config-network-object)# nat (Inside,Outside) dynamic interface

    LAB-ASA5505-01(config-network-object)# exit

  5. Create a static NAT entry that publishes your web server on your (single) public IP address with port forwarding. The service keyword takes the real port first and the mapped (public) port second; with port offsets the mapped port is the offset port Imperva connects to (for example, service tcp 80 8081). The example below maps port 80 to port 80.

    LAB-ASA5505-01(config)# object network WWW-SERVER

    LAB-ASA5505-01(config-network-object)# nat (Inside,Outside) static interface service tcp 80 80

    LAB-ASA5505-01(config-network-object)# exit

  6. Configure an access list that allows Outside traffic to reach port 80 (HTTP) on your Outside interface. On ASA 8.3 and later, access lists match the real (untranslated) address and port, which is why the rule refers to the WWW-SERVER object and port 80 rather than the public IP and offset port. The example permits any source; in production, restrict the source to the Imperva IP ranges so that the server cannot be reached directly, bypassing Imperva.

    LAB-ASA5505-01(config)# access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80

    LAB-ASA5505-01(config)# access-group Outside_access_in in interface Outside

  7. Verify your NAT configuration. The untranslate_hits counter of the static entry increases with each connection that is forwarded to the web server.

    LAB-ASA5505-01(config)# show nat

    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source static WWW-SERVER interface service tcp www www
        translate_hits = 0, untranslate_hits = 2
    2 (Inside) to (Outside) source dynamic INSIDE-SUBNET interface
        translate_hits = 6, untranslate_hits = 0

  8. Examine the hit count (hitcnt) of the access list entry and verify that it increases as requests arrive through Imperva. The ASA prints the object-based entry and, indented below it, the expanded entry with the real host address.

    LAB-ASA5505-01(config)# sh access-list

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list Outside_access_in; 2 elements; name hash: 0xe796c137
    access-list Outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x24ee277f
    access-list Outside_access_in line 2 extended permit tcp any object WWW-SERVER eq www (hitcnt=4) 0xb7fcf341
      access-list Outside_access_in line 2 extended permit tcp any host 172.20.10.100 eq www (hitcnt=4) 0xb7fcf341
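The hit-count check in steps 7 and 8 is easy to automate: take two `show access-list` snapshots a few requests apart and confirm that the entry permitting the forwarded port actually gained hits. The following script does that, and also flags permit entries whose source is `any`, the bypass risk noted in step 6. It is an added example, not code from Imperva or Cisco; the two snapshots embedded in it are constructed to mirror the output shown above (the second one after more requests) and are not captured from a real device.

```python
"""Compare two `show access-list` snapshots from a Cisco ASA and check that the
ACE permitting the forwarded port is accumulating hits.

Added example, not from Imperva or Cisco. The snapshots below are constructed
to match the output shown on this page; they are not real captures.
"""
import re
from typing import Dict, List, Tuple

# One ACE line of `show access-list`, including the indented expanded entries the
# ASA prints under an object-based ACE. The trailing hash is ignored.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

# Service names the ASA substitutes for well-known ports in its output.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

AceKey = Tuple[str, int, str]  # (acl name, line number, ACE text)


def parse_hitcounts(output: str) -> Dict[AceKey, int]:
    """Return {(acl, line, ace text): hitcnt} for every ACE in the output."""
    counts: Dict[AceKey, int] = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            counts[(m["acl"], int(m["line"]), m["body"])] = int(m["hits"])
    return counts


def hit_delta(before: Dict[AceKey, int], after: Dict[AceKey, int]) -> Dict[AceKey, int]:
    """Per-ACE change in hitcnt between two snapshots (ACEs new in `after` count from 0)."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v != before.get(k, 0)}


def ace_port(body: str):
    """Destination port of an ACE written as '... eq <port>', or None."""
    parts = body.split()
    if len(parts) >= 2 and parts[-2] == "eq":
        return PORT_NAMES.get(parts[-1], int(parts[-1]) if parts[-1].isdigit() else None)
    return None


def forwarded_port_is_live(before, after, acl: str, port: int) -> bool:
    """True if a permit tcp ACE in `acl` for destination `port` gained hits."""
    for (name, _line, body), delta in hit_delta(before, after).items():
        if name == acl and "permit tcp" in body and ace_port(body) == port and delta > 0:
            return True
    return False


def permits_from_any(counts: Dict[AceKey, int], acl: str) -> List[int]:
    """Line numbers of permit ACEs whose source is 'any'. An origin that accepts
    connections from anywhere can be reached directly, bypassing Imperva."""
    lines = {line for (name, line, body) in counts
             if name == acl and re.search(r"\bpermit \S+ any\b", body)}
    return sorted(lines)


# Constructed sample output modelled on the page; not a real capture.
SNAPSHOT_BEFORE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Outside_access_in; 2 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x24ee277f
access-list Outside_access_in line 2 extended permit tcp any object WWW-SERVER eq www (hitcnt=4) 0xb7fcf341
  access-list Outside_access_in line 2 extended permit tcp any host 172.20.10.100 eq www (hitcnt=4) 0xb7fcf341
"""
# Same ACL after five more requests arrived through Imperva (constructed).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("(hitcnt=4)", "(hitcnt=9)")

if __name__ == "__main__":
    before, after = parse_hitcounts(SNAPSHOT_BEFORE), parse_hitcounts(SNAPSHOT_AFTER)
    print("port 80 live:", forwarded_port_is_live(before, after, "Outside_access_in", 80))
    print("permit-from-any on lines:", permits_from_any(after, "Outside_access_in"))
```

Feed it the output of `show access-list` taken before and after sending a few requests through Imperva; a port that never gains hits usually means the static NAT entry or the access rule is wrong, and any line reported by permits_from_any should be narrowed to the Imperva IP ranges.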

To configure port forwarding for the Cisco ASA Firewall using the ASDM UI application:
  1. Launch the ASDM application.

  2. Create a new network object for the internal web server (its real IP address) and expand the NAT section of the object dialog.

  3. Enable Add Automatic Address Translation Rules and select Static as the type. In the Translated Addr drop-down, select the Outside interface.

  4. Click the Advanced button.

  5. Select the Source Interface (Inside) and the Destination Interface (Outside).

  6. In the Service section, in the Protocol drop-down, select "tcp".

  7. Enter the Real Port (the port the server listens on, for example 80 or www) and the Mapped Port (the offset port Imperva connects to on the public IP). The CLI example above maps port 80 to port 80.

  8. Click OK. As in the CLI procedure, you still need an access rule on the Outside interface that permits traffic to the server, preferably restricted to the Imperva IP ranges.

Configuring Port Forwarding for the Juniper SRX Firewall

To configure port forwarding for the Juniper SRX firewall, you configure destination NAT in the Junos CLI. This section shows an example for two origin servers. On the left of each line is the public IP address and offset port that Imperva connects to (the values configured in Imperva); on the right is the internal IP address and the port the server actually listens on:

172.16.1.2:2222 --> 192.168.1.5:22

172.16.1.2:3389 --> 192.168.1.6:3389

To configure port forwarding for the Juniper SRX firewall:
  1. Configure the real addresses of the servers using address-book entries.

    set security zones security-zone trust address-book address Server1 192.168.1.5/32

    set security zones security-zone trust address-book address Server2 192.168.1.6/32

  2. Define the application objects used by the security policies in step 7. Security policies are evaluated after destination NAT, so each application carries the real (post-translation) port of the server; the NAT rules in steps 5 and 6 match the offset port directly. SSH on TCP/22 is covered by the predefined junos-ssh application, so only RDP needs a custom definition.

    set applications application RDP protocol tcp

    set applications application RDP destination-port 3389

  3. Define each server and port. (These settings relate to the real IP and port configured on the server.)

    set security nat destination pool dnat-192_168_1_5m32 address 192.168.1.5/32

    set security nat destination pool dnat-192_168_1_5m32 address port 22

    set security nat destination pool dnat-192_168_1_6m32 address 192.168.1.6/32

    set security nat destination pool dnat-192_168_1_6m32 address port 3389

  4. Create the destination NAT rule-set and bind it to the zone where traffic from Imperva arrives (untrust). The rules added to this rule-set in the next two steps match on the public IP and offset port and select a pool, which supplies the destination IP address and port to translate to.

    set security nat destination rule-set dst-nat from zone untrust

  5. Configure the port forwarding rule for the first origin server.

    set security nat destination rule-set dst-nat rule rule1 match destination-address 172.16.1.2/32

    set security nat destination rule-set dst-nat rule rule1 match destination-port 2222

    set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_5m32

  6. Configure the port forwarding rule for the second origin server.

    set security nat destination rule-set dst-nat rule rule2 match destination-address 172.16.1.2/32

    set security nat destination rule-set dst-nat rule rule2 match destination-port 3389

    set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-192_168_1_6m32

  7. Configure the security policy. Security policies are evaluated after destination NAT, so each policy matches the internal (real) IP address and port of the server, not the public IP and offset port. Junos names are case-sensitive: the destination addresses must match the address-book entries exactly (Server1, Server2), and junos-ssh is the predefined application for TCP/22. The example permits any source; in production, add address-book entries for the Imperva IP ranges in the untrust zone and use them as the source-address so that the servers cannot be reached directly, bypassing Imperva.

    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match source-address any

    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address Server1

    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application junos-ssh

    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit

    set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match source-address any

    set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match destination-address Server2

    set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application RDP

    set security policies from-zone untrust to-zone trust policy untrust-to-trust2 then permit

  8. Commit the configuration and verify that the translation rules are being hit (the Translation hits counter of each rule should increase as requests arrive through Imperva).

    commit

    run show security nat destination rule all
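The ASA and SRX procedures above express the same mapping table (public IP, offset port) to (internal IP, real port) in two syntaxes, and the mistakes that matter (an offset port mapped twice, the real port used where the offset port belongs, a permit from any source) are easy to make when typing each by hand. The script below renders both configurations from one table, validates it first, and restricts the source to Imperva's ranges. It is an added example, not code from Imperva, Cisco or Juniper; the public IP, the Imperva prefix (an RFC 5737 documentation range, not a real Imperva range), the object, rule and policy names, and the interface and zone names are all assumptions to replace with your own. The emitted lines follow the syntax shown in the two procedures above.

```python
"""Render Cisco ASA and Juniper SRX configuration for Single Public IP with Port
Offsets from one mapping table.

Added example, not code from Imperva, Cisco or Juniper. The public IP, the
prefix, and the object/rule/interface/zone names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Forward:
    name: str       # object/rule name (letters, digits, '-' or '_')
    ext_port: int   # offset port Imperva connects to on the public IP
    real_ip: str    # internal server address
    real_port: int  # port the service really listens on


def validate(public_ip: str, forwards: List[Forward], prefixes: List[str]) -> None:
    """Catch mistakes before they reach the device: malformed addresses, ports
    out of range, and the same offset port mapped to two servers."""
    ipaddress.ip_address(public_ip)
    for p in prefixes:
        ipaddress.ip_network(p)
    seen = set()
    for f in forwards:
        ipaddress.ip_address(f.real_ip)
        for port in (f.ext_port, f.real_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"{f.name}: port {port} out of range")
        if f.ext_port in seen:
            raise ValueError(f"offset port {f.ext_port} is mapped twice")
        seen.add(f.ext_port)


def render_asa(public_ip, forwards, prefixes, inside="Inside", outside="Outside") -> List[str]:
    """ASA 8.3+ object NAT. 'static interface' publishes on the Outside interface
    address, as in the procedure above, so public_ip is only validated here.
    ACLs match the real address and port, so the permit names the object and
    real_port, never the offset port."""
    validate(public_ip, forwards, prefixes)
    acl = f"{outside}_access_in"
    lines = ["object-group network IMPERVA-PREFIXES"]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f" network-object host {net.network_address}" if net.prefixlen == 32
                     else f" network-object {net.network_address} {net.netmask}")
    for f in forwards:
        lines += [
            f"object network {f.name}",
            f" host {f.real_ip}",
            f" nat ({inside},{outside}) static interface service tcp {f.real_port} {f.ext_port}",
            f"access-list {acl} extended permit tcp object-group IMPERVA-PREFIXES object {f.name} eq {f.real_port}",
        ]
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


def render_junos(public_ip, forwards, prefixes, inside_zone="trust", outside_zone="untrust") -> List[str]:
    """SRX destination NAT. NAT rules match the pre-translation offset port;
    security policies run after NAT and therefore match the real port."""
    validate(public_ip, forwards, prefixes)
    rs = "set security nat destination rule-set dst-nat"
    lines = [f"{rs} from zone {outside_zone}"]
    sources = [f"imperva-{i}" for i, _ in enumerate(prefixes, 1)]
    for name, p in zip(sources, prefixes):
        lines.append(f"set security zones security-zone {outside_zone} address-book address {name} {p}")
    for f in forwards:
        pool, app = f"dnat-{f.name}", f"{f.name}-real"
        pol = f"set security policies from-zone {outside_zone} to-zone {inside_zone} policy to-{f.name}"
        lines += [
            f"set security zones security-zone {inside_zone} address-book address {f.name} {f.real_ip}/32",
            f"set security nat destination pool {pool} address {f.real_ip}/32",
            f"set security nat destination pool {pool} address port {f.real_port}",
            f"set applications application {app} protocol tcp",
            f"set applications application {app} destination-port {f.real_port}",
        ]
        lines += [f"{rs} rule {f.name} match source-address {p}" for p in prefixes]
        lines += [
            f"{rs} rule {f.name} match destination-address {public_ip}/32",
            f"{rs} rule {f.name} match destination-port {f.ext_port}",
            f"{rs} rule {f.name} then destination-nat pool {pool}",
        ]
        lines += [f"{pol} match source-address {s}" for s in sources]
        lines += [f"{pol} match destination-address {f.name}",
                  f"{pol} match application {app}",
                  f"{pol} then permit"]
    return lines


# Assumed values: RFC 5737 documentation addresses, not real Imperva ranges.
PUBLIC_IP = "203.0.113.10"
IMPERVA_PREFIXES = ["198.51.100.0/24"]
FORWARDS = [
    Forward("WEB1", 8081, "192.168.1.5", 80),
    Forward("WEB2", 8082, "192.168.1.6", 80),
]

if __name__ == "__main__":
    print("\n".join(render_asa(PUBLIC_IP, FORWARDS, IMPERVA_PREFIXES)))
    print()
    print("\n".join(render_junos(PUBLIC_IP, FORWARDS, IMPERVA_PREFIXES)))
```

Paste the ASA output into configuration mode and the SRX output into Junos configuration mode followed by commit. Keep the table (not the rendered lines) under version control, and regenerate both configurations whenever a server or offset port changes.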
