We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Barracuda NextGen Firewall X

Example - Configuring a DNAT Access Rule

  • Last updated on

To reach services running on servers in the DMZ behind the firewall, configure a Destination NAT (DNAT) rule to forward the traffic arriving on the WAN port to the correct server and port in the DMZ.

dnat_rule.png

Video

Watch the video below to see an example DNAT access rule configured on the Barracuda NextGen Firewall X-Series:

Before you Begin

  • Create a new network object containing the IP addresses of all web servers you want to redirect traffic to. If you want to redirect to a different port, you cannot use network objects.
  • Create a network object containing your public IP address. For this example, our public IP address is 62.99.0.51.
  • Verify that there is no local firewall service listening on that IP address. To forward IPsec traffic, go to VPN > Settings and set Use Dynamic IPs to No.

Step 1. Configure a DNAT Access Rule

This example creates a DNAT access rule that allows HTTP traffic from the Internet to the web server residing in the DMZ.

  1. Go to the FIREWALL > Firewall Rules page.
  2. Click Add Access Rule to create a new access rule.
  3. In the Add Access Rule window, enter a name and description for the rule.
  4. Specify the following settings:

    ActionConnectionSourceNetwork ServicesDestinationRedirect
    DNATNo SNATInternetHTTP+SEither 62.99.0.51 or the WAN-ISP1 Network Object

     network object containing one or more IP addresses
    or
    IP address:port 172.16.0.10:8080

    To enter a combination of address:port, paste it from the clipboard
    into the edit field.

    DNAT_example_67.png

  5. Click Save.

Step 2. (optional) Load Balancing Additional Web Servers in the DMZ

To redirect to more than one web server in cycle (round robin) or fallback mode, you can either add additional IP addressees to the network object, or enter additional IP addresses to the Redirect  list. In fallback mode, all traffic is sent to the first IP address in the list (or network object). If that IP address is no longer reachable, traffic is sent to the second, and so forth. In cycle mode, the traffic is distributed to all IP addresses in the Redirect list based on the source IP address of the traffic. In this example, we used a network object containing 2 IP addresses (172.16.0.11 and 172.16.0.12) and left the original IP address 172.16.0.10 on port 8080 from step 2. HTTP and HTTPS traffic is now cycled between:

  • 172.16.0.10:8080
  • 172.16.0.11 port 80 or 443 as the chosen network services HTTP+S allows for those ports
  • 172.16.0.12 port 80 or 443 as the chosen network services HTTP+S allows for those ports 

DNAT_example02_67.png

Step 3. Verify the Order of the Access Rules

New rules are created at the bottom of the firewall ruleset. Rules are processed from top to bottom in the ruleset. Drag your access rule to a slot in the rule list, so that no access rules before it matches this traffic. Verify that your rules are placed above the BLOCKALL rule. Otherwise, the rule never matches.

After adjusting the order of the rules in the ruleset, click Save.

Last updated on