Digi Connect SP User Manual page 42

dynamic rules that were created for previous communications, be those outbound (private to public) or
inbound (public to private). Also, the DMZ Forwarding rule is not used if there is a local port on the Digi device
to which the packet may be delivered. This includes TCP service listener ports as well as UDP ports that are
open for various services and clients. DMZ forwarding does not interfere with established TCP or UDP
connections, either to local ports or through configured or dynamic NAT rules. Outbound communications
(private to public) from the DMZ Server are handled in the same manner as the outbound communications
from other hosts on that same private network.
Forward protocol connections from external networks to the following internal devices: Enables
protocol forwarding to the specified internal devices. Currently, the only IP protocols for which protocol
forwarding is supported are:
- Generic Routing Encapsulation (GRE, IP protocol 47)
- Encapsulating Security Payload (ESP, IP protocol 50, tunnel mode only)
These are routing protocols that route (tunnel) various types of information between networks. If your
network needs to use the GRE or ESP protocol between the public and private networks, enable this feature
accordingly.
Forward TCP/UDP/FTP connections from external networks to the following internal devices: Specifies a
list of connections based on a specific IP port and where those connections should be forwarded to. Typically
the connecting devices come from the public side of the network and are redirected to a device on the private
side of the network.
It is possible to forward a single port or a range of ports. To forward a range of ports, specify the number of
ports in the range, in the Range Port Count field for the port forwarding entry. When a range is configured, the
first port in the range is specified, and the full range is indicated in the displayed entry information.
Note that FTP connections require special handling by NAT. This is because the FTP commands and replies are
character-based, and some of them contain port numbers in their message text. Those embedded port
numbers potentially need to be translated by NAT as messages pass between the private and public sides of
the network. For this reason, select FTP as the protocol type when configuring a rule that forwards FTP
connections to an FTP server on the private network side. If you use TCP, FTP
communications may not work correctly. Note also that TCP port 21 is the standard port number for FTP.
Finally, the use of port ranges for FTP forwarding is not supported; a port count of 1 is required.
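The FTP handling described above, shown as a Python sketch that is an added example and not code from the Digi manual or firmware: it rewrites the address and port embedded in a PORT command or a 227 (passive mode) reply, which is the translation a NAT with FTP awareness has to perform. The public address 203.0.113.5, the function names and the sample lines are assumptions; 10.8.128.10 is borrowed from the manual's example as the private server address.

```python
import re

# Assumed addresses for illustration only.
PRIVATE_IP = "10.8.128.10"   # private-side FTP server (address reused from the manual's example)
PUBLIC_IP = "203.0.113.5"    # hypothetical public address of the NAT device

# PORT command (RFC 959): "PORT h1,h2,h3,h4,p1,p2"
# 227 reply to PASV:      "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) embedded in a PORT command or 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):   # malformed octet or port byte
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def translate(line, private_ip, public_ip, port_map=None):
    """Rewrite the embedded private address (and optionally the port).

    port_map maps private data port -> public data port; unmapped ports are kept.
    Lines with no embedded address, or a different address, pass through unchanged.
    """
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != private_ip:
        return line
    port = (port_map or {}).get(parsed[1], parsed[1])
    new = "%s,%d,%d" % (public_ip.replace(".", ","), port >> 8, port & 0xFF)
    return _HOSTPORT.sub(new, line, count=1)


if __name__ == "__main__":
    # Constructed control-channel lines as sent by the private-side server.
    for reply in ("220 Service ready",
                  "227 Entering Passive Mode (10,8,128,10,195,80)"):
        print(reply, "->", translate(reply, PRIVATE_IP, PUBLIC_IP))
```

This sketch covers only the text rewrite; because the rewritten text can differ in length from the original, a NAT doing this on live traffic must also adjust TCP sequence numbers on the control connection.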
Example
For example, to enable port forwarding of RealPort data (network port 771) on a Digi Connect WAN VPN to a Digi
Connect SP with an IP address of 10.8.128.10, you would do the following:
1. Select the Enable IP Routing check box.
2. In the Forward TCP/UDP connections from external networks to the following internal devices section, type
   the port forwarding information as follows, and click Add:
Socket tunnel settings
Digi Connect Family and ConnectPort TS Family User Guide
WARNING! DMZ Forwarding presents security risks for the DMZ Server. Configure the DMZ Forwarding option only
if you understand and are willing to accept the risks associated with providing open access to this
server and your private network.