Sophos Firewall V18: How to configure NAT to change port for server with WAN IP as static IP

1.The purpose of the article

In system administration, the need to nat a server to the internet is essential for remote administration.

But how can you nat devices to the internet when they have the same administrative access port or for security reasons we need to change the external access port of services like SSH, Remote Desktop … .

In this article, techbast will guide you on how to configure NAT to change the port so that we can make the server go out to the internet when encountering the above situation.



  • The internet connection is connected at Port 2 with a static IP of 10,150.30.106.
  • LAN subnet configured at Port 1 with IP and DHCP configured.
  • Finally, a server running Windows Server 2016 is connected to the Sophos Firewall’s LAN and has a static IP of


As you can see, the port of the remote desktop service is too common and very vulnerable to hackers.

So in this article techbast will change the server’s remote desktop service port to the internet with port 3390 to ensure security.

4.What to do

  • Create profile for the server.
  • Create profile for service 3389 and 3390.
  • Create NAT policy.
  • Create Firewall rule.
  • Result


5.1.Create profile for the server.

To create, go to SYSTEM > Hosts and services > click Add.

Create with the following information:

  • Name *: Windows_Server.
  • IP version *: IPv4.
  • Type *: IP.
  • IP address *:
  • Click Save.

5.2. Create profile for service 3389 and 3390.

To create, go to SYSTEM > Hosts and services > Services > click Add.

Create a profile for service 3389 with the following parameters:

  • Name *: Remote Desktop_1
  • Type *: TCP/UDP.
  • Protocol: TCP.
  • Source port: 1:65535.
  • Destination port: 3389.
  • Click Save.

Similarly, create a profile for service 3390 with the following parameters.

  • Name *: Remote Desktop_2
  • Type *: TCP/UDP.
  • Protocol: TCP.
  • Source port: 1:65535.
  • Destination port: 3390.
  • Click Save.

5.3.Create NAT policy.

To create, go to PROTECT > Rules and policies > NAT rules > Add NAT rule > New NAT rule.

Create a NAT policy with the following parameters:

  • Rule status: ON.
  • Rule name *: NAT_Remote_Desktop.
  • Rule position: Top.
  • Original source *: Any.
  • Original destination *: #Port2 (port wan).
  • Original service *: select Remote_Desktop_2.
  • Translated source (SNAT): Original.
  • Translated destination (DNAT): select Windows_Server.
  • Translated service (PAT): select Remote_Desktop_1.
  • Inbound interface *: select #Port2.
  • Outbound interface *: Any.
  • Click Save.

5.4.Create Firewall rule.

By default, the firewall will block traffic from outside the internet from entering the LAN.

So for NAT policy to work, we need to create a firewall that allows traffic with this service.

To create, go to PROTECT > Rules and policies > Add firewall rule > New firewall rule.

Create the following parameters according to the following figure.

Click Save.


To check the results techbast will use a computer outside the internet to remote desktop to the server in the LAN with port 3390.

To access the server open the Remote Desktop Connection application and enter (WAN IP:3390).

Enter the server account and password.

Click Yes when asked for the certificate.

The server access window has appeared, so we have successfully changed the port so that users from the outside can access the server using port 3390.


Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.