Port Forwarding

Port forwarding can be configured on the Internet or VPN interface. Port forwarding is only necessary in many-to-one NAT situations. When configuring port forwarding on the Internet interface, it is also necessary to define a separate Internet firewall rule to allow the traffic into the VPN Gateway. If this step is neglected, the traffic never reaches the VPN Gateway to be forwarded.

The Port Forwarding feature is used where many-to-one NAT is in place and a server connected to the VPN Gateway local LAN interface needs to be contacted either directly from the Internet or from the enterprise network through the VPN tunnel. In this case the VPN Gateway forwards IP packets received either from the Internet or through a VPN tunnel on to the local LAN. This feature is necessary with many-to-one NAT because traffic sent to any host behind the VPN Gateway arrives with the same destination IP address.

The VPN Gateway recognizes the real target IP address through a port mapping. If traffic must be initiated from the Internet or VPN and sent directly to a server on the local LAN interface, port mapping is required to determine the real target server IP address. Without this mapping the VPN Gateway would be unable to forward the IP packet. This is accomplished by mapping a specific port and protocol to a specific known IP address on the VPN Gateway local LAN.

Because port forwarding maps a particular destination port and protocol to a single IP address behind the VPN Gateway, you can define only one IP address for each port and protocol pair. For example, IP packets with a TCP destination port of 80 (the typical web server port) can be forwarded to only one IP address on the LAN, so only a single workstation behind the VPN Gateway can serve a web site on TCP port 80. Additional forwarding rules can be configured for other ports and protocols as long as each port and protocol pair remains unique.
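The two constraints above, one LAN host per protocol/port pair and a separate Internet firewall rule before Internet traffic can be forwarded, modelled as an added example; this is constructed illustration code, not the VPN Gateway's own configuration format or API, and the class, method and address values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed model of the gateway's many-to-one NAT forwarding table
# (assumed names; not the VPN Gateway's own API or configuration format).
Key = Tuple[str, int]  # (protocol, destination port), e.g. ("tcp", 80)


@dataclass
class Gateway:
    forwards: Dict[Key, str] = field(default_factory=dict)  # pair -> LAN host
    internet_allow: Set[Key] = field(default_factory=set)  # Internet firewall

    def add_forward(self, proto: str, port: int, lan_ip: str) -> None:
        """Map one protocol/port pair to exactly one LAN address."""
        key = (proto.lower(), port)
        # A conflicting second mapping is rejected: from a given pair the
        # gateway can only recover one real target address.
        if key in self.forwards and self.forwards[key] != lan_ip:
            raise ValueError(f"{key} already forwards to {self.forwards[key]}")
        self.forwards[key] = lan_ip

    def allow_inbound(self, proto: str, port: int) -> None:
        """Separate Internet firewall rule admitting the traffic."""
        self.internet_allow.add((proto.lower(), port))

    def route(self, interface: str, proto: str, port: int) -> Optional[str]:
        """LAN host a packet is forwarded to, or None if it is dropped."""
        key = (proto.lower(), port)
        # Internet traffic needs the allow rule first; tunnel traffic does not.
        if interface == "internet" and key not in self.internet_allow:
            return None
        return self.forwards.get(key)


def demo() -> dict:
    gw = Gateway()
    gw.add_forward("tcp", 80, "192.168.1.10")  # one web server on tcp/80
    gw.add_forward("tcp", 22, "192.168.1.20")  # new port, same protocol: ok
    gw.add_forward("udp", 80, "192.168.1.30")  # same port, new protocol: ok
    gw.allow_inbound("tcp", 80)  # only tcp/80 is opened from the Internet
    try:
        gw.add_forward("tcp", 80, "192.168.1.11")  # second host on tcp/80
        rejected = False
    except ValueError:
        rejected = True
    return {"inet80": gw.route("internet", "tcp", 80),
            "inet22": gw.route("internet", "tcp", 22),  # mapped, no allow rule
            "vpn22": gw.route("vpn", "tcp", 22),
            "udp80": gw.route("vpn", "udp", 80), "rejected": rejected}
```

Note that `inet22` comes back as dropped even though the mapping exists, which is exactly the neglected-firewall-rule case described at the top of this page.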

The Port Forwarding feature within the VPN Gateway is accomplished through firewall rules configured through the VPN Gateway Device Profile in the AT&T Administration Server.