topic Re: 750 Appliance with a DMZ'ed FTP Server in Spark Firewall (SMB)

750 Appliance with a DMZ'ed FTP Server

Suspend — Sat, 31 Aug 2019 22:44:11 GMT

Hello, I was hoping to get some help setting up an FTP server on the DMZ port of a 750 Series Appliance. I guess I'm actually looked for a "best-practice" technique because I'm not sure what I've done is the "proper" way.

We have a static IP address for our internet connection and also have an additional static IP available for the FTP server, if desired. I'd be happy using either.

So, I have the 750 setup and working. I activated the DMZ port and gave it an internal IP. I setup an FTP machine on that subnet, plugged it into the DMZ port. Then setup a "server" object to forward the FTP ports to the FTP server's IP. I currently have the NAT for the server object set to "Hide Behind Gateway (port forwarding).

Now, this setup works by accessing our main IP address BUT the FTP server software sees all incoming FTP connections as coming from our main (external) IP address. Not the actual originating IP address of the client. So it seems to me like the incoming traffic is getting "NAT"ed to our internet IP. (Is that possible?)

At this point I don't know what I'm doing wrong. What I'd like is for the FTP Software to see incoming FTP connections with the originating IP address. This way I could block/ban certain IP's. Right now I can't block any IP's because everything is coming in with our public IP address.

I've love an explanation of the correct way to do this.

Thanks....

Re: 750 Appliance with a DMZ'ed FTP Server

PhoneBoy — Sun, 01 Sep 2019 15:56:12 GMT

Uncheck "Hide behind Gateway IP" in the Server object.

Re: 750 Appliance with a DMZ'ed FTP Server

Suspend — Sun, 01 Sep 2019 16:45:28 GMT

Thanks for the quick reply!!

The "Hide Behind Gateway (port forwarding)" option cannot be "unchecked". I would have to choose a different NAT such as "Static NAT" or "No NAT".

I've tried Static NAT with the same results. I haven't been able to get "No NAT" to work because I don't understand what they mean by "Server's IP address is accessible from the internet". I thought maybe that means I give the server computer our second public static IP but then it doesn't make sense how to configure the DMZ port because it wants to create an internal facing subnet, which seems to be counter-intuitive.

Help. 🙂

Re: 750 Appliance with a DMZ'ed FTP Server

PhoneBoy — Sun, 01 Sep 2019 21:02:32 GMT

My bad, actually you need to uncheck the "Force translated traffic to return to the gateway" option.

Re: 750 Appliance with a DMZ'ed FTP Server

Suspend — Sun, 01 Sep 2019 21:08:55 GMT

You da man!!!! Thank you!!! That worked.