Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Barani_Prasad
Participant

Configuring NAT Rules for FTP service

HI,

I am using CheckPoint Firewall+Smart devices with R80.10. Eth0 connected to LAN with IP 175.33.0.50 and Eth1 connected to WAN with IP 192.200.4.226. I am hosting an FTP server (175.33.0.59) and CCTV DVR (175.33.0.10). I have another WAN IP 192.200.4.228 free which I want to spare for above FTP and DVR servers using any means. The Firewall's Eth0 is the gateway for my entire network.

Should I use NAT, Port Forwarding or any means so that people in Internet can able to access these servers on the said IP? Any suggestions are appreciable, please.

0 Kudos
10 Replies
Jerry
Mentor
Mentor

yes indeed, you should use Static NAT from your public virtual or physical IP address towards your private one, also if you intend to use virutal one you should use proxy-arp if you're about to transfer the traffic from outisde to inside based on manual NAT rules instead of object-static-nat. All depends how you're about to design this in your network.

Jerry
0 Kudos
Jerry
Mentor
Mentor

also

http://dl3.checkpoint.com/paid/aa/How-To-Create-Bidirectional-Static-NAT-Rule.pdf?HashKey=1533559279...

would help if you intend to use bi-dir NAT for your FTP host.

Jerry
0 Kudos
Barani_Prasad
Participant

Hi,

Thanks for immediate response. Shall try during non production hours and confirm.

Barani_Prasad
Participant

Hi CCSE UK,

Unfortunately I could not open the link.

Regret the situation.

0 Kudos
Jerry
Mentor
Mentor

Insufficient Privileges for this File

Our apologies, you are not authorized to access the file you are attempting to download.
If you believe this is in error please contact customer service.

http://supportcontent.checkpoint.com/documentation_download?ID=12115

try this, if  not possible search google for

"How To Create Bidirectional Static NAT Rule"  from Check Point"

I don't think I can attach PDF to this topic here I'm afraid ...

Jerry
0 Kudos
Jerry
Mentor
Mentor

or

sk30197

if you plan to use manual NAT configuration for your FTP inbound connectivity.

Jerry
0 Kudos
Vladimir
Champion
Champion

Hmm... Few comments, if I may:

1. You are using public IPs on both sides of the firewall. Is there a legitimate reason for it?

2. It is generally a bad idea to publish your IPs in a public forum, try to at least to obfuscate part of the addresses.

3. If you are simply creating an Automatic Static NAT for the object to be reachable from outside, it is a pretty routine operation.

So long as you are not choosing a conflicting IP,  I will not have any issues making this change during normal operating hours (this is a personal opinion, verify your company change management policy for when alterations to the firewall configurations are permitted). Additionally, verify if your firewall is configured to preserve or rematch connections during policy application. If second, it may drop connections for services not explicitly configured to stay connected.

Regards,

Vladimir

0 Kudos
Barani_Prasad
Participant

Hi Vladimir,

You sure can comment and and are welcome.

1. Actually I am not using public on both sides of the firewall. One is public and other is private IP.

2. All the IPs mentioned in my question are fictitious and are not what I am actually using.

3. I have a situation as mentioned in my question. Both FTP server on private IP1 port xxx and DVR server on private IP2 port xxxx shall be available to internet on the public IP2 which is not assigned to any physical port, but valid in the pool. The physical port is assigned with public IP1 in the same pool. Just a representation in the image below (my bad, I poor in drawing).

SImple representation of my requirement.

Regards,

Barani

Jerry
Mentor
Mentor

0 Kudos
Barani_Prasad
Participant

Hi CCSE UK,

Thanks. Shall get back after trying out.

-Barani

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events