Configuring NAT Rules for FTP service
Hi,
I am using CheckPoint Firewall+Smart devices with R80.10. Eth0 connected to LAN with IP 175.33.0.50 and Eth1 connected to WAN with IP 192.200.4.226. I am hosting an FTP server (175.33.0.59) and CCTV DVR (175.33.0.10). I have another WAN IP 192.200.4.228 free which I want to spare for above FTP and DVR servers using any means. The Firewall's Eth0 is the gateway for my entire network.
Should I use NAT, port forwarding or any other means so that people on the Internet are able to access these servers on the said IP? Any suggestions are appreciated, please.
Yes indeed, you should use Static NAT from your public virtual or physical IP address towards your private one. Also, if you intend to use a virtual one, you should use proxy-arp if you're about to transfer the traffic from outside to inside based on manual NAT rules instead of object-static-nat. It all depends on how you're about to design this in your network.
also
would help if you intend to use bi-dir NAT for your FTP host.
Hi,
Thanks for immediate response. Shall try during non production hours and confirm.
Hi CCSE UK,
Unfortunately I could not open the link.
Regret the situation.
Our apologies, you are not authorized to access the file you are attempting to download.
If you believe this is in error please contact customer service.
http://supportcontent.checkpoint.com/documentation_download?ID=12115
Try this; if not possible, search Google for
"How To Create Bidirectional Static NAT Rule" from Check Point
I don't think I can attach PDF to this topic here I'm afraid ...
or
sk30197
if you plan to use manual NAT configuration for your FTP inbound connectivity.
Hmm... Few comments, if I may:
1. You are using public IPs on both sides of the firewall. Is there a legitimate reason for it?
2. It is generally a bad idea to publish your IPs in a public forum; try at least to obfuscate part of the addresses.
3. If you are simply creating an Automatic Static NAT for the object to be reachable from outside, it is a pretty routine operation.
So long as you are not choosing a conflicting IP, I will not have any issues making this change during normal operating hours (this is a personal opinion, verify your company change management policy for when alterations to the firewall configurations are permitted). Additionally, verify if your firewall is configured to preserve or rematch connections during policy application. If the second, it may drop connections for services not explicitly configured to stay connected.
Regards,
Vladimir
Hi Vladimir,
You sure can comment and are welcome.
1. Actually I am not using public on both sides of the firewall. One is public and other is private IP.
2. All the IPs mentioned in my question are fictitious and are not what I am actually using.
3. I have a situation as mentioned in my question. Both FTP server on private IP1 port xxx and DVR server on private IP2 port xxxx shall be available to internet on the public IP2 which is not assigned to any physical port, but valid in the pool. The physical port is assigned with public IP1 in the same pool. Just a representation in the image below (my bad, I am poor at drawing).
Regards,
Barani
Hi CCSE UK,
Thanks. Shall get back after trying out.
-Barani
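
The scenario discussed in this thread (two internal servers published on one spare public IP that no interface owns) can be sanity-checked before touching the rulebase. The Python check below is an added example, not code from any poster or from Check Point; the function name, the /29 prefix and the port numbers are assumptions, and the addresses are the fictitious ones from the question.

```python
import ipaddress
from collections import defaultdict

def review_nat_plan(ext_if, forwards):
    """Return sorted findings for a plan of inbound port forwards.

    ext_if   -- external interface as 'address/prefix'
    forwards -- (public_ip, proto, public_port, private_ip, private_port)
    """
    iface = ipaddress.ip_interface(ext_if)
    targets = defaultdict(set)  # (public_ip, proto, port) -> private endpoints
    hosts = defaultdict(set)    # public_ip -> private hosts behind it
    for pub, proto, pub_port, priv, priv_port in forwards:
        pub_ip = ipaddress.ip_address(pub)
        targets[(pub_ip, proto, pub_port)].add((priv, priv_port))
        hosts[pub_ip].add(priv)

    findings = []
    for (pub_ip, proto, port), dests in targets.items():
        if len(dests) > 1:  # one listener cannot be forwarded to two servers
            findings.append(f"conflict: {pub_ip} {proto}/{port} has {len(dests)} targets")
    for pub_ip, behind in hosts.items():
        if pub_ip in iface.network and pub_ip != iface.ip:
            # On-link address no interface owns: the gateway must answer ARP for it.
            findings.append(f"proxy-arp: {pub_ip} is not bound to {iface.ip}'s interface")
        elif pub_ip not in iface.network:
            findings.append(f"routing: {pub_ip} must be routed to {iface.ip} upstream")
        if len(behind) > 1:
            # A one-to-one static NAT maps a whole address to a single host.
            findings.append(f"manual-nat: {pub_ip} is shared by {len(behind)} hosts")
    return sorted(findings)

# Constructed input: addresses are the fictitious ones from the thread;
# the /29 prefix and both port numbers are assumptions.
PLAN = [
    ("192.200.4.228", "tcp", 21, "175.33.0.59", 21),      # FTP control channel
    ("192.200.4.228", "tcp", 8000, "175.33.0.10", 8000),  # DVR
]

if __name__ == "__main__":
    for finding in review_nat_plan("192.200.4.226/29", PLAN):
        print(finding)
```

The `proxy-arp` finding corresponds to the proxy ARP requirement the replies raise for manual NAT rules on a virtual address, and the `manual-nat` finding shows why a single object-level static NAT cannot publish both servers on the same public IP.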
