This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Suspend
Explorer
‎2019-08-31 03:44 PM
Jump to solution

750 Appliance with a DMZ'ed FTP Server

Hello, I was hoping to get some help setting up an FTP server on the DMZ port of a 750 Series Appliance.  I guess I'm actually looked for a "best-practice" technique because I'm not sure what I've done is the "proper" way.

We have a static IP address for our internet connection and also have an additional static IP available for the FTP server, if desired.  I'd be happy using either.

So, I have the 750 setup and working.  I activated the DMZ port and gave it an internal IP.  I setup an FTP machine on that subnet, plugged it into the DMZ port.  Then setup a "server" object to forward the FTP ports to the FTP server's IP.  I currently have the NAT for the server object set to "Hide Behind Gateway (port forwarding).

Now, this setup works by accessing our main IP address BUT the FTP server software sees all incoming FTP connections as coming from our main (external) IP address.  Not the actual originating IP address of the client.  So it seems to me like the incoming traffic is getting "NAT"ed to our internet IP.  (Is that possible?)

At this point I don't know what I'm doing wrong.  What I'd like is for the FTP Software to see incoming FTP connections with the originating IP address.  This way I could block/ban certain IP's.  Right now I can't block any IP's because everything is coming in with our public IP address.

I've love an explanation of the correct way to do this.

 

Thanks....

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-09-01 02:02 PM
In response to Suspend
Jump to solution

My bad, actually you need to uncheck the "Force translated traffic to return to the gateway" option.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-09-01 08:56 AM
Jump to solution

Uncheck "Hide behind Gateway IP" in the Server object.
0 Kudos
Suspend
Explorer
‎2019-09-01 09:45 AM
In response to PhoneBoy
Jump to solution

Thanks for the quick reply!!

The "Hide Behind Gateway (port forwarding)" option cannot be "unchecked".  I would have to choose a different NAT such as "Static NAT" or "No NAT".

ServerObject.jpg

I've tried Static NAT with the same results.  I haven't been able to get "No NAT" to work because I don't understand what they mean by "Server's IP address is accessible from the internet".  I thought maybe that means I give the server computer our second public static IP but then it doesn't make sense how to configure the DMZ port because it wants to create an internal facing subnet, which seems to be counter-intuitive.

Help.  🙂

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-01 02:02 PM
In response to Suspend
Jump to solution

My bad, actually you need to uncheck the "Force translated traffic to return to the gateway" option.
0 Kudos
Suspend
Explorer
‎2019-09-01 02:08 PM
In response to PhoneBoy
Jump to solution

You da man!!!!  Thank you!!!  That worked.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events