Good morning. With a Spark 1575 locally managed running version R81.10.10 (996002945). How can I get incoming web traffic to forward to a designated internal server? I have a server object set as a web server using the default ports of 80 & 443 & Nginx installed on the internal Ubuntu 24.04 server. Utilizing this setup, no traffic gets forwarded & cannot see the incoming traffic while monitoring the security log. If I set a secondary port - 8081 - it will work each & every time & can see the incoming traffic but, that requires having end users adding the :8081 to the web address. I have gone as far as adding manual firewall rules but to no avail. How to correct? Simple fix or have to contact TAC?
Wanted to pass along that the issue has been resolved. It was not any setting in the 1575 appliance but was due to my ISP blocking ports 80, 443 & 8080. I realized all too late that this has always been the practice of most ISP's when your account is strictly a dynamic IP & do not pay them for a static IP. Thanks everyone for working to help.
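The resolution above turned out to be upstream filtering rather than appliance configuration. A quick way to tell the two apart is to connect to your own public IP from an outside vantage point and classify each port by how the attempt ends: a timeout means nothing answered (dropped somewhere upstream), a refused connection means a host answered but nothing listens, and a completed handshake means the path and the NAT both work. The script below is an added example, not code from the thread or from Check Point; the public IP, the port list and the local self-check listener are assumptions for illustration.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt to a service you operate.

    Returns 'open' (handshake completed), 'closed' (RST received: a host
    answered but nothing listens), 'filtered' (no answer within timeout:
    consistent with a drop upstream) or 'unreachable' (no route/DNS failure).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def probe_ports(host, ports, timeout=3.0):
    """Probe each port and return {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def interpret(results, well_known=(80, 443), alternate=(8081,)):
    """Turn the per-port states into the distinction the thread needed.

    If the well-known web ports are silently dropped while an alternate
    high port completes, the appliance and NAT are clearly forwarding and
    the drop sits in front of them (e.g. a provider blocking 80/443 on
    dynamic-IP accounts, as in the resolution post).
    """
    wk_filtered = all(results.get(p) == "filtered" for p in well_known)
    alt_open = any(results.get(p) == "open" for p in alternate)
    if wk_filtered and alt_open:
        return "well-known ports dropped upstream; NAT path itself works"
    if all(results.get(p) == "open" for p in well_known):
        return "well-known ports reachable end to end"
    return "mixed result: inspect NAT rules and the appliance's reserved ports"


def self_check():
    """Offline demonstration of the two decisive states on loopback.

    Starts a throwaway listener (assumption: port 0 lets the OS pick a free
    port), probes it while listening ('open'), then again after closing it
    ('closed'). No real network is touched.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Constructed usage: replace with your own public IP and run from an
    # outside network, never from inside the LAN (hairpin NAT would mislead).
    PUBLIC_IP = "147.160.173.125"
    states = probe_ports(PUBLIC_IP, [80, 443, 8080, 8081])
    for port, state in states.items():
        print(f"{PUBLIC_IP}:{port} -> {state}")
    print(interpret(states))
    print("loopback self-check:", self_check())
```

Run it from a host outside the LAN (a phone on mobile data, a VPS); probing your public IP from an internal client exercises hairpin NAT, not the inbound path the ISP sees.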
Hi @Jon_AK
What is the traffic flow?
Internet -> Public IP > NAT > internal IP of the ubuntu?
Ákos
Hopefully I understand your question correctly, let me know if I missed the boat...
Your traffic flow depiction is correct.
At the moment, the public IP is dynamic & hasn't changed in over a year but, I checked it to ensure it matched what is recorded in our registrar's DNS record.
NAT is set to Hide behind the gateway & the internal IP address of the server the traffic is to route to is correct.
Hi @Jon_AK
Two things came into my mind:
Static:
The Security Gateway changes the source IP address of all connections from a source to the IP address you configure.
Notes:
When you configure Static NAT, the Security Gateway allows external traffic to access internal resources.
If you enable this configuration in an object that represents one IP address (a Host object), then this gives you a one-to-one address translation.
If you enable this configuration in an object that represents many IP addresses (a Network object, an Address Range object), then this gives you a many-to-one address translation.
The Security Gateway translates each internal IP address to a different external IP address.
Important - The range of the translated IP addresses is the same as the range of the source IP addresses.
Cheers,
Akos
Interesting. I am still learning the functionality of the Spark 1575. I was wondering if all incoming port 80 traffic was ignored by default. I will certainly dive into this when I get back in a couple hours & will post back with my results. Thank you for the detailed explanation.... Old guys like me need a bit of "help" now & again 😉
Akos, I reviewed the article along with the settings for this 1575. Since this is a locally managed device & does not have the corporate configuration interface, the configuration settings seem to be very limited with respect to the corporate interface. I tried the static NAT address along with several variations of this & still cannot get this to answer incoming web traffic that is not specifically bound for a port other than 80. 8081, 8086, 8080 all work first go around. I do not see any other place in this interface for configuring a static NAT as shown in this screen capture
In the advanced options for remote access there will be a setting for reserving the port for NAT and/or changing the port for remote access to avoid conflicts.
I'm afraid you're going to have to help me out here. I'm failing both to find the setting you're indicating & to see why I would be changing a remote access setting to allow traffic to a web page.
Device > Advanced > Advanced Settings (search for 443)
I found that but it didn't make sense to me so I didn't change it first time around. I changed it from its default value of 8443 to 80 but still no joy with website access. I should have also included that I disabled the setting as well, but still no access.
If you want 443 to work from outside you'll need to tick the box to "reserve" it else the remote access service of the appliance itself will absorb those connections.
Appreciate your continued input for this Chris. I am not trying to use HTTPS for the web page access, just plain jane HTTP.
Noted. To confirm, nothing seen in tcpdump?
Are you using wireless or bridge interfaces on this appliance...
What value is returned when you run the following from the CLI (via SSH):
fw ctl get int fwx_bridge_use_routing
No wireless or bridge. The 1575 is the 1st demarc, no ISP provided modem to bridge. As for inputting the cli command, I have no idea how to access that.
To confirm are you seeing the connection redirected in the browser?
For that command (possibly low likelihood / relevance), you'll need to connect via SSH or Serial Console into the appliance using a tool like PuTTY etc.
No redirection, no action occurs. Response from the requested command is:
fwx_bridge_use_routing = 2
Also, I modified the virtual server configuration file to reflect an ssl connection. I get no response out of that either. Thought that may help narrow down what may be the issue here.
Hi, it seems this is the static NAT setting
Hi Jon,
It would be good to provide the tcpdump OR fw monitor, so that we can see whether the traffic is being NATed correctly.
Better to provide two tcpdumps, one from internal, one from external.
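The reason for asking for two captures is that comparing them answers two separate questions: did the SYN reach the appliance's external interface at all, and if so, was it rewritten to the server's internal address on the way out of the internal interface. The script below is an added example, not code from the thread or from Check Point: it parses `tcpdump -n` style lines from both sides, matches inbound SYNs by client source IP and port, and gives a per-port verdict. The capture lines are constructed for illustration using the addresses quoted later in the thread (public 147.160.173.125, server 192.168.1.13) and an assumed external client 203.0.113.7.

```python
import re

# One tcpdump -n line per packet, e.g.
# "12:00:01.000001 IP 203.0.113.7.51514 > 147.160.173.125.80: Flags [S], seq 1, win 64240, length 0"
PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed capture from the WAN side: 8081 and 443 arrive, 80 never does.
EXTERNAL_CAPTURE = """\
12:00:01.000001 IP 203.0.113.7.51514 > 147.160.173.125.8081: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 147.160.173.125.8081 > 203.0.113.7.51514: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:05.000001 IP 203.0.113.7.51520 > 147.160.173.125.443: Flags [S], seq 1, win 64240, length 0
"""

# Constructed capture from the LAN side: only the 8081 SYN was rewritten to the server.
INTERNAL_CAPTURE = """\
12:00:01.000120 IP 203.0.113.7.51514 > 192.168.1.13.8081: Flags [S], seq 1, win 64240, length 0
12:00:01.000250 IP 192.168.1.13.8081 > 203.0.113.7.51514: Flags [S.], seq 9, ack 2, win 65160, length 0
"""

PUBLIC_IP = "147.160.173.125"
SERVER_IP = "192.168.1.13"


def parse_syns(lines):
    """Return {(src_ip, src_port, dst_ip, dst_port)} for pure SYNs (new inbound attempts)."""
    flows = set()
    for line in lines:
        m = PKT_RE.search(line)
        if not m or m.group("flags") != "S":  # 'S.' is a SYN-ACK reply; skip it
            continue
        flows.add((m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport"))))
    return flows


def nat_verdicts(external_lines, internal_lines, public_ip, server_ip, ports):
    """For each port, say whether inbound SYNs arrived and whether they were translated."""
    ext = parse_syns(external_lines)
    inner = parse_syns(internal_lines)
    verdicts = {}
    for port in ports:
        # Clients that reached the public address on this port.
        arrived = {(s, sp) for (s, sp, d, dp) in ext if d == public_ip and dp == port}
        if not arrived:
            verdicts[port] = "no SYN on external side: dropped upstream or never sent"
            continue
        # The same clients seen on the inside with the destination rewritten.
        forwarded = {(s, sp) for (s, sp, d, dp) in inner if d == server_ip and dp == port}
        if arrived <= forwarded:
            verdicts[port] = "translated"
        else:
            verdicts[port] = "arrived but not forwarded: check NAT rule / reserved ports"
    return verdicts


def demo():
    return nat_verdicts(EXTERNAL_CAPTURE.splitlines(), INTERNAL_CAPTURE.splitlines(),
                        PUBLIC_IP, SERVER_IP, ports=[80, 443, 8081])


if __name__ == "__main__":
    for port, verdict in demo().items():
        print(f"port {port}: {verdict}")
```

Capture with `tcpdump -n` on each interface (the `-n` keeps addresses numeric so the regex matches) and test from a client outside the LAN; a SYN that is missing on the external side is the signature of the upstream block this thread ended with, whereas a SYN present outside but absent inside points at the appliance.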
The dump I sent earlier is from the external side. For internal, do you want no filters?
Hi,
What is your
1. server internal IP
2. server external IP
3. client source IP
Regards
Server IP 192.168.1.13
External IP 147.160.173.125
Client source 192.168.1.100 (internal IP of the machine I was using when logging into the 1575)