
Topic: Problem with Publishing Simple FTP Site via CheckPoint and Application Switch


habibalby:
Greetings...

I want to publish an FTP site via CheckPoint and a Nortel NAS 3408 E. The CheckPoint sits behind the main router, and behind the application switches. I have created an FTP site in the DMZ and wanted to publish it to the Internet.

1. Created a strict rule in the firewall to allow from Outside to DMZ on port 21 only.
2. Created a strict rule in the firewall to allow from DMZ to Internet on port 21 only.
3. In the application switch SLB, created a "Real Server" with the server IP address.
4. In the application switch SLB, created a "Server Group" with the FTP service name and linked it to the Real Server.
5. In the application switch SLB, created a "Virtual Servers" entry with the VIP public IP address and linked it to the service I want, FTP 21.

None of this allows the connection to reach the server, but when I try to telnet to port 80 the connection is established. I tried opening the CheckPoint rules from Any to FTP-Server and from FTP-Server to Any without specifying any service, but that didn't work either.

Any idea how to establish this?

Thanks,



Flintstone:
Hi habibalby,

A diagram would be good, so I will make some assumptions and let you know how I would do it.

Your firewall is connected directly to the Internet, and if the public IP address of the FTP server is in the same subnet that the firewall is connected to, then set up proxy ARP on the firewall Internet interface. Then create a security rule to allow ANY -> public IP of FTP server using the FTP service. Then set up NAT so that ANY -> public IP translates to the VIP of your 'virtual server'. I typically use private addressing for my VIPs. My VIPs of the 'Virtual server' and IP addresses of the 'Real server' are on different subnets.

CheerZ and good luck

habibalby:
Hello,
The FTP server has a private IP address, 192.168.20.x /24, and the VIP address is a public IP address which is redirected to the private IP address that is linked to the service ports.

Flintstone:
Hi habibalby,

Ok, so is the application switch directly connected to the Internet and load balancing to the 'Real Server' via the firewall?

As mentioned before, a diagram with IP addressing would be brilliant.

CheerZ

habibalby:
Hi, I have drawn a simple diagram; it shows the public IPs and private IPs.

Flintstone:
Hi habibalby,

Ok, as I mentioned initially, the public IP address will need to exist on the firewall, then be NAT'd to a private 'VIP', and then be load-balanced to the 'Real Server'.

(Firewall)
1) Enable proxy ARP for the public FTP IP address if it is in the same IP address range as the firewall interface
2) Add security rule - ANY -> public FTP IP address
3) Add NAT for ANY -> public FTP IP address, translating to the private IP address of the 'VIP'

(Application switch)
1) Create 'Real server' private IP address on subnet A
2) Create 'Server group' for service FTP with 'Real server' linked
3) Create 'VIP' private IP address on subnet B

Note - This is how I do it. You could have the 'VIP' and 'Real server' in the same subnet, depending on your setup.

CheerZ

habibalby:
Hello,

Thank you very much. I will test that and come back to you.

Appreciated.


Michael McNamara:
You can also hire @Flintstone for kids birthday parties...

Great write up!

If you continue to have issues I would suggest you take a step back and, say, just set up a simple FTP server in the DMZ (without any load-balancing). Once you have that working you can apply it to the load-balanced design and solution.

Good Luck!

habibalby:
It works perfectly now.

The problem was:

1. In the Real Servers, when the sFTP server was initially defined, the VLAN ID and the device port were not set.
SFTP Server     4     192.168.xx.21     200000     00:00:5e:00:01:02     2     6 
2. Therefore, the MAC address of the machine was not being fetched from the server, and it was given only 00.000.000.000.00.
3. After I set the port group and VLAN under the IDS, the MAC address started to appear in the list.
4. Under the Server Group I changed the sFTP server group from TCP to ICMP. "It doesn't make sense to me, but it started working."

The whole dilemma was the MAC address not being fetched from the client, because all the redirection rules depend on the source MAC and destination MAC address.
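A constructed Python model of the design Flintstone laid out (proxy ARP, NAT to a private VIP, SLB to the real server) together with the cause habibalby found (real server defined without VLAN/port, so its MAC is never learned). This is added here as an example and is not code from the thread, from CheckPoint or from Nortel; all addresses are constructed documentation-range values and the checks are this example's own rules of thumb.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 ranges; Flintstone keeps the VIP private and lets the firewall NAT the public IP to it
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class RealServer:
    ip: str
    vlan: Optional[int]   # VLAN ID on the switch; unset in habibalby's first attempt
    port: Optional[int]   # switch port facing the server; unset in habibalby's first attempt

    def mac_learned(self) -> bool:
        # Constructed rule from the thread: with no VLAN/port the switch never resolves the
        # server's MAC, and the MAC-based redirection rules cannot match anything.
        return self.vlan is not None and self.port is not None

@dataclass
class Design:
    fw_internet_subnet: str  # subnet of the firewall's Internet-facing interface
    public_ftp_ip: str       # address clients connect to
    proxy_arp: bool          # proxy ARP enabled for public_ftp_ip on that interface
    vip: str                 # address the firewall NATs to (the switch's virtual server)
    real: RealServer

def check_design(d: Design) -> List[str]:
    """Return the problems a reviewer would flag before trying to publish the FTP service."""
    findings = []
    pub = ipaddress.ip_address(d.public_ftp_ip)
    if pub in ipaddress.ip_network(d.fw_internet_subnet) and not d.proxy_arp:
        findings.append("public FTP IP is in the firewall's Internet subnet: enable proxy ARP for it")
    if not any(ipaddress.ip_address(d.vip) in n for n in PRIVATE):
        findings.append("VIP is a public address: NAT the public FTP IP to a private VIP instead")
    if not d.real.mac_learned():
        findings.append("real server has no VLAN/port, so its MAC is never learned and redirection fails")
    return findings

def packet_path(d: Design) -> List[str]:
    """Destination address seen at each hop once the design is clean: firewall NAT, then SLB."""
    if check_design(d):
        raise ValueError("fix findings first: " + "; ".join(check_design(d)))
    return [d.public_ftp_ip, d.vip, d.real.ip]

if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not the poster's real ones
    first_try = Design("203.0.113.0/24", "203.0.113.10", False, "203.0.113.20", RealServer("192.168.20.21", None, None))
    print(check_design(first_try))
    fixed = Design("203.0.113.0/24", "203.0.113.10", True, "10.10.20.5", RealServer("192.168.20.21", 200, 4))
    print(packet_path(fixed))
```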


Flintstone:
Glad things are working now :)