Support for FTP in a REDIRECT rule for passive connections to an internal server
Passive connections to an internal FTP server can only be handled through a REDIRECT
operation; a BIDIRECTIONAL MAP operation won't work for this purpose.
So you have an internal FTP server and you want to allow access to it from the Internet.
You must be aware of the following:
- the ftp plugin must be in auto-attach,
- ftp support must be activated in the NAT rule (discussed below),
- in the object, the ftp service must explicitly use the FTP plugin,
- in the firewall filter policy you must have an explicit allow for the ftp service,
- you do not have to allow ftp-data (the plugin handles the data channel as it is negotiated on the control channel).
Say you have an extra public IP address dedicated to the ftp service, so naturally you created a BIMAP NAT rule.
That works fine only if your FTP server is used in active mode!
If your FTP server is used in passive mode, you need to create an extra NAT rule, a REDIR one; unless you do so, your passive FTP server won't be reachable from the Internet.
To summarize:
FTP option { MAP / BIMAP }: supports client active FTP
FTP option { REDIR }: supports server passive FTP
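Why the FTP option matters on the NAT rule, and why a header-only BIMAP is not enough for a passive server, is easiest to see on the control channel itself: in passive mode the server announces its own address and a dynamic data port inside the 227 reply, and in active mode the client does the same inside the PORT command. A NAT rule without FTP support rewrites IP headers only, so the Internet client would receive the server's private address and the data connection would never arrive. The script below is an added example written for this post, not NETASQ code: it emulates the payload fix-up an FTP plugin performs on those lines and reports which data port the firewall has to admit. The sample lines, the private addresses and the public address 203.0.113.10 are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Constructed control-channel samples (not captured from a real session):
# a passive server behind the firewall announcing its private address,
# an EPSV reply, and an active client's PORT command.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,20,195,89)\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50057|)\r\n"
PORT_CMD = "PORT 192,168,1,10,4,1\r\n"

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class DataChannel(NamedTuple):
    mode: str                      # "passive": client connects to server (REDIR + FTP option)
                                   # "active":  server connects to client (MAP/BIMAP + FTP option)
    announced_host: Optional[str]  # address carried in the payload; None for EPSV
    port: int                      # TCP port the data connection will use
    rewritten: str                 # control line as it should leave the firewall


def _decode_hostport(groups):
    """Turn the six comma-separated decimals of PORT/PASV into (host, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("PORT/PASV field out of range: %r" % (groups,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def _encode_hostport(host, port):
    """Inverse of _decode_hostport: dotted host + port -> h1,h2,h3,h4,p1,p2."""
    return host.replace(".", ",") + ",%d,%d" % (port // 256, port % 256)


def inspect_control_line(line, public_ip):
    """Emulate the payload fix-up an FTP plugin performs on one control-channel line.

    Returns a DataChannel when the line negotiates a data connection, with the
    private address replaced by public_ip in the rewritten line; None otherwise.
    """
    m = _PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        fixed = line.replace(",".join(m.groups()), _encode_hostport(public_ip, port), 1)
        return DataChannel("passive", host, port, fixed)
    m = _EPSV_RE.match(line)
    if m:
        # EPSV carries only the port; the client reuses the control-channel
        # address, so nothing to rewrite, but the port still has to be admitted.
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("EPSV port out of range: %d" % port)
        return DataChannel("passive", None, port, line)
    m = _PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        fixed = line.replace(",".join(m.groups()), _encode_hostport(public_ip, port), 1)
        return DataChannel("active", host, port, fixed)
    return None


if __name__ == "__main__":
    for sample in (PASV_REPLY, EPSV_REPLY, PORT_CMD, "230 Login successful\r\n"):
        result = inspect_control_line(sample, "203.0.113.10")
        if result is None:
            print("no data channel:", sample.strip())
        else:
            print("%-7s host=%s port=%d -> %s"
                  % (result.mode, result.announced_host, result.port, result.rewritten.strip()))
```

Without the fix-up, the 227 reply leaves the firewall still saying 192,168,1,20, which the Internet client cannot reach; with it, the reply says 203,0,113,10 and the plugin also knows that port 50009 must be admitted towards the internal server, which is why no explicit ftp-data rule is needed. The same logic applied to an outbound PORT command is the client-active case that the FTP option on MAP/BIMAP covers.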
Definitions of the different NAT operations used in NETASQ:
- MAP is used for mapping one address or network to another in an unregulated round-robin fashion;
- REDIR is used for redirecting packets destined for one IP address and port pair to another;
- BIMAP is used for setting up bidirectional NAT between an external IP address and an internal IP address and