My system:
Check Point VPN1 FP 3 r55
I have an FTP server in my DMZ, which I need to reach from public Internet, and connect via FTP over TLS, listening port 2121 and data port 2120.
So I natted its private IP address with a static Nat, and then did the following:
RULE 01: SOURCE: Ftp Server
DESTINATION: Ftp CLient
SERVICES:
1. >1024, source port 2120
2. port 2121 (FTP-BIDIR)
RULE 02: SOURCE: Ftp CLient
DESTINATION: Ftp Server
SERVICES:
1. port 2121
2. port 2121 (FTP-BIDIR)
In this way, I could connect from my client (with its public IP address) via FTP over TLS, though not having disabled FTP BOUNCE ATTACK in Smart Defense Consolle.
But I realized that I had to set my FTP client to work in Active Mode, because in classic Passive mode I could not connect.
In this second case, in facts, when I tried to connect, connection seemed to proceed to be established but then:
1. ftp client sends command 'PASV'; ftp server answers 'entering passive mode';
2. ftp client sends command 'LIST'; connection hangs for some seconds;
3. after timeout has exceeded, connection is rejected;
Now, I can't understand why this happens. I am quite sure it is an issue related to Check Point configuration. In facts, if I try to
connect from a client located on the same lan of ftp server (say, in DMZ), connection is established in active or passive mode.
But more strange is that when my public ftp client is set in passive mode and can't succesfully connect to the server, I have no logs on Check Point of
dropped packets. Anyone has some suggestions ?