Changing Source Address when using FTP Security Server

[dgrattan]

I have Checkpoint NG AI R55p running on a Nokia IP 380 (IPSO 4.0). I have three active interfaces.

eth1c0: connects to ISP router, uses 192.168.100.10 address
eth2c0: connects to internal router, uses 172.18.100.xx address
eth3c0: connects to "DMZ", uses registered 24 bit address range

I just added rules to allow internal users to authenticate at the firewall and FTP out to any public FTP server.

radius_users@int_network -> NOT int_network -> FTP -> User Auth

The authentication piece works great but connection to external server fails. Tracker logs show outbound FTP being permitted from an internal 172.18.100.xx source address destined to a public FTP server. Trace between firewall and ISP router (off eth1c0) shows the source address is the IP of eth1c0 and the destination IP address is the public FTP server. Connection fails because public FTP server can't respond to RFC1918 source address.

I added a manual NAT rule to translate the source address of all FTP traffic from any internal source address destined to any address to the eth3c0 address.

int_network -> *Any -> FTP : eth3c0_ip -> =Original -> =Original

Had no effect. My source address is still the address IP of eth1c0. I tried changing the NAT rule to translate the source address of all FTP traffic sourcing from the address of eth1c0 destined to any address to the eth3c0 address.

eth1c0_ip -> *Any -> FTP : eth3c0_ip -> =Original -> =Original

Also had no impact.

Can I force outbound traffic from the FTP Security server to use a different source address or interface?

[Lackie]

Quote:

Originally Posted by dgrattan

eth1c0: connects to ISP router, uses 192.168.100.10 address
eth2c0: connects to internal router, uses 172.18.100.xx address
eth3c0: connects to "DMZ", uses registered 24 bit address range

Call me confused but from your description it appears that you have the 192.168.100.10 address on your External network? Is that correct?