• Destination: 21 (the port the FTP server resides on)
• ALG: select ftp-inbound created above
3. Click OK
C. Define a rule to allow connections to the public IP on port 21 and forward that to the internal FTP server:
1. Go to: Rules > IP Rules > Add > IPRule
2. Now enter:
• Name: SAT-ftp-inbound
• Action: SAT
• Service: ftp-inbound-service
3. For Address Filter enter:
• Source Interface: any
• Destination Interface: core
• Source Network: all-nets
• Destination Network: wan_ip (assuming the external interface has been defined as this)
4. For SAT check Translate the Destination IP Address
5. Enter To: New IP Address: ftp-internal (assume this internal IP address for FTP server has been defined in
the address book object)
6. New Port: 21
7. Click OK
D. Traffic from the internal interface needs to be NATed through a single public IPv4 address:
1. Go to: Rules > IP Rules > Add > IPRule
2. Now enter:
• Name: NAT-ftp
• Action: NAT
• Service: ftp-inbound-service
3. For Address Filter enter:
• Source Interface: dmz
• Destination Interface: core
• Source Network: dmznet
• Destination Network: wan_ip
4. For NAT check Use Interface Address
5. Click OK
E. Allow incoming connections (SAT requires an associated Allow rule):
1. Go to: Rules > IP Rules > Add > IPRule
2. Now enter:
• Name: Allow-ftp
• Action: Allow
• Service: ftp-inbound-service
6.2.3. The FTP ALG Chapter 6. Security Mechanisms
276
To Next Page
Loading...
