Problem with port forwarding behind DMZ

Posted on 2003-03-20
Medium Priority
Last Modified: 2010-04-11

I have a FireWall-1 with 3 NICs on it: 1 for my LAN, 1 for my DMZ and 1 to the switch which is connected to my router.

In my LAN there are only users, no servers that must be public; working perfectly.

In my DMZ, server 1 ==> webserver working perfectly, NAT from 192.168.10.* to public IP
           server 2 ==> 2 ftp servers and 1 HTTPS server NAT from 192.168.10.* to public IP

                        FTP server through IIS 4.0 on port 21: accessible without problem from the internet.

                        FTP server through WS_FTP Server on port 10021 ... arriving on the public IP, but once arrived in 192.168.10.* ... lost somewhere.
From outside it connects, but when login and password are prompted it does not recognize the login/password even if they are correct (it works fine from the server itself, inside)??
When I check the logs, I see that the port is changed during the NAT: it becomes 1121, 1122 in place of 10021 ??

                        HTTPS server not working either, neither from inside nor from outside. If I try from outside to connect to the public IP with the SSL, so if I do HTTP://<public IP>, an error message says "Forbidden with SSL", so a connection to the server is made...
and if I do HTTPS://<public IP> I get error 404 etc... ??

Where is the problem, knowing that the configuration works well for server 1 and is the same for server 2?

Thanks for help.

Question by: Taishaku

Author Comment

ID: 8173553
HTTPS server not working either, neither from inside nor from outside. If I try from outside to connect to the public IP WITHOUT the SSL...

Author Comment

ID: 8173559
so if I do HTTP://<public IP> an error message says "Forbidden" WITHOUT SSL, so a connection to the server is made...

Expert Comment

ID: 8175349

What kind of firewall? What firewall software are you running?

Author Comment

ID: 8176972
FireWall-1 v4.1 from Check Point, running on an NT4 server.


Accepted Solution

_musashi_ earned 400 total points
ID: 8202665
The FTP problem is because of the nature of the FTP protocol:

1. The FTP client contacts the FTP host on port 21.
2. The FTP host sends a data transfer port, which can be any free port, to the client.
3. The client contacts the server on the port given in #2.
4. The server answers and the FTP session can start.

The reason for not sending both the data and the control stream on port 21 is to make sure that control traffic doesn't drown in the data traffic.

Your firewall is very intelligent: when it sees that an FTP session is started (= a session on port 21) it automatically opens up the correct port so that the FTP data transfer can take place.

When you place the FTP daemon on 10021 the firewall is not able to understand that you are using FTP. I would check the manual and see if there is any possibility to configure other ports as FTP ports.

HTTPS uses port 636 instead of port 80. If you try to connect using HTTP the web server will probably say something like "You must use HTTPS to contact me". When you use HTTPS the firewall should block because you have not opened the correct port. In this case it seems like the port is open, but you try to contact a page that is not available. Check your web site configuration.
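To make the accepted answer's point concrete, here is an added example (it is not code from this thread, nor Check Point's INSPECT code) that models what an FTP-aware firewall has to do on the control channel of a NATed server: parse the server's "227 Entering Passive Mode" reply and the client's PORT command, rewrite the private address to the public one, and open a pinhole for the data port. Everything else is treated as plain TCP, which is exactly what happens when the daemon listens on a port the firewall does not consider FTP. The addresses 192.168.10.5, 203.0.113.10 and 198.51.100.7, the port numbers and the `ftp_ports` set are constructed for the example.

```python
"""Model of a firewall's FTP inspection (ALG) for one NATed server.

Constructed example: addresses and ports below are made up for illustration.
"""
import re
from typing import List, Optional, Set, Tuple

# Six comma-separated decimals, as used by both the PORT command and the 227 reply.
HOSTPORT = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(rb"^227 [^\r\n]*?\(" + HOSTPORT + rb"\)", re.MULTILINE)
PORT_RE = re.compile(rb"^PORT " + HOSTPORT + rb"[ \t]*\r?$", re.MULTILINE)


def decode_hostport(m: "re.Match[bytes]") -> Tuple[str, int]:
    """Turn the six decimals of PORT / 227 into (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in FTP host/port tuple")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip: str, port: int) -> bytes:
    """Inverse of decode_hostport: b'h1,h2,h3,h4,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)]).encode()


class FtpAlg:
    """ftp_ports: control ports the firewall treats as FTP (what the thread's
    base.def macros control).  Any other port is plain TCP: no rewrite, no pinhole."""

    def __init__(self, ftp_ports: Set[int], private_ip: str, public_ip: str):
        self.ftp_ports = ftp_ports
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.pinholes: List[Tuple[str, int]] = []  # (ip, port) dynamically permitted

    def inspect_server_reply(self, control_port: int, payload: bytes) -> bytes:
        """Server -> client: rewrite a passive-mode reply and pinhole its data port."""
        if control_port not in self.ftp_ports:
            return payload  # not recognised as FTP: private address leaks to the client
        m = PASV_RE.search(payload)
        if m is None:
            return payload
        ip, port = decode_hostport(m)
        if ip != self.private_ip:
            return payload  # reply does not point at the NATed host; leave it alone
        self.pinholes.append((self.public_ip, port))  # allow the inbound data connection
        return payload[:m.start(1)] + encode_hostport(self.public_ip, port) + payload[m.end(6):]

    def inspect_client_command(self, control_port: int, payload: bytes) -> Optional[Tuple[str, int]]:
        """Client -> server: active-mode PORT; the server will connect out to this endpoint."""
        if control_port not in self.ftp_ports:
            return None
        m = PORT_RE.search(payload)
        if m is None:
            return None
        ip, port = decode_hostport(m)
        self.pinholes.append((ip, port))
        return ip, port

    def data_connection_allowed(self, ip: str, port: int) -> bool:
        return (ip, port) in self.pinholes


def simulate_passive_session(alg: FtpAlg, control_port: int) -> dict:
    """Replay the PASV exchange of the accepted answer through the ALG and report
    where the client ends up connecting and whether the firewall lets it through."""
    # Constructed server reply: data port 1537 (6*256 + 1) on the private address.
    server_reply = b"227 Entering Passive Mode (" + encode_hostport(alg.private_ip, 1537) + b")\r\n"
    seen_by_client = alg.inspect_server_reply(control_port, server_reply)
    ip, port = decode_hostport(PASV_RE.search(seen_by_client))
    return {
        "client_connects_to": (ip, port),
        "private_address_leaked": ip == alg.private_ip,
        "data_connection_allowed": alg.data_connection_allowed(ip, port),
    }


if __name__ == "__main__":
    for ports, ctl in (({21}, 21), ({21}, 10021), ({21, 10021}, 10021)):
        alg = FtpAlg(ports, "192.168.10.5", "203.0.113.10")
        print(f"ftp_ports={sorted(ports)} control_port={ctl}:", simulate_passive_session(alg, ctl))
```

With 21 as the control port the 227 reply reaches the client with the public address and the data port is permitted; with the daemon on 10021 and 10021 absent from `ftp_ports` the reply passes through untouched, the client is told to connect to 192.168.10.x, and nothing has opened the data port, which is the "lost somewhere" behaviour. Adding 10021 to the set is the firewall-side fix the thread goes on to describe.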

Author Comment

ID: 8202762
Concerning the FTP port :

When I try to connect to FTP port 10021, I can connect but the authentication does not succeed... ??

Concerning the HTTPS port :

It's 443 :-) and I suppose that my web configuration works fine because if I set a public IP on that server, it works fine ??

Weird isn't it ?

Expert Comment

ID: 8209524
Regarding ftp:

This behaviour is actually what you should expect from your configuration. I found a page that does a much better job at explaining things than I do (http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html).

If you look at the third figure (you are using PASV mode), the first thing your client does is connect. This goes well. The next thing is sending the PASV request. As the client never receives a positive answer, because the answer is blocked by your firewall, you never get the chance to do the authentication.

Regarding http:

Sorry for the mind slip. You are of course correct on the port number. I don't think I have really understood all aspects of this problem. Please correct me if I am misunderstanding something.

If you place the https server outside of the firewall it works (can be accessed through https://www.mysite.com)?

If you place the https server on the dmz and try to access it (through https://www.mysite.com) you get a 404?

Author Comment

ID: 8210188
Regarding FTP :

I'm reading the article :-)

Regarding HTTPS :

That's correct... still wondering why...

Expert Comment

ID: 8217939
For FTP you need to change the Check Point INSPECT code so it realizes that FTP is running on a different port.

Modify the macros "ftp_accept_port", "ftp_accept_port_enc", and "ftp_accept_port_clear" in $FWDIR/lib/base.def on the management console so that they will watch for FTP PORT commands on the different port from that specific server.

For more, see http://www.phoneboy.com/fom/fom.pl?_highlightWords=ftp%20port&file=126

Expert Comment

ID: 8217959
Oh, and for the HTTPS issue: is the web server set to only accept requests to a certain IP (e.g. the private address, which the client is not aware of)?

Author Comment

ID: 8231546
Regarding FTP, I will test it on monday,

For the HTTPS there is no IP limitation. As I said, when my web server has a public IP there's no connection problem, neither from outside nor from inside my LAN; it occurs only behind my DMZ...

Assisted Solution

jlindq earned 400 total points
ID: 8236752
For HTTPS: I suggest you set up a sniffer on the DMZ/web server to see what traffic actually gets there.

Also, my comment about the restricted IP is still valid, I think. When you are running on a public IP, the client requests "". It then uses as the server to connect to, but also sends a Host header to the server containing "". This is fine, since the server has this address.

However, if you NAT the server so it is now really on but NATed to the same public IP, the client connects to what it thinks is, which the FW translates to. So far the connection works. But then the Host header still tries to get a page from, and the server knows it's not its IP address.

This all depends on the setup of the server, of course.

I suggest you activate HTTP on the server and see if it works. If not, sniff the traffic to determine what's sent and received. If http works and https doesn't, then it's a server setting (unless you have some content filtering in the FW).

Oh, do you use the security servers for web traffic in the CP FW?

Expert Comment

ID: 8236972
jlindq is probably correct. If the host part of the HTTP header doesn't match the hostname that the server thinks it has, the HTTP server will ignore the request.

I suggest using Ethereal to sniff the traffic and confirm jlindq's theory. Ethereal is open source and can be found at http://www.ethereal.com.
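Before reaching for a sniffer, the Host-header theory from the two comments above can be tested directly. The probe below is an added example, not code from this thread and not IIS's behaviour: it opens a raw connection to one IP and sends the same GET with different Host values, so a server that answers 200 for its own name but 404 (or 403) for the public address is identified in two requests. The stand-in server in the same file binds a site to a hostname and rejects any other Host, which is the mismatch jlindq describes; 127.0.0.1, www.example.com and 203.0.113.10 are constructed values. The TLS path turns certificate verification off on purpose (this is diagnosis, not trust); note that a modern Python will refuse to handshake with an SSLv3/TLS 1.0-only server, so the plain-HTTP check jlindq suggests is the easier first step against a 2003-era IIS.

```python
"""Host-header probe for a web server behind NAT, plus a stand-in name-bound server.

Constructed example: addresses, names and ports are made up for illustration.
"""
import http.server
import socket
import ssl
import threading
from typing import Dict, Iterable, Tuple


def build_request(host_header: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 GET; only the Host value varies between probes."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host_header}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> int:
    """Return the numeric status code from the first line of a raw response."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def probe(ip: str, port: int, host_header: str, use_tls: bool = False, timeout: float = 5.0) -> int:
    """Connect to ip:port, send GET / with the given Host header, return the status code."""
    sock = socket.create_connection((ip, port), timeout=timeout)
    try:
        if use_tls:
            # Verification disabled deliberately: we are diagnosing the server, not trusting it.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host_header)
        sock.sendall(build_request(host_header))
        received = b""
        while b"\r\n\r\n" not in received:  # stop once the headers are in
            chunk = sock.recv(4096)
            if not chunk:
                break
            received += chunk
        return parse_status(received)
    finally:
        sock.close()


def compare_hosts(ip: str, port: int, hosts: Iterable[str], use_tls: bool = False) -> Dict[str, int]:
    """Probe one endpoint with several Host values; the diagnosis is in the differences."""
    return {h: probe(ip, port, h, use_tls) for h in hosts}


class _HostBoundHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for a server that only knows itself by certain names: 200 for a
    configured site, 404 for any other Host value (the NAT symptom in the thread)."""
    sites: frozenset = frozenset()

    def do_GET(self) -> None:
        host = (self.headers.get("Host") or "").split(":")[0]
        code, body = (200, b"ok") if host in self.sites else (404, b"no such site")
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the example quiet
        pass


def start_stub_server(sites: Iterable[str]) -> Tuple[http.server.HTTPServer, int]:
    """Serve the stand-in on 127.0.0.1 and an ephemeral port in a daemon thread."""
    handler = type("HostBoundHandler", (_HostBoundHandler,), {"sites": frozenset(sites)})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_stub_server(["www.example.com"])
    try:
        # Same IP, two Host values: the one the server is bound to, and the public address.
        print(compare_hosts("127.0.0.1", port, ["www.example.com", "203.0.113.10"]))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against the real server, run `compare_hosts` with the public IP, the private IP and the site's DNS name as Host values (plain HTTP first, then `use_tls=True`); if the code changes with the Host value while the TCP connection always succeeds, the firewall is passing traffic and the fix is in the web site's bindings, as the thread concludes.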

Expert Comment

ID: 8249544
Without knowing your domain config, I will take a stab at the possibility that you are running a Win 2000 AD combo and there is an authentication problem, not a NAT problem.

If the FTP server is outside the domain or is just a member server and you are logging in with a domain account, the login from the outside must be in the format username = yourdomain.com\username, with the yourdomain.com\ before the username. This account, domain or local, must have "log on locally" rights as well or no access will be granted.

Author Comment

ID: 8284048
Hello, sorry for the late answer but I had a lot of work...

I've configured the base.def file and added the statements... I can connect through the new FTP port, but I can connect only if I allow the high TCP ports from my FTP server; otherwise it's dropped by my firewall...

So incoming from the internet on the new FTP port: OK
NAT to my FTP server: OK
Outgoing from the FTP server: dropped. The source port is indeed the new FTP port I want, but the logs say that for the outgoing packets it's using service 1533 and then 1600 etc...

Do I have another choice ?

For the HTTPS I guess you're all right; how can I avoid this problem then? I'm using IIS 4.0.


Expert Comment

ID: 12490937
Most of the issues are solved. Split?
