Hello,

I'd like to forward one of the ports normally used by a standard server (in my case port 21 FTP) for a server that's not FTP. I need this because one of the sites I visit has a very restrictive out-going firewall, but does allow out-going connections to port 21.

If I "Allow" the FTP server on the Servers tab, and point it to the right host, connections are intercepted by the Z100G because he notices that they aren't valid FTP traffic.

If I clear the "Allow" checkbox and create a rule a "Allow and Forward" rule for port 21, it doesn't work because none of the traffic is allowed through due to "Policy Rule".

So in a nutshell, how do I get non-FTP traffic forwarded to one of my hosts?

Two options -
1) Create a new rule:
Allow and Forward
Custom Service (TCP Port 21)
Source = ANy (or specified)
Destination = This Gateway
Rule Options -
Forward this connection to Specified IP
Check Redirect to Port xxx
where xxx is the port. sounds like you got the server listening on port 21. Maybe change it to listen on port xxx. When you go out of the source looking for port 21 the z100 should nat it to xxx.

I can't really test it. But the PORT NAT may be able to work. You could also play with smart defense to not be so restrictive on port 21/ftp but not sure that would work either.

Thanks, you gave me just the clue I needed. I had destination set to ANY, switching it to This Gateway as you suggested (without the redirect) got everything working.

Of course, I would think that "ANY" would include "This Gateway", so I don't understand why that change made it work, but I'm happy that it did.

I know on REAL checkpoint software, trying to write a rule like:

"any any NAT-TO any specific" would fail and give an error message before you could save it.

but

"any Specific1 NAT-TO and specific2" would work ok.