Punch in a sniffer and see what is happening on that outside interface.
Ping the webserver's outside IP address from the router console (assuming you have a rule to allow icmp-echo/reply).
View the sniffer data and see if you get an ARP reply (make sure to clear the arp cache on the router first...hehe)
No ARP reply from the firewall, NO SOUP FOR YOU!!
Do not collect $200, go directly to....
If you had local.arp configured properly as well as a rule to allow http to your DMZ bastion host, then you SHOULD see some "accept" log entries with xlated destination/source addresses.
If not, then your ARP settings might not be working. (In CCSE/2000 class they hammered into us that this file and many others are sensitive to extraneous formatting and control characters.)
I would verify that ARP and static routes are working first.
Make sure your route 0.0.0.0 is for the outside interface as well.
I generally have a stealth rule that prevents any access to my firewall's real IPs.
The only ports that will ever be open are the ones necessary via implied rules (AAA, log, mgmt etc).
----- Original Message -----
Sent: Friday, September 22, 2000 4:16 PM
Subject: RE: [FW1] NAT and DMZ routing
I've already done all of this and it's still not working properly.
I can even ping my firewall's external interface from the web server, but I can't get out to the internet on it.
Nor can anything on the internet access my webserver.

You have to create an entry in local.arp for the outside IP address of the webserver and the MAC of your outside interface.
You then need to create a static route entry for that IP to the IP of the firewall-1 interface on your DMZ leg.
You then need to define a static NAT translation rule to change the IP of the webserver to the DMZ/outside IP depending on the direction of traffic.
You can do the same for the inside leg if you want your bastion accessible from your localnets.
----- Original Message -----
Sent: Friday, September 22, 2000 2:52 PM
Subject: [FW1] NAT and DMZ routing
Hi there,
I am having a problem with the DMZ setup that I am trying to implement and I hope to borrow some of everyone's expertise to help me solve this.
I have a FW-1 4.1 sp2 running on a WinNT 4.0 sp5 box. It has 3 interfaces:
External: Routable Address
Internal: 192.168.0.1 (255.255.255.0) (Hide NAT to the external address of the firewall)
DMZ: 172.16.0.1 (255.255.0.0)
I have a web server in the DMZ (172.16.0.5) and it's NATed to a static routable address. I can hit the web server from both the firewall itself and the internal network but I cannot access it from the internet.
The ruleset is any any any accept and I don't see any drops or rejects in the logs at all. I've turned on every scrap of logging I could find. I've created an entry in the local.arp file (translated address to external MAC of the firewall) and added a persistent static route from the translated address to the internal address for the web server.
Is there something that I'm totally missing?
All help is greatly appreciated!
Rob Michayluk
Computing Network Services
ACD Systems Ltd.
[email protected]
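The middle reply lists the three pieces a static-NAT DMZ host needs (local.arp entry, static route, NAT rule) and the top reply warns that local.arp is sensitive to stray formatting and control characters. The following checker is an added example, not code from the thread or from Check Point; it assumes the NT-era local.arp layout of one "<public IP> <MAC of outside interface>" entry per line with a hyphen-separated MAC, and the sample file contents and addresses are constructed.

```python
import ipaddress
import re

# Assumed local.arp line format (FW-1 on NT): "<public IP> <MAC>", MAC with hyphens.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")

def check_local_arp(text, expected):
    """Return (line_no, problem) findings for the contents of a local.arp file.

    `expected` maps each statically NATed public IP to the MAC the firewall's
    outside interface should answer with (so proxy-ARP actually happens)."""
    findings = []
    seen = {}
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")  # CRLF is native on NT, so a trailing CR is fine
        # Any other non-printable character is exactly the kind of debris that
        # makes FW-1 silently ignore the entry; report it and parse without it.
        bad = [c for c in line if not c.isprintable() and c != "\t"]
        if bad:
            findings.append((no, "control character(s) %r" % bad))
            line = "".join(c for c in line if c.isprintable() or c == "\t")
        if line.strip() == "" or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            findings.append((no, "expected '<ip> <mac>', got %d field(s)" % len(parts)))
            continue
        ip, mac = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, "invalid IP %r" % ip))
            continue
        if not MAC_RE.match(mac):
            findings.append((no, "MAC %r not in xx-xx-xx-xx-xx-xx form" % mac))
        if ip in seen:
            findings.append((no, "duplicate entry for %s (first at line %d)" % (ip, seen[ip])))
        seen.setdefault(ip, no)
        if ip in expected and mac.lower() != expected[ip].lower():
            findings.append((no, "MAC for %s is not the outside interface MAC" % ip))
    for ip in expected:  # a NATed host with no ARP entry never gets its reply
        if ip not in seen:
            findings.append((0, "no local.arp entry for NATed address %s" % ip))
    return findings

# Constructed sample: documentation-range public addresses, made-up MACs,
# a stray NUL on line 1 and a wrongly formatted MAC on line 2.
SAMPLE = "198.51.100.10 00-50-04-AA-BB-CC \x00\n198.51.100.11 0050.04AA.BBCC\n"
EXPECTED = {"198.51.100.10": "00-50-04-AA-BB-CC", "198.51.100.12": "00-50-04-AA-BB-CC"}

if __name__ == "__main__":
    for line_no, problem in check_local_arp(SAMPLE, EXPECTED):
        print("line %d: %s" % (line_no, problem))
```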