RE: [FW1] NAT and DMZ routing
You need to determine how far along the route the packets get. Does the firewall see the packets? I.e., you will see log entries. If they are green, then you have a routing/translation issue; if they are red, you have a rulebase issue. If there are no log entries, then the firewall simply isn't seeing the packets.

To check that ARP is working, you need to go to a device on the external network, other than the firewall, and ping the external address of the web server. You won't get a response, but check the ARP cache of the device to see if the ARP was correctly resolved. If it was, then you will see entries in the log for the pings. This means if a packet made it to this part of the network, it would hit the firewall. You then need to focus your attention on your internet router. Have the ACLs been changed to accept inbound connections to the web server? If it didn't resolve, then check the local.arp file.

Paul Murphy

-----Original Message-----
From: Rob Michayluk [mailto:[email protected]]
Sent: 22 September 2000 19:53
To: [email protected]
Subject: [FW1] NAT and DMZ routing

Hi there,

I am having a problem with the DMZ setup that I am trying to implement and I hope to borrow some of everyone's expertise to help me solve this.

I have a FW-1 4.1 SP2 running on a Windows NT 4.0 SP5 box. It has 3 interfaces:

External: Routable address
Internal: 192.168.0.1 (255.255.255.0) (Hide NAT to the external address of the firewall)
DMZ: 172.16.0.1 (255.255.0.0)

I have a web server in the DMZ (172.16.0.5) and it's NATed to a static routable address. I can hit the web server from both the firewall itself and the internal network, but I cannot access it from the internet. The ruleset is any any any accept and I don't see any drops or rejects in the logs at all. I've turned on every scrap of logging I could find.
I've created an entry in the local.arp file (translated address to external MAC of the firewall) and added a persistent static route from the translated address to the internal address for the web server. Is there something that I'm totally missing? All help is greatly appreciated!

Rob Michayluk
Computing Network Services
ACD Systems Ltd.
[email protected]
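The two pieces of plumbing the thread turns on are the local.arp entry (translated address mapped to the firewall's external MAC, so outside hosts can ARP for it) and the host route from the translated address to the real DMZ address. The following checker is an added example, not code from either poster or from Check Point; it assumes a Windows NT style local.arp (one "address MAC" pair per line, dash-separated MAC), a route table reduced to (destination, mask, gateway) tuples, and constructed sample values (203.0.113.10 as the translated address).

```python
import ipaddress
import re

# Constructed sample: a local.arp file in the "translated-address MAC" form
# (MAC format assumed; FW-1 on NT is documented with dash-separated MACs).
LOCAL_ARP = """\
# proxy-ARP entries for static NAT addresses
203.0.113.10 00-50-56-AB-CD-EF
"""

# Constructed sample of the firewall's static routes: (destination, mask, gateway).
ROUTES = [
    ("203.0.113.10", "255.255.255.255", "172.16.0.5"),
    ("0.0.0.0", "0.0.0.0", "203.0.113.1"),
]

def normalize_mac(mac):
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %s" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_local_arp(text):
    """Map each translated address to its (normalized) proxy-ARP MAC."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, mac = line.split()
        entries[str(ipaddress.ip_address(ip))] = normalize_mac(mac)
    return entries

def check_static_nat(local_arp_text, routes, fw_external_mac, nat_map):
    """Return a list of findings; an empty list means the plumbing looks right.
    nat_map is {translated_address: real_dmz_address}."""
    findings = []
    arp = parse_local_arp(local_arp_text)
    want_mac = normalize_mac(fw_external_mac)
    host_routes = {dst: gw for dst, mask, gw in routes if mask == "255.255.255.255"}
    for translated, real in nat_map.items():
        mac = arp.get(translated)
        if mac is None:
            findings.append("%s: no local.arp entry, outside hosts cannot ARP it" % translated)
        elif mac != want_mac:
            findings.append("%s: local.arp MAC %s is not the external interface MAC" % (translated, mac))
        gw = host_routes.get(translated)
        if gw is None:
            findings.append("%s: no host route, firewall cannot forward to %s" % (translated, real))
        elif gw != real:
            findings.append("%s: host route points at %s, expected %s" % (translated, gw, real))
    return findings
```

If the checker comes back clean but outside hosts still cannot reach the server, the remaining suspect is upstream of the firewall, as the reply says: confirm the ARP resolves from another host on the external segment and look at the router's inbound ACLs.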