
RE: [FW1] Nat Confusion




Firstly, a timely warning - you should obfuscate 'real' IP addresses,
as this information should not be broadcast on a public mailing list
such as this - you never know who is watching.

I'm a bit confused - are your Web and DB servers multi-homed, and how
(multiple cards, or multiple IPs per card)? How many interfaces are
on your firewall?

If possible, I would use the following config:

[Internet]
    |
[Firewall] ---- [DMZ Net (192.168.X.0)]
    |
[Internal Net (10.10.X.0)]


This way you will not need to set up specific routes. You *will* have
to set up rules to allow access though:

1. On your Web server object, add a static NAT rule to the public IP
address. You will also have to set up a proxy ARP entry on the
firewall, so that the firewall answers ARP requests for the IP
address.
2. Add the following or similar rules:
   <internal machine> <db server> <sql*net or similar> <allow>  - to allow data uploads
   <internal machine> <web server> <ftp> <allow>  - to allow content updates
   <any> <web server> <http> <allow>  - to allow people to get to the machine

Alternatively, you can leave the machines in the Internal Net, and
NAT between their internal net IP addresses and the external
addresses. I wouldn't recommend this option as a matter of course,
but it can be used if money / equipment is limited.

Have you checked your logs to see what is happening? Are your gateway
settings correct?

-----Original Message-----
From: Rodrick Brown [mailto:[email protected]]
Sent: Thursday, 12 October 2000 1:43 p.m.
To: Little, Craig (SSI-GRPO52)
Cc: [email protected]
Subject: RE: [FW1] Nat Confusion 



Sorry, but I'm still lost.

Here is my setup:

                [Internet]
                    |
      [CheckPoint - Solaris FireWall Box]
         |                        |
[WebServer 192.168.0.2]   [DB Server 192.168.0.3]
         |________________________|
      10.X.1                   10.X.2

This is my exact setup.

I have my security policy defined and working.

I just need to know how to set up Check Point to say
"hey, I know that host 206.65.184.34 is my web server, let
me route it to 192.168.0.2", and the same for my DB machine.

You're telling me I can accomplish this with static routes??

My setup is exactly how it's shown above.

From what I'm reading, do I need to do this:

route add 206.65.184.34 192.168.0.2 
arp -s 206.65.184.34 08:20:d0:e8:68 

That's what I did, but when trying to access
206.65.184.34 it just hangs, then says can't connect.

I don't understand how Check Point would know to respond to that
IP if it's not bound locally to it on one of its interfaces. Please
show me the light =( as you can see I'm totally lost.

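The design described in the reply above (the firewall must answer ARP for the public address, static NAT then maps it to the DMZ host, and the rule base decides), as an added Python model; it is not code from this thread or from Check Point. The firewall object, its networks, service names and the RFC 5737 documentation addresses standing in for the public IPs are all constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model (not Check Point code) of the reply's DMZ design: a public
# address is only reachable if the firewall answers ARP for it (bound to an
# interface or published via proxy ARP); static NAT then maps it to the DMZ
# host and the rule base decides. Directly connected DMZ and internal networks
# need no extra routes. Addresses are constructed RFC 5737 examples.

@dataclass
class Firewall:
    interface_ips: set                               # addresses bound to NICs
    connected: list                                  # directly attached nets
    proxy_arp: set = field(default_factory=set)      # published with 'arp -s ... pub'
    static_nat: dict = field(default_factory=dict)   # public IP -> real DMZ IP
    rules: list = field(default_factory=list)        # (src_net, dst_ip, svc, action)

    def reachable(self, dst):
        """Can a packet for dst reach the firewall's inspection engine at all?"""
        if any(ip_address(dst) in ip_network(n) for n in self.connected):
            return True                              # routed on a connected net
        return dst in self.interface_ips or dst in self.proxy_arp

    def inbound(self, src, dst, service):
        """Return (outcome, real_dst); outcome is 'no-arp', 'accept' or 'drop'."""
        if not self.reachable(dst):
            return "no-arp", None      # nobody answers ARP: the client just hangs
        real_dst = self.static_nat.get(dst, dst)     # static destination NAT
        for src_net, rule_dst, svc, action in self.rules:
            if (ip_address(src) in ip_network(src_net)
                    and rule_dst == real_dst and svc == service):
                return action, real_dst
        return "drop", real_dst                      # implicit cleanup rule

def build_example():
    """Firewall from the reply: DMZ 192.168.X.0, internal 10.10.X.0."""
    fw = Firewall(interface_ips={"203.0.113.1", "192.168.0.1", "10.10.1.1"},
                  connected=["192.168.0.0/24", "10.10.0.0/16"])
    fw.static_nat["203.0.113.34"] = "192.168.0.2"   # public web IP -> DMZ web server
    fw.rules += [("10.10.0.0/16", "192.168.0.3", "sqlnet", "accept"),  # data uploads
                 ("10.10.0.0/16", "192.168.0.2", "ftp", "accept"),     # content updates
                 ("0.0.0.0/0", "192.168.0.2", "http", "accept")]       # public web
    return fw

if __name__ == "__main__":
    fw = build_example()
    print(fw.inbound("198.51.100.7", "203.0.113.34", "http"))  # ('no-arp', None)
    fw.proxy_arp.add("203.0.113.34")                           # the missing proxy ARP entry
    print(fw.inbound("198.51.100.7", "203.0.113.34", "http"))  # ('accept', '192.168.0.2')
```

Without the proxy ARP entry the model reports "no-arp", which is the symptom in the original question: the upstream router never learns who owns the public address, so the connection simply hangs.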


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


