RE: [FW1] Nat Confusion
Firstly, a timely warning - you should obfuscate 'real' IP addresses, as this information should not be broadcast on a public mailing list such as this - you never know who is watching.

I'm a bit confused - are your Web and DB servers multi-homed, and how (multiple cards, or multiple IPs per card)? How many interfaces are on your firewall?

If possible, I would use the following config:

    [Internet]
        |
    [Firewall] ---- [DMZ Net (192.168.X.0)]
        |
    [Internal Net (10.10.X.0)]

This way you will not need to set up specific routes. You *will* have to set up rules to allow access though:

1. On your Web server object, add a static NAT rule to the public IP address. You will also have to set up a proxy ARP entry on the firewall, so that the firewall answers ARP requests for the IP address.

2. Add the following or similar rules:

    <internal machine>  <db server>   <sql*net or similar>  <allow>   To allow data uploads
    <internal machine>  <web server>  <ftp>                 <allow>   To allow content updates
    <any>               <web server>  <http>                <allow>   To allow people to get to the machine

Alternatively, you can leave the machines in the Internal Net, and NAT between their internal net IP addresses and the external addresses. I wouldn't recommend this option as a matter of course, but it can be used if money / equipment is limited.

Have you checked your logs to see what is happening? Are your gateway settings correct?

-----Original Message-----
From: Rodrick Brown [mailto:[email protected]]
Sent: Thursday, 12 October 2000 1:43 p.m.
To: Little, Craig (SSI-GRPO52)
Cc: [email protected]
Subject: RE: [FW1] Nat Confusion

Sorry, but I'm still lost. Here is my setup:

    [Internet]
        |
    [CheckPoint - Solaris FireWall Box]
        |                         |
    [WebServer 192.168.0.2]   [DB Server 192.168.0.3]
        |_________________________|
      10.X.1                    10.X.2

This is my exact setup. I have my security policy defined and working. I just need to know how to set up Check Point to say "hey, I know that host 206.65.184.34 is my web server, let me route it to 192.168.0.2", and the same for my DB machine. You're telling me I can accomplish this with static routes?? My setup is exactly how it's shown above.

From what I'm reading, do I need to do this:

    route add 206.65.184.34 192.168.0.2
    arp -s 206.65.184.34 08:20:d0:e8:68

That's what I did, but when trying to access 206.65.184.34 it just hangs, then says can't connect. I don't understand how Check Point would know to respond to that IP if it's not bound locally to it on one of its interfaces. Please show me the light =( As you can see I'm totally lost.
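The two things the reply asks for in step 1, a static NAT entry and a proxy ARP entry, and the hang described in the quoted message when the second is missing, modelled as a small added example. This is not code from the thread and not Check Point's implementation: the public addresses 203.0.113.34/35 (RFC 5737 documentation space) and the firewall MAC are constructed placeholders standing in for the real ones, and "translate the destination, then match the rulebase" is the model's own simplification rather than a statement of how FW-1 orders enforcement.

```python
# Added example (not from the thread, not Check Point code): a toy model of a
# firewall that publishes addresses it does not own. Two mechanisms are needed:
#   1. proxy ARP   - answer "who-has <public IP>" with the firewall's own MAC,
#                    so the upstream router sends those frames to the firewall;
#   2. static NAT  - rewrite public -> DMZ on the way in, DMZ -> public on the
#                    way out, so the DMZ host sees and answers the connection.
# All addresses and the MAC below are constructed placeholders.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

FW_EXT_MAC = "00:00:5e:00:53:01"   # constructed: firewall's external interface MAC

# Static NAT table (step 1 of the reply): public address -> DMZ address.
# 203.0.113.x is RFC 5737 documentation space, used here instead of a real IP.
STATIC_NAT = {
    "203.0.113.34": "192.168.0.2",  # web server
    "203.0.113.35": "192.168.0.3",  # db server
}

# Rulebase from step 2 of the reply: (source zone, destination, service, action).
# Destinations are the DMZ addresses the rules are written against.
RULES = [
    ("internal", "192.168.0.3", "sqlnet", "allow"),  # data uploads
    ("internal", "192.168.0.2", "ftp",    "allow"),  # content updates
    ("any",      "192.168.0.2", "http",   "allow"),  # public web access
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def proxy_arp_reply(target_ip: str) -> Optional[str]:
    """Answer an ARP who-has seen on the external interface.

    The firewall replies with its own MAC for every published address even
    though none of them is bound to a firewall interface. Without this entry
    nobody answers, the router never learns where to send the frame, and the
    client simply hangs until it times out."""
    return FW_EXT_MAC if target_ip in STATIC_NAT else None


def zone_of(ip: str) -> str:
    """Crude zone lookup for the model: 10.x is the internal net."""
    return "internal" if ip.startswith("10.") else "external"


def rule_action(pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit drop."""
    zone = zone_of(pkt.src)
    for src_zone, dst, svc, action in RULES:
        if src_zone in ("any", zone) and dst == pkt.dst and svc == pkt.service:
            return action
    return "drop"


def inbound(pkt: Packet) -> Tuple[str, Packet]:
    """Translate a public destination to its DMZ address, then match rules."""
    if pkt.dst in STATIC_NAT:
        pkt = replace(pkt, dst=STATIC_NAT[pkt.dst])
    return rule_action(pkt), pkt


def outbound(pkt: Packet) -> Packet:
    """Reverse translation for replies: DMZ source -> public source."""
    reverse = {dmz: pub for pub, dmz in STATIC_NAT.items()}
    if pkt.src in reverse:
        pkt = replace(pkt, src=reverse[pkt.src])
    return pkt


def connect(src: str, public_ip: str, service: str) -> str:
    """What an outside client experiences end to end.

    ARP resolution happens before any route or rule on the firewall is
    consulted, which is why a missing proxy ARP entry looks like a hang
    rather than a clean refusal."""
    if proxy_arp_reply(public_ip) is None:
        return "hang: no ARP reply for " + public_ip
    action, pkt = inbound(Packet(src, public_ip, service))
    return f"{action}: {pkt.src} -> {pkt.dst} ({pkt.service})"


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed outside client (RFC 5737 space)
    print(connect(client, "203.0.113.34", "http"))    # published: allowed
    print(connect(client, "203.0.113.35", "sqlnet"))  # published, but no rule
    print(connect(client, "203.0.113.99", "http"))    # not published: hangs
    reply = outbound(Packet("192.168.0.2", client, "http"))
    print(f"reply leaves as {reply.src} -> {reply.dst}")
```

The third `connect` call is the symptom from the quoted message: a route on the firewall and an ARP entry on the wrong host do nothing for an address no one answers ARP for on the external segment, so the client hangs instead of being refused. The second call shows the other half of the picture: once proxy ARP and NAT are in place, what reaches the DB server is still decided by the rulebase, and an unmatched service is dropped even though the address is published.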