RE: [FW1] Web server in DMZ



Ivan,

The format of your static route should be as follows:

route add -p <external valid IP address> mask 255.255.255.255 <internal non-routable IP address>

The intent is as follows:  Anything that is trying to get to that valid
address should be forced directly to the internal IP address of the server
in question (or the router that will get it there if a router is between the
firewall and the destination server).  Under NT 4, I also strongly recommend
sticking to Check Point's recommended local.arp format to ensure the
firewall is always ARPing for the external addresses in question:

<external IP address><TAB><MAC address of firewall NIC answering for that address>

Hope this helps.

Daniel R. Mengel, MCSE, CCSE
Lead Technologist - Data Security
Info Systems, Inc. - www.infosysinc.com
Balt/Wash - Central PA - Dover - Phila - Wilmington
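
An added example, not part of the original message or of Check Point's documentation: a small Python helper that renders the route command and the local.arp line in the format described above for each static NAT mapping, and rejects swapped or malformed arguments. The external address 192.0.2.10 and the MAC are constructed sample values; the MAC separator style is kept as supplied, since the message does not specify it.

```python
import ipaddress
import re

# RFC 1918 ranges: the "internal non-routable" side of a static NAT mapping.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Six hex octets with one consistent separator ("-" or ":").
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def static_nat_entry(external_ip, internal_ip, firewall_mac):
    """Return (route_command, local_arp_line) for one static NAT mapping."""
    ext = ipaddress.IPv4Address(external_ip)    # raises ValueError if malformed
    inside = ipaddress.IPv4Address(internal_ip)
    if is_rfc1918(ext):
        raise ValueError(f"{ext} is non-routable; route destination must be the external address")
    if not is_rfc1918(inside):
        raise ValueError(f"{inside} is not an internal non-routable address")
    if not MAC_RE.match(firewall_mac):
        raise ValueError(f"bad MAC address: {firewall_mac!r}")
    # Host route: traffic for the valid address goes straight to the server.
    route = f"route add -p {ext} mask 255.255.255.255 {inside}"
    # local.arp line: external address, a literal TAB, MAC of the answering NIC.
    arp_line = f"{ext}\t{firewall_mac}"
    return route, arp_line


def render(mappings, firewall_mac):
    """Build all route commands and the local.arp text for several mappings."""
    routes, arp_lines, seen = [], [], set()
    for external_ip, internal_ip in mappings:
        key = ipaddress.IPv4Address(external_ip)
        if key in seen:
            raise ValueError(f"duplicate external address {key}")
        seen.add(key)
        route, arp_line = static_nat_entry(external_ip, internal_ip, firewall_mac)
        routes.append(route)
        arp_lines.append(arp_line)
    return "\n".join(routes), "\n".join(arp_lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: 10.1.1.100 is the web server from the thread.
    cmds, local_arp = render([("192.0.2.10", "10.1.1.100")], "00-A0-C9-12-34-56")
    print(cmds)
    print(local_arp, end="")
```
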



-----Original Message-----
From: Ivan More [mailto:[email protected]]
Sent: Thursday, June 07, 2001 6:12 AM
To: James Clarke; [email protected]
Subject: RE: [FW1] Web server in DMZ



Hi,

Thanks for the many responses. We are using FW-1
version 4.0 on NT4.

Yes, we have added the route to the Route Table as
below

route add -p internal_ip mask 255.255.255.255 DMZ_interface metric 1

We also added the arp, but we created a bat file to run
during startup for the arp (we run this bat file
before we do the test; will there be a problem?)

arp -s   external_ip   Mac address  FW1_external_ip

We do not have a local.arp file in the
c:\winnt\fw\state directory. Can we just create it and
input the Web server External_ip and the Mac address
of the FW external_ip?

We are using Stat NAT.

How would I check if the FW-1 is answering the ARP
request for the NATed address?

We are still unsuccessful. What else did we miss?


Cheers,
Ivan

--- James Clarke <[email protected]> wrote:
> Have you set up the static route and the local.arp
> file to reflect the
> internal static NAT?  Also what platform are you on?
> 
> James.
> 
> -----Original Message-----
> From: Ivan More [mailto:[email protected]]
> Sent: 05 June 2001 11:00
> To: [email protected]
> Cc: [email protected]
> Subject: [FW1] Web server in DMZ
> 
> 
> 
> Hi,
> 
> We are trying to set up a web server in the DMZ for
> public access. But we are not successful.
> 
>   Internet
>   ******** 
>      |
>      |
>      |
>      |
>      |
> -----------
> |          |
> |          |           ----- DMZ
> |   FW     |-----------|   | web server 
> |          |           ----- internal IP 10.1.1.100
> |          |                 external IP 
> ------------
>      |
>      |
>   ******
>   Office
> 
> 
> In our rule base we have
> 
> source    destination    service 
> Any       Web server     http
>           NAT to 
>           external IP
> 
> We did not see any traffic connecting to this web
> server even when we try to connect to it (not using
> VPN). What did I miss out?
> 
> 
> Any help will be appreciated. Thanks.
> 
> 
> Cheers,
> Ivan
> 
> _______________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.ca address at
> http://mail.yahoo.ca
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
> ================================================================================





 
   All contents © 2004 Network Presence, LLC. All rights reserved.