Re: [FW1] Re: Web server in DMZ

Hi,

the route should be "NAT-IP via FW to Web-DMZ-or-FW-DMZ-Interface 1", so the packets with the NAT-IP will be routed to the DMZ interface of the FW. And, if you have enabled Anti-Spoofing, you should regard the outgoing Anti-Spoofing at the DMZ interface. What I mean: try to accept the translated IP at the DMZ interface of the FW. But first, turn logging for Anti-Spoofing on, for troubleshooting reasons.

Hope it helps, best regards
Matthias

Ivan More wrote:
> Hi Jeff,
>
> We have created the local.arp file and added the external web IP and the MAC of the FW-1 external interface, but still unsuccessful.
>
> In the log, it does show that it has accepted the http traffic to the web server (on W2K), but we still do not get the web page on our workstation (sitting on the same subnet as FW-1, for testing).
>
> We were able to ping (from the web server) the FW-1 DMZ interface. We are also able to ping the FW-1 external interface (Ver 4.0 on NT4) from the workstation (same subnet as FW-1).
>
> The FW-1 seems to be answering for the web server external IP, but it does not seem to route the traffic to the web server.
>
> We have added a route to the NT4:
>
>   Dest           Gateway         Interface       Metric
>   WEB_internal   DMZ interface   DMZ interface   1
>
> We tried to add a rule to allow traffic out from the web server:
>
>   Source         Destination     Service
>   Web (w NAT)    Any             HTTP
>
> Still no luck.
>
> If we remove the NAT (web server) and connect to the web server using its internal IP (DMZ subnet IP), we are able to get the home page.
>
> Any suggestions?
>
> Cheers,
> Ivan
>
> --- [email protected] wrote:
> > Ivan,
> >
> > *We do not have a local.arp file in the c:\winnt\fw\state directory, can we just create it and input the Web server External_ip and the Mac address of the FW external_ip.*
> >
> > You must create a local.arp. Try creating this file and you should be good to go. If not, let me know. Everything else looks fine.
> >
> > Jeff
> >
> > On Thu, 07 June 2001, Ivan More wrote:
> > >
> > > Hi,
> > >
> > > Thanks Jeff for the info, I am using FW-1 version 4.0 on NT4.
> > >
> > > Yes, we have added the route to the Route Table as below:
> > >
> > >   route add -p internal_ip mask 255.255.255.255 DMZ_interface metric 1
> > >
> > > We also added the arp, but we created a bat file to run during startup for the arp (we run this bat file before we do the test, will there be a problem?):
> > >
> > >   arp -s external_ip Mac_address FW1_external_ip
> > >
> > > We do not have a local.arp file in the c:\winnt\fw\state directory, can we just create it and input the Web server External_ip and the Mac address of the FW external_ip?
> > >
> > > How would I check if the FW-1 is answering the ARP request for the NATed address?
> > >
> > > We are still unsuccessful. What else did we miss?
> > >
> > > Cheers,
> > > Ivan
> > >
> > > --- [email protected] wrote:
> > > > Ivan,
> > > >
> > > > I have set up several web servers in DMZs. What type of firewall? Do you have a cluster? You may want to open the destination to any and check the log to see if the request is coming in to a different IP.
> > > >
> > > > Let me know if I can help you get up and running.
> > > >
> > > > Jeff
> > > >
> > > > -----Original Message-----
> > > > From: Ivan More [mailto:[email protected]]
> > > > Sent: Tuesday, June 05, 2001 3:00 AM
> > > > To: [email protected]
> > > > Cc: [email protected]
> > > > Subject: [FW1] Web server in DMZ
> > > >
> > > > Hi,
> > > >
> > > > We are trying to set up a web server in the DMZ for public access. But we are not successful.
> > > >
> > > >      Internet
> > > >      ********
> > > >          |
> > > >          |
> > > >          |
> > > >   -----------
> > > >   |         |              -----  DMZ
> > > >   |   FW    |--------------|   |  web server
> > > >   |         |              -----  internal IP 10.1.1.100
> > > >   |         | external IP
> > > >   -----------
> > > >          |
> > > >          |
> > > >       ******
> > > >       Office
> > > >
> > > > In our rule base we have:
> > > >
> > > >   source    destination           service
> > > >   Any       Web server            http
> > > >             NAT to external IP
> > > >
> > > > We did not see any traffic connecting to this web server even when we try to connect to it (not using VPN). What did I miss out?
> > > >
> > > > Any help will be appreciated. Thanks.
> > > >
> > > > Cheers,
> > > > Ivan
> > > >
> > > > Jeff Lightsey V.P.
> > > > 4582-E Kingwood Dr. #103
> > > > Kingwood, Texas 77345
> > > > [email protected]
> > > > www.checkyoursix.com

--
Dr. Matthias Leu
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1, D-85662 Hohenbrunn
tel: +49 8102 895 190, fax: +49 8102 895 199
http://www.aerasec.de
[email protected]
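The three pieces this thread keeps circling (the proxy-ARP entry in local.arp, a host route for the public address that sends it to the DMZ interface before translation, and the DMZ interface's anti-spoofing valid addresses) can be checked against each other before touching the firewall. The following checker is an added example written for this page; it is not Check Point code and not something any poster ran. It models Matthias's advice as a routing lookup performed on the untranslated public address, which is an assumption of the model; the interface names, addresses, MACs and the local.arp line are constructed sample values (only 10.1.1.100 comes from the thread), and the local.arp format is assumed to be one "IP MAC" pair per line with "#" comments.

```python
"""Consistency checker for a static-NAT web server on a DMZ interface.

Added example, not from the thread. All interface names, addresses and MACs
below are constructed; the host route and anti-spoofing checks model the
advice given in the thread (route the public NAT address to the DMZ
interface, and let the DMZ interface's valid addresses include it).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface            # address with prefix, e.g. 10.1.1.1/24
    mac: str
    # anti-spoofing "valid addresses" behind this interface (IPv4Network objects)
    valid_addresses: set = field(default_factory=set)


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    interface: str


def parse_local_arp(text):
    """Parse assumed local.arp format: '<ip> <mac>' per line, '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()
        entries[ipaddress.IPv4Address(ip)] = mac.lower()
    return entries


def lookup_route(routes, dest):
    """Longest-prefix match over a simple route list."""
    best = None
    for route in routes:
        if dest in route.dest and (best is None or route.dest.prefixlen > best.dest.prefixlen):
            best = route
    return best


def check_static_nat(public_ip, private_ip, ext, dmz, routes, local_arp):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    public = ipaddress.IPv4Address(public_ip)
    private = ipaddress.IPv4Address(private_ip)

    # 1. Proxy ARP: the firewall must answer ARP for the public address with its external MAC.
    mac = local_arp.get(public)
    if mac is None:
        findings.append(f"local.arp has no entry for {public}; firewall will not answer ARP")
    elif mac != ext.mac.lower():
        findings.append(f"local.arp maps {public} to {mac}, not the external MAC {ext.mac}")

    # 2. Modelled as in the thread: routing sees the untranslated public address,
    #    so that address needs a host route pointing at the DMZ interface.
    route = lookup_route(routes, public)
    chosen = route.interface if route else "no route"
    if route is None or route.interface != dmz.name:
        findings.append(f"route for {public} selects {chosen}; expected host route via {dmz.name}")

    # 3. Outbound anti-spoofing on the DMZ interface also sees the public destination.
    if dmz.valid_addresses and not any(public in net for net in dmz.valid_addresses):
        findings.append(f"{public} missing from anti-spoofing valid addresses of {dmz.name}")

    # 4. The real server address must live on the DMZ segment.
    if private not in dmz.address.network:
        findings.append(f"{private} is not on the {dmz.name} subnet {dmz.address.network}")
    return findings


# Constructed scenario: 10.1.1.100 is the thread's web server; everything else is made up.
EXT = Interface("external", ipaddress.IPv4Interface("198.51.100.1/24"), "00-A0-C9-12-34-56")
DMZ = Interface("dmz", ipaddress.IPv4Interface("10.1.1.1/24"), "00-A0-C9-65-43-21",
                {ipaddress.IPv4Network("10.1.1.0/24")})
PUBLIC, PRIVATE = "198.51.100.10", "10.1.1.100"
LOCAL_ARP = "198.51.100.10 00-A0-C9-12-34-56   # constructed local.arp line\n"
BASE_ROUTES = [Route(ipaddress.IPv4Network("0.0.0.0/0"), "external"),
               Route(ipaddress.IPv4Network("198.51.100.0/24"), "external"),
               Route(ipaddress.IPv4Network("10.1.1.0/24"), "dmz"),
               Route(ipaddress.IPv4Network("10.1.1.100/32"), "dmz")]  # host route for the internal IP only


def thread_state():
    """Configuration as described in the thread: host route for internal_ip, DMZ valid addresses = DMZ subnet."""
    return check_static_nat(PUBLIC, PRIVATE, EXT, DMZ, BASE_ROUTES, parse_local_arp(LOCAL_ARP))


def fixed_state():
    """Same setup with the two changes suggested in the reply applied."""
    routes = BASE_ROUTES + [Route(ipaddress.IPv4Network("198.51.100.10/32"), "dmz")]
    dmz = Interface(DMZ.name, DMZ.address, DMZ.mac,
                    DMZ.valid_addresses | {ipaddress.IPv4Network("198.51.100.10/32")})
    return check_static_nat(PUBLIC, PRIVATE, EXT, dmz, routes, parse_local_arp(LOCAL_ARP))


if __name__ == "__main__":
    for label, result in (("as described", thread_state()), ("after fix", fixed_state())):
        print(label, "->", result or "consistent")
```

Run as-is it reports two findings for the configuration as described (the public address is routed out the external interface, and it is absent from the DMZ anti-spoofing group) and none once the host route and valid-address entry are added. Turning anti-spoofing logging on, as the reply suggests, is the live counterpart of finding 3: a drop logged on the DMZ interface for the untranslated address is exactly what the model predicts.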