
RE: [FW1] Re: Web server in DMZ



That is the WRONG route you added.
You should read up on how NT routes work (they are a bit different than Unix
in several instances).

1) Make sure that ROUTING is enabled in the NCPA. Regardless of what routes
you add, it will make no difference unless you have this enabled. This is
COMMONLY overlooked I have found.

2) You need a STATIC HOST ROUTE entry. These do not use GATEWAY or INTERFACE
address, nor do they require a mask (although you can put it in there if you
really want to). You use the External NAT'd address of the host and the real
internal address of the host.

For instance, if you wanted your host to be 200.200.200.200 on the Internet,
and your hosts REAL assigned internal address is 10.10.10.10, then you would
use this command to add the static route:

route add -p 200.200.200.200 10.10.10.10

3) check your 0.0.0.0 routes. They can sometimes cause problems if all are
same metric.

That's it... other than ALL the rest everyone has been repeating to you over
and over again ad infinitum for the last 3 days. If you still can't figure
this out, I suggest you might not have the requisite skills to administer
this firewall and you might want to consider some training prior to putting
your company at risk. Chesapeake Network Solutions or MentorTech would be
a good start.

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Ivan More
Sent: Friday, June 08, 2001 5:53 AM
To: [email protected]
Cc: [email protected]
Subject: [FW1] Re: Web server in DMZ



Hi Jeff,

We have created the local.arp file and added the
external web IP and the MAC of FW-1 external interface
but are still unsuccessful.

In the log, it does show that it has accepted the http
traffic to the web server (on W2K) but we still do not
get the web page on our workstation (sitting on the
same subnet as FW-1 - for testing).

We were able to ping (from web server) the FW-1 DMZ's
interface. We are also able to ping FW-1 external
interface (Ver 4.0 on NT4) from the workstation (same
subnet as fw-1).

The FW-1 seems to be answering for the web server
external IP but it does not seem to route the traffic
to the web server.

We have added a route to the NT4

Dest           Gateway       Interface      Metric
WEB_internal   DMZ interface DMZ interface  1

We tried to add a rule to allow traffic out from the web
server

Source        Destination    Service
Web (w NAT)   Any            HTTP

Still no luck.

If we remove the NAT (web server) and connect to the
web server using its internal IP (DMZ subnet IP), we
are able to get the home page.

Any suggestions?



Cheers,
Ivan

--- [email protected] wrote:
> Ivan,
>
> *We do not have a local.arp file in the
> c:\winnt\fw\state directory, can we just create it
> and
> input the Web server External_ip and the Mac address
> of the FW external_ip. *
>
> You must create a local.arp.  Try creating this file
> and you should be good to go.  If not let me know.
> Everything else looks fine.
>
> Jeff
>
>
> On Thu, 07 June 2001, Ivan More wrote:
>
> >
> > Hi,
> >
> > Thanks Jeff for the info, I am using FW-1 version 4.0
> > on NT4.
> >
> > Yes, we have added the route to the Route Table as
> > below
> >
> > route add -p internal_ip mask 255.255.255.255
> > DMZ_interface metric 1
> >
> > We also added the arp but we created a bat file to run
> > during startup for the arp (we run this bat file
> > before we do the test, will there be a problem)
> >
> > arp -s   external_ip   Mac address FW1_external_ip
> >
> > We do not have a local.arp file in the
> > c:\winnt\fw\state directory, can we just create it and
> > input the Web server External_ip and the Mac address
> > of the FW external_ip.
> >
> > How would I check if the FW-1 is answering the ARP
> > request for the NATed address?
> >
> > We are still unsuccessful. What else did we miss?
> >
> >
> > Cheers,
> > Ivan
> > --- [email protected] wrote:
> > > Ivan,
> > >
> > > I have set up several web servers in DMZ's. What
> > > type of firewall?  Do you have a cluster?  You may
> > > want to open the destination to any and check log to
> > > see if request coming in to a different IP.
> > >
> > > Let me know if I can help you get up and running.
> > >
> > > Jeff
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Ivan More [mailto:[email protected]]
> > > Sent: Tuesday, June 05, 2001 3:00 AM
> > > To: [email protected]
> > > Cc: [email protected]
> > > Subject: [FW1] Web server in DMZ
> > >
> > >
> > >
> > > Hi,
> > >
> > > We are trying to set up a web server in the DMZ for
> > > public access. But we are not successful.
> > >
> > >   Internet
> > >   ********
> > >      |
> > >      |
> > >      |
> > >      |
> > >      |
> > > -----------
> > > |          |
> > > |          |           ----- DMZ
> > > |   FW     |-----------|   | web server
> > > |          |           ----- internal IP 10.1.1.100
> > > |          |                 external IP
> > > ------------
> > >      |
> > >      |
> > >   ******
> > >   Office
> > >
> > >
> > > In our rule base we have
> > >
> > > source    destination    service
> > > Any       Web server     http
> > >           NAT to
> > >           external IP
> > >
> > > We did not see any traffic connecting to this web
> > > server even when we try to connect to it (not using
> > > VPN). What did I miss out?
> > >
> > >
> > > Any help will be appreciated. Thanks.
> > >
> > >
> > > Cheers,
> > > Ivan
> > >
> > > Jeff Lightsey V.P.
> > > 4582-E Kingwood Dr. #103
> > > Kingwood, Texas 77345
> > > [email protected]
> >
> >
> >
>
>
> Jeff Lightsey V.P.
>
> 4582-E Kingwood Dr. #103
>
> Kingwood, Texas 77345
>
> [email protected]
>
> www.checkyoursix.com




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================




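Ivan asks in the thread above how to check whether FW-1 is actually answering ARP for the NATed web address, and the final reply insists on a local.arp entry mapping that address to the firewall's external MAC. The script below is an added example written for this archive page; it is not code from the list, from Check Point or from any poster. It assumes FW-1's local.arp holds one "IP MAC" pair per line (comment handling is an assumption) and that the test workstation is Windows, whose `arp -a` prints dash-separated MACs. The local.arp content, the `arp -a` output and the firewall external address 200.200.200.1 are constructed sample data. The procedure it automates is the one a practitioner would run by hand: from a workstation on the firewall's external subnet, ping the NATed address and the firewall's real external IP, then read `arp -a` to see which MAC answered for each.

```python
"""Check whether a NATed address is being answered by the firewall's MAC.

Added example for this FW-1 list thread, not code from the list or from
Check Point. Assumes local.arp holds one 'IP MAC' pair per line and that
`arp -a` is Windows-style (dashed MACs). All sample data is constructed.
"""
import re

# Constructed local.arp, as the thread describes it: the NATed web IP
# published with the MAC of the firewall's external interface. Two extra
# entries are included so every outcome of the check is exercised.
LOCAL_ARP = """\
# nat_ip            mac of FW-1 external interface   (comment line assumed OK)
200.200.200.200     00-A0-C9-12-34-56
200.200.200.201     00-A0-C9-12-34-56
200.200.200.202     00-A0-C9-12-34-56
"""

# Constructed `arp -a` from a workstation on the external subnet, taken after
# pinging the firewall's external IP and each NATed address.
ARP_A = """\

Interface: 200.200.200.50 on Interface 0x1000003
  Internet Address      Physical Address      Type
  200.200.200.1         00-a0-c9-12-34-56     dynamic
  200.200.200.200       00-a0-c9-12-34-56     dynamic
  200.200.200.202       00-50-56-ab-cd-ef     dynamic
  200.200.200.77        00-50-56-ab-cd-ef     dynamic
"""

FW_EXTERNAL_IP = "200.200.200.1"   # assumed address of FW-1's external interface

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


def normalize_mac(mac):
    """Canonicalize a MAC to lower-case, colon-separated form.

    local.arp on NT and `arp -a` both use dashes; Unix tools use colons, so
    comparisons are done on one normalized spelling.
    """
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac


def parse_local_arp(text):
    """local.arp -> {nat_ip: mac}. Blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()[:2]
        table[ip] = normalize_mac(mac)
    return table


def parse_arp_a(text):
    """Windows `arp -a` output -> {ip: mac}.

    Header and 'Interface:' lines are dropped because their second field
    is not a MAC address.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.match(parts[1]):
            table[parts[0]] = normalize_mac(parts[1])
    return table


def check_proxy_arp(local_arp_text, arp_a_text, fw_external_ip):
    """For each NATed IP in local.arp, report who answered ARP on the wire.

    Returns {nat_ip: status} with status one of:
      'firewall'         the cache holds the MAC local.arp publishes, and it
                         is the same MAC the firewall's real external IP has
      'no-answer'        nothing answered: FW-1 is not doing proxy ARP for
                         that address (local.arp not loaded, wrong IP, ...)
      'other-host'       something answered with a different MAC: another
                         host owns the IP, or local.arp carries a wrong MAC
      'mac-not-firewall' local.arp and the wire agree, but that MAC is not
                         the one seen for the firewall's external interface
    """
    configured = parse_local_arp(local_arp_text)
    seen = parse_arp_a(arp_a_text)
    fw_mac = seen.get(fw_external_ip)   # None if the firewall was not pinged
    result = {}
    for nat_ip, published in configured.items():
        got = seen.get(nat_ip)
        if got is None:
            result[nat_ip] = "no-answer"
        elif got != published:
            result[nat_ip] = "other-host"
        elif fw_mac is not None and got != fw_mac:
            result[nat_ip] = "mac-not-firewall"
        else:
            result[nat_ip] = "firewall"
    return result


if __name__ == "__main__":
    for ip, status in sorted(check_proxy_arp(LOCAL_ARP, ARP_A, FW_EXTERNAL_IP).items()):
        print("%-16s %s" % (ip, status))
```

Replace the two constructed strings with the real local.arp and the real `arp -a` output to use it. An entry that comes back "no-answer" means the firewall never answered the ARP request for the NATed address, which is the symptom to settle before touching routes or rules; "other-host" points at an address conflict or a typo in local.arp.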



 