NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Web server in DMZ



Hi,

I still don't see my previous mail (since Monday,
today is Friday) to the mailing list therefore I am
sending it again. (This is a good mailing list except
that it is slow)

This is to thank all of you for your helpful advises,
we have got the web server working now.

The problem was we thought by having a route for our
web server internal IP to the DMZ interface is enough.
But I guess we would wrong.

Therefore, by adding a route for our web server
external IP to the Internal IP solved the problem.

Thanks again.


Cheers,
Ivan



--- Dan Mengel <[email protected]> wrote:
> 
> Ivan,
> 
> The format of your static route should be as
> follows:
> 
> route add -p <external valid IP address> mask
> 255.255.255.255 <internal
> non-routable IP address>
> 
> The intent is as follows:  Anything that is trying
> to get to that valid
> address should be forced directly to the internal IP
> address of the server
> in question (or the router that will get it there if
> a router is between the
> firewall and the destination server).  Under NT 4, I
> also strongly recommend
> sticking to Check Point's recommended local.arp
> format to ensure the
> firewall is always ARPing for the external addresses
> in question:
> 
> <external IP address><TAB><MAC address of firewall
> NIC answering for that
> address>
> 
> Hope this helps.
> 
> Daniel R. Mengel, MCSE, CCSE
> Lead Technologist - Data Security
> Info Systems, Inc. - www.infosysinc.com
> Balt/Wash - Central PA - Dover - Phila - Wilmington
> 
> 
> 
> -----Original Message-----
> From: Ivan More [mailto:[email protected]]
> Sent: Thursday, June 07, 2001 6:12 AM
> To: James Clarke;
> [email protected]
> Subject: RE: [FW1] Web server in DMZ
> 
> 
> 
> Hi,
> 
> Thanks for the many response, we are using FW-1
> version 4.0 on NT4. 
> 
> Yes, we have added the route to the Route Table as
> below
> 
> route add -p internal_ip mask 255.255.255.255
> DMZ_interface metric 1
> 
> We also added the arp but we created a bat file to
> run
> during startup for the arp (we run this bat file
> before we do the test, will there be a problem)
> 
> arp -s   external_ip   Mac address  FW1_external_ip
> 
> We do not have a local.arp file in the
> c:\winnt\fw\state directory, can we just create it
> and
> input the Web server External_ip and the Mac address
> of the FW external_ip.
> 
> We are using Stat NAT.
> 
> How would I check if the FW-1 is answering the ARP
> request for the NATed address?
> 
> We are still unsuccessful. What else did we missed?
> 
> 
> Cheers,
> Ivan
> 
> --- James Clarke <[email protected]> wrote:
> > Have you set up the static route and the local.arp
> > file to reflect the
> > internal static NAT?  Also what platform are you
> on?
> > 
> > James.
> > 
> > -----Original Message-----
> > From: Ivan More [mailto:[email protected]]
> > Sent: 05 June 2001 11:00
> > To: [email protected]
> > Cc: [email protected]
> > Subject: [FW1] Web server in DMZ
> > 
> > 
> > 
> > Hi,
> > 
> > We are trying to setup a web server in the DMZ for
> > public access. But we are not successful. 
> > 
> >   Internet
> >   ******** 
> >      |
> >      |
> >      |
> >      |
> >      |
> > -----------
> > |          |
> > |          |           ----- DMZ
> > |   FW     |-----------|   | web server 
> > |          |           ----- internal IP
> 10.1.1.100
> > |          |                 external IP 
> > ------------
> >      |
> >      |
> >   ******
> >   Office
> > 
> > 
> > In our rule base we have
> > 
> > source    destination    service 
> > Any       Web server     http
> >           NAT to 
> >           external IP
> > 
> > We did not see any traffic connecting to this web
> > server even when we try to connect to it (not
> using
> > VPN). What did I missed out?
> > 
> > 
> > Any help will be appreciated. Thanks.
> > 
> > 
> > Cheers,
> > Ivan
> > 
> >
>
_______________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.ca address at
> > http://mail.yahoo.ca
> > 
> > 
> >
>
============================================================================
> > ====
> >      To unsubscribe from this mailing list, please
> > see the instructions at
> >               
> > http://www.checkpoint.com/services/mailing.html
> >
>
============================================================================
> > ====
> 
> 
>
_______________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.ca address at
> http://mail.yahoo.ca
> 
> 
>
============================================================================
> ====
>      To unsubscribe from this mailing list, please
> see the instructions at
>               
> http://www.checkpoint.com/services/mailing.html
>
============================================================================
> ====
> 
> 
>
================================================================================
>      To unsubscribe from this mailing list, please
> see the instructions at
>               
> http://www.checkpoint.com/services/mailing.html
>
================================================================================
> 


_______________________________________________________
Do You Yahoo!?
Get your free @yahoo.ca address at http://mail.yahoo.ca


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.