RE: [FW1] Web server in DMZ
Hi,

I still don't see my previous mail (since Monday, today is Friday) to the mailing list, therefore I am sending it again. (This is a good mailing list except that it is slow.)

This is to thank all of you for your helpful advice; we have got the web server working now.

The problem was we thought that having a route for our web server internal IP to the DMZ interface was enough. But I guess we were wrong. Adding a route for our web server external IP to the internal IP solved the problem.

Thanks again.

Cheers,
Ivan

--- Dan Mengel <[email protected]> wrote:
>
> Ivan,
>
> The format of your static route should be as follows:
>
> route add -p <external valid IP address> mask 255.255.255.255 <internal non-routable IP address>
>
> The intent is as follows: Anything that is trying to get to that valid
> address should be forced directly to the internal IP address of the server
> in question (or the router that will get it there if a router is between the
> firewall and the destination server). Under NT 4, I also strongly recommend
> sticking to Check Point's recommended local.arp format to ensure the
> firewall is always ARPing for the external addresses in question:
>
> <external IP address><TAB><MAC address of firewall NIC answering for that address>
>
> Hope this helps.
>
> Daniel R. Mengel, MCSE, CCSE
> Lead Technologist - Data Security
> Info Systems, Inc. - www.infosysinc.com
> Balt/Wash - Central PA - Dover - Phila - Wilmington
>
> -----Original Message-----
> From: Ivan More [mailto:[email protected]]
> Sent: Thursday, June 07, 2001 6:12 AM
> To: James Clarke; [email protected]
> Subject: RE: [FW1] Web server in DMZ
>
> Hi,
>
> Thanks for the many responses, we are using FW-1 version 4.0 on NT4.
>
> Yes, we have added the route to the Route Table as below
>
> route add -p internal_ip mask 255.255.255.255 DMZ_interface metric 1
>
> We also added the arp, but we created a bat file to run during startup
> for the arp (we run this bat file before we do the test, will there be a problem)
>
> arp -s external_ip Mac address FW1_external_ip
>
> We do not have a local.arp file in the c:\winnt\fw\state directory, can we
> just create it and input the Web server External_ip and the Mac address
> of the FW external_ip.
>
> We are using Stat NAT.
>
> How would I check if the FW-1 is answering the ARP request for the NATed address?
>
> We are still unsuccessful. What else did we miss?
>
> Cheers,
> Ivan
>
> --- James Clarke <[email protected]> wrote:
> > Have you set up the static route and the local.arp file to reflect the
> > internal static NAT? Also what platform are you on?
> >
> > James.
> >
> > -----Original Message-----
> > From: Ivan More [mailto:[email protected]]
> > Sent: 05 June 2001 11:00
> > To: [email protected]
> > Cc: [email protected]
> > Subject: [FW1] Web server in DMZ
> >
> > Hi,
> >
> > We are trying to set up a web server in the DMZ for public access. But we
> > are not successful.
> >
> >        Internet
> >        ********
> >            |
> >            |
> >      -----------
> >      |         |
> >      |         |           -----   DMZ
> >      |   FW    |-----------|   |   web server
> >      |         |           -----   internal IP 10.1.1.100
> >      |         |                   external IP
> >      -----------
> >            |
> >            |
> >         ******
> >         Office
> >
> > In our rule base we have
> >
> > source    destination    service
> > Any       Web server     http
> >           NAT to
> >           external IP
> >
> > We did not see any traffic connecting to this web server even when we try
> > to connect to it (not using VPN). What did I miss out?
> >
> > Any help will be appreciated. Thanks.
> >
> > Cheers,
> > Ivan

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
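
The misconfiguration resolved in this thread, as an added example that is not part of the original messages: a small Python check that every static NAT pair has both a local.arp entry in the `<external IP><TAB><MAC>` format and a host route from the external IP to the internal IP. The external address 192.0.2.10, the DMZ interface 10.1.1.1 and the MAC are constructed placeholders, and accepting either `:` or `-` as the MAC separator is an assumption; the server is assumed to be directly attached, with no router in between.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.I)
ROUTE_RE = re.compile(r"^route\s+add\s+(?:-p\s+)?(\S+)\s+mask\s+(\S+)\s+(\S+)", re.I)

def parse_local_arp(text):
    """Parse '<external IP><TAB><MAC>' lines into {ip: mac}; reject anything else."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 2 or not MAC_RE.match(fields[1].strip()):
            raise ValueError(f"local.arp line {n}: expected <IP><TAB><MAC>")
        ip = str(ipaddress.IPv4Address(fields[0].strip()))  # ValueError if invalid
        entries[ip] = fields[1].strip().lower().replace("-", ":")
    return entries

def parse_host_routes(text):
    """Collect {destination: gateway} from 'route add' lines with a /32 mask."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group(2) == "255.255.255.255":
            routes[m.group(1)] = m.group(3)
    return routes

def check_static_nat(nat_map, local_arp, routes, fw_mac):
    """Return a list of problems, one per missing piece of each NAT pair."""
    arp, host_routes, problems = parse_local_arp(local_arp), parse_host_routes(routes), []
    for external, internal in nat_map.items():
        if arp.get(external) != fw_mac.lower():  # fw_mac is given in colon form
            problems.append(f"{external}: local.arp does not map it to the firewall NIC")
        if host_routes.get(external) != internal:
            problems.append(f"{external}: no host route to {internal}")
    return problems

# Constructed sample values; only 10.1.1.100 (internal IP) comes from the thread.
NAT = {"192.0.2.10": "10.1.1.100"}
FW_MAC = "02:00:00:00:00:01"
LOCAL_ARP = "192.0.2.10\t02-00-00-00-00-01\n"
# Route for the internal IP only, as first tried in the thread.
ROUTES_BEFORE = "route add -p 10.1.1.100 mask 255.255.255.255 10.1.1.1 metric 1\n"
# Adds the external-to-internal host route in the format given in the reply.
ROUTES_AFTER = ROUTES_BEFORE + "route add -p 192.0.2.10 mask 255.255.255.255 10.1.1.100\n"

if __name__ == "__main__":
    print("before:", check_static_nat(NAT, LOCAL_ARP, ROUTES_BEFORE, FW_MAC))
    print("after: ", check_static_nat(NAT, LOCAL_ARP, ROUTES_AFTER, FW_MAC))
```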