Re: [FW-1] Migration Headache
If you think it is a routing issue confirm the following registry entry:
In location
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value for IpEnableRouter should be set to 1 (not zero)
Andy
At 08:35 AM 10/25/01, Firewall-1 (Joe Voisin) wrote:
How are you handling your mail? Does your mail server have its own external IP address? (I have about 6 addresses I can use. I assigned one just to the mail server)
Make sure that you ARP the IP address onto the Ethernet adapter. In Windows it's probably just adding it in the network config. For me, on AIX, I had to use the ARP command to add it. Because the firewall itself has to respond to the IP address, it has to know that it is supposed to do so.
Access Rules:
ANY       MAIL_EXT  SMTP  ACCEPT
MAIL_INT  ANY       SMTP  ACCEPT
NAT Rules:
INT_NET   INT_NET   ANY   ORIGINAL  ORIGINAL  ORIGINAL
!INT_NET  MAIL_EXT  SMTP  ORIGINAL  MAIL_INT  ORIGINAL
MAIL_INT  ANY       SMTP  ORIGINAL  MAIL_EXT  ORIGINAL
Oh yeah, something that bit me in the butt. If you use your Firewall IP address as the address for your mail server.. make sure that you put the SMTP accept rule above the firewall stealth rule.... Ya know, the "ANY FIREWALL DROP ALERT" rule.
I don't know if any of this is even your problem, but I like to at least try and help. :)
Joe
======================================================================
Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
www.engelmachinery.com | [email protected]
======================================================================
-----Original Message-----
From: Hanke, Eric [mailto:[email protected]]
Sent: Wednesday, October 24, 2001 5:12 PM
To: [email protected]
Subject: [FW-1] Migration Headache
Hello list:
Tried a migration (fresh install) of FW-1 4.1 last night on a Windows 2000 SP 2 Compaq Proliant 1600. Thought the install went well until my users were not able to receive any e-mail; sending e-mail was ok.
Here is a quick Config rundown:
Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR SP2)
Checkpoint FW-1 on the GUI Client and Management Module (Windows 2000 SVR SP2)
This was a fresh install. I opted to manage my routes manually; I already had a text printout of the routes from my NT 4.0 Firewall-1 (4.0).
Basically the first few rules look as such
Firewall -----> Management Accept
Management -----> Firewall Accept
ANY -----> SMTP_SVR(NAT'ed) Accept
SMTP_SVR(NAT'ed) -----> Outside_world Accept
I also had the necessary DNS rules installed so the Mail server could do a DNS lookup. The strange thing is that on the Log you could see the Firewall pass the request from the public IP of the SMTP server to the NAT'ed address but the SMTP server never received the e-mail.
I think this is a routing problem; I am new to routing with Windows 2000. Any ideas or a thought on what to look at next is greatly appreciated.
Eric
Eric M Hanke
Senior Network Engineer
Tempel Steel Company
Magnetic Steel Laminations for the Electronic and Electrical Industries
Phone
Andy Druda
Network & Communications Manager
Wagner College
Staten Island, New York 10301
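The rule-order point in Joe's quoted message (SMTP accept above the stealth rule when the firewall's own address is the mail address) can be checked mechanically. The following is an added example, not part of the thread or of FireWall-1: a first-match evaluation and a shadowed-rule check over constructed rule bases. The object names FIREWALL and INTERNET_HOST and the stealth rule's service of ANY are assumptions.

```python
# Constructed rule bases as (source, destination, service, action) tuples.
# Assumption: FIREWALL doubles as the mail server's external address, and the
# stealth rule "ANY FIREWALL DROP ALERT" is modelled with service ANY.
ANY = "ANY"

STEALTH_FIRST = [
    (ANY, "FIREWALL", ANY, "DROP"),       # stealth rule
    (ANY, "FIREWALL", "SMTP", "ACCEPT"),  # inbound mail to the firewall address
    ("MAIL_INT", ANY, "SMTP", "ACCEPT"),  # outbound mail
]
SMTP_FIRST = [STEALTH_FIRST[1], STEALTH_FIRST[0], STEALTH_FIRST[2]]


def covers(rule_field, value):
    """A rule field covers a value when it is ANY or names the same object."""
    return rule_field == ANY or rule_field == value


def first_match(rules, src, dst, svc):
    """Return (index, action) of the first matching rule; implicit drop if none."""
    for i, (r_src, r_dst, r_svc, action) in enumerate(rules):
        if covers(r_src, src) and covers(r_dst, dst) and covers(r_svc, svc):
            return i, action
    return None, "DROP"


def shadowed(rules):
    """Return (later, earlier) index pairs where an earlier rule covers every
    field of a later rule but has a different action, so the later rule can
    never take effect."""
    pairs = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            fully_covered = all(covers(e, l) for e, l in zip(earlier[:3], later[:3]))
            if fully_covered and earlier[3] != later[3]:
                pairs.append((j, i))
                break
    return pairs


if __name__ == "__main__":
    for name, rules in (("stealth first", STEALTH_FIRST), ("SMTP first", SMTP_FIRST)):
        hit = first_match(rules, "INTERNET_HOST", "FIREWALL", "SMTP")
        print(name, "-> inbound SMTP:", hit, "shadowed rules:", shadowed(rules))
```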