Re: [FW-1] Migration Headache



If you think it is a routing issue, confirm the following registry entry:

In location

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

Value for IpEnableRouter should be set to 1 (not zero)


Andy
At 08:35 AM 10/25/01, Firewall-1 (Joe Voisin) wrote:

How are you handling your mail?  Does your mail server have its own external IP address?  (I have about 6 addresses I can use.  I assigned one just to the mail server)

Make sure that you ARP the IP address onto the Ethernet adapter. In Windows it's probably just adding it in the network config.  For me, on AIX, I had to use the ARP command to add it.  Because the firewall itself has to respond to the IP address, it has to know that it is supposed to do so.

 

 

Access Rules:

ANY           MAIL_EXT      SMTP          ACCEPT
MAIL_INT      ANY           SMTP          ACCEPT

NAT Rules:

INT_NET       INT_NET       ANY           ORIGINAL             ORIGINAL             ORIGINAL
!INT_NET      MAIL_EXT      SMTP          ORIGINAL             MAIL_INT             ORIGINAL
MAIL_INT      ANY           SMTP          ORIGINAL             MAIL_EXT             ORIGINAL

 

 

 

 

Oh yeah, something that bit me in the butt.  If you use your Firewall IP address as the address for your mail server.. make sure that you put the SMTP accept rule above the firewall stealth rule.... Ya know, the  "ANY    FIREWALL    DROP    ALERT"  rule.

 

I don't know if any of this is even your problem, but I like to at least try and help.  :)

 

Joe

 

======================================================================

Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.

www.engelmachinery.com | [email protected]

======================================================================

 

-----Original Message-----
From: Hanke, Eric [mailto:[email protected]]
Sent: Wednesday, October 24, 2001 5:12 PM
To: [email protected]
Subject: [FW-1] Migration Headache

 

Hello list:

 

Tried a migration (fresh install) of FW-1 4.1 last night on a Windows 2000 SP 2 Compaq Proliant 1600.  Thought the install went well until my users were not able to receive any e-mail, sending e-mail was ok.

 

Here is a quick Config rundown:

 

Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR SP2)

 

Checkpoint FW-1 on the GUI Client and Management Module (Windows 2000 SVR SP2)

 

This was a fresh install.  I opted to manage my routes manually; I already had a text printout of the routes from my NT 4.0 Firewall-1 (4.0)

 

Basically the first few rules look as such

 

Firewall                         ----->     Management     Accept

Management                 ----->     Firewall             Accept

ANY                             ----->     SMTP_SVR(NAT'ed)      Accept

SMTP_SVR(NAT'ed)      ----->     Outside_world    Accept

 

I also had the necessary DNS rules installed so the Mail server could do a DNS lookup.  The strange thing is that on the Log you could see the Firewall pass the request from the public IP of the SMTP server to the NAT'ed address but the SMTP server never received the e-mail. 

 

I think this is a routing problem; I am new to routing with Windows 2000.  Any ideas or a thought on what to look at next is greatly appreciated.

 

Eric

 

 

Eric M Hanke

Senior Network Engineer

Tempel Steel Company

Magnetic Steel Laminations for the Electronic and Electrical Industries

Phone

 




Andy Druda
Network & Communications Manager
Wagner College
Staten Island, New York 10301
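
The rule-ordering point raised in the thread (an SMTP accept rule placed below the stealth rule never fires when the mail address is the firewall's own IP), shown as an added example that is not part of the original messages or of FireWall-1 itself. It models a top-down, first-match rulebase; the addresses are constructed placeholders and the default drop when nothing matches is an assumption of this model.

```python
# Added example: first-match evaluation of a rulebase, top-down.
# Addresses are constructed placeholders (RFC 5737 documentation ranges).
ANY = "ANY"
FIREWALL = "192.0.2.1"      # constructed: firewall IP also used for mail
SENDER = "198.51.100.7"     # constructed: some external mail relay


def matches(field, value):
    """A rule field matches if it is ANY or equals the packet's value."""
    return field == ANY or field == value


def first_match(rules, src, dst, service):
    """Return (rule_number, action) of the first rule matching the packet."""
    for number, (r_src, r_dst, r_svc, action) in enumerate(rules, start=1):
        if matches(r_src, src) and matches(r_dst, dst) and matches(r_svc, service):
            return number, action
    return None, "DROP"     # assumed default when no rule matches


def shadowed(rules):
    """Return (later, earlier) rule numbers where the earlier rule matches
    every packet the later rule could match, so the later one never fires."""
    def covers(a, b):
        return all(x == ANY or x == y for x, y in zip(a[:3], b[:3]))

    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                hits.append((j + 1, i + 1))
                break
    return hits


# Stealth rule above the SMTP accept rule: inbound mail is dropped.
stealth_first = [
    (ANY, FIREWALL, ANY, "DROP"),
    (ANY, FIREWALL, "smtp", "ACCEPT"),
]
# SMTP accept rule above the stealth rule, as suggested in the thread.
smtp_first = list(reversed(stealth_first))

if __name__ == "__main__":
    for name, rules in (("stealth first", stealth_first), ("smtp first", smtp_first)):
        print(name, first_match(rules, SENDER, FIREWALL, "smtp"), shadowed(rules))
```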


 