[FW-1] Allowing incoming traffic to internal Server

I am having difficulties in setting up a DMZ and allowing access to an internal server using an NT-based FW1 4.1 SP3.
What we have is a client needing access to an internal server thru a secure VPN tunnel from the internet. The client has a border router and VPN router installed on our site with an internet circuit.

I have attached the VPN router Ethernet port to a port on the firewall. We have agreed on a DMZ IP scheme. He has set the VPN router and I have set the firewall interface with their respective IPs (i.e. vpn = 1.1.1.2, fw = 1.1.1.3). We can ping each other's interfaces.

I have in FW1 set up an object reflecting the actual server's IP, NATed to an IP on the same subnet as the DMZ (i.e. private IP of server = 5.1.1.1, nat = 1.1.1.4). The firewall's internal address and the internal address of the destination server are on separate subnets connected thru a private frame-relay WAN.

I have added a line in the local.arp file with the nat'd server ip = 1.1.1.4 matching the mac address of the FW DMZ interface.

I have created a static route that routes traffic from the nat'd ip to the internal interface of the FW1.
I have added a rule to allow any destination any (for now) into FW1.
I have rebooted the firewall. But he is unable to successfully ping the NAT'd server IP of 1.1.1.4, thus not able to access the server.

In the logs I filter on the server object, and it does show an ICMP packet is being allowed. It shows it is coming from a public IP of 208.1.1.50, destination of 1.1.1.4, but it does not show anything under the translated columns of the log.

Should I not see a translated address here?
The engineer on the other side thinks that I need to add static routes on the FW1, and all my internal routers to have his public ip (208.1.1.50) to allow traffic back out to the FW1 and the DMZ interface. I am not sure that this is necessary, or would even work. Which I did try anyway.

If anyone can help me on this I would appreciate it. I may be missing something. I have setups similar to this on other firewalls that seem to work just fine, but they are more outbound (i.e. internal to secure external destination), vs outbound coming inbound across separate segments.

Thanks in advance. Feel free to contact me either @ this address or @ [email protected]

David Maas
iSKY, Inc.
Manager of Information Systems
Sr. Systems/Security/Network Engineer
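The post above configures four pieces that have to agree for a FW-1 4.1 static NAT address on a DMZ leg: the NAT object, the local.arp proxy-ARP entry, the host route on the firewall, and the rule. The consistency check below is an added example, not code from the post or from Check Point; it models those pieces with the post's DMZ addresses and flags the mismatches that leave a NAT'd address unreachable. The MACs, the internal interface 10.0.0.1/24 and its next hop 10.0.0.254 are invented for the sample.

```python
import ipaddress

def check_static_nat(interfaces, nat_ip, local_arp, routes):
    """Return findings for a FW-1 4.1 static NAT address on a DMZ leg.

    interfaces: [(name, ip, prefix_len, mac)]   firewall interfaces
    nat_ip:     the NAT'd address presented on the DMZ (1.1.1.4 in the post)
    local_arp:  {nat_ip: mac} mirroring the entries in local.arp
    routes:     {destination_ip: next_hop} host routes on the firewall
    """
    findings = []
    pub = ipaddress.ip_address(nat_ip)
    nets = {name: ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            for name, ip, plen, _ in interfaces}
    # 1. The NAT address must fall inside exactly one firewall interface subnet.
    on = [name for name, net in nets.items() if pub in net]
    if len(on) != 1:
        return [f"{nat_ip} is not on exactly one firewall subnet"]
    dmz = on[0]
    dmz_mac = next(mac for name, _, _, mac in interfaces if name == dmz)
    # 2. It must not reuse an address already bound to an interface.
    if any(ip == nat_ip for _, ip, _, _ in interfaces):
        findings.append(f"{nat_ip} collides with an interface address")
    # 3. Proxy ARP: local.arp must answer for it with that interface's MAC,
    #    otherwise the peer never learns where to send frames for it.
    mac = local_arp.get(nat_ip)
    if mac is None:
        findings.append(f"no local.arp entry for {nat_ip}")
    elif mac.lower() != dmz_mac.lower():
        findings.append(f"local.arp MAC for {nat_ip} is not {dmz}'s MAC")
    # 4. FW-1 4.1 applies destination NAT after the OS routing decision, so
    #    the host route for the NAT address must leave via a non-DMZ interface.
    nh = routes.get(nat_ip)
    if nh is None:
        findings.append(f"no host route for {nat_ip}")
    elif ipaddress.ip_address(nh) in nets[dmz]:
        findings.append(f"route for {nat_ip} points back out {dmz}")
    return findings

# Constructed sample mirroring the post's DMZ addresses; the MACs, the
# internal interface 10.0.0.1/24 and its next hop 10.0.0.254 are invented.
INTERFACES = [("dmz", "1.1.1.3", 24, "00:00:5e:00:53:01"),
              ("int", "10.0.0.1", 24, "00:00:5e:00:53:02")]

def run_example():
    """Return (findings for a consistent setup, findings for a broken one)."""
    good = check_static_nat(INTERFACES, "1.1.1.4",
                            {"1.1.1.4": "00:00:5e:00:53:01"}, {"1.1.1.4": "10.0.0.254"})
    bad = check_static_nat(INTERFACES, "1.1.1.4",
                           {"1.1.1.4": "00:00:5e:00:53:02"}, {"1.1.1.4": "1.1.1.3"})
    return good, bad
```

The broken case uses the internal interface's MAC in local.arp and routes the NAT'd address back onto the DMZ, which produces two findings; the consistent case produces none.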
   All contents © 2004 Network Presence, LLC. All rights reserved.