[FW-1] Allowing incoming traffic to internal Server
I am having difficulties in setting up a DMZ and allowing access to an internal server using an NT-based FW-1 4.1 SP3.
I have attached the VPN router Ethernet port to a port on the firewall. We have agreed on a DMZ IP scheme. He has set the VPN router and I have set the firewall interface with their respective IPs (i.e. vpn = 1.1.1.2, fw = 1.1.1.3). We can ping each other's interfaces. I have set up an object in FW-1 reflecting the actual server's IP, NATed to an IP on the same subnet as the DMZ (i.e. private IP of server = 5.1.1.1, NAT = 1.1.1.4). The firewall's internal address and the internal address of the destination server are on separate subnets connected through a private frame-relay WAN. I have added a line in the local.arp file with the NAT'd server IP = 1.1.1.4 matching the MAC address of the FW DMZ interface. I have created a static route that routes traffic from the NAT'd IP to the internal interface of the FW-1.
In the logs I filter on the server object, and it does show an ICMP packet being allowed. It shows it is coming from a public IP of 208.1.1.50, destination of 1.1.1.4, but it does not show anything under the translated columns of the log. Should I not see a translated address here?
If anyone can help me on this I would appreciate it. I may be missing something. I have setups similar to this on other firewalls that seem to work just fine, but they are more outbound (i.e. internal to secure external destination), vs. outbound coming inbound across separate segments. Thanks in advance. Feel free to contact me either @ this address or @ [email protected]

David Maas
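The three pieces the post describes for a static NAT host sitting on the DMZ segment (NAT address inside the DMZ subnet, a local.arp proxy-ARP entry carrying the firewall's DMZ interface MAC, and an NT host route sending the NAT address inward, since FW-1 4.x routes on the untranslated destination) can be checked mechanically. The following is an added example, not from the post or from Check Point; the MAC, the WAN next hop and the route table are constructed placeholders.

```python
import ipaddress

# Constructed sample of the setup in the post (FW-1 4.1 on NT). The MAC and
# the WAN next hop are placeholders, not values from the post.
DMZ_NET = ipaddress.ip_network("1.1.1.0/24")
FW_DMZ_MAC = "00-AA-BB-CC-DD-01"   # placeholder MAC of the firewall's DMZ interface
SERVER_NAT = "1.1.1.4"             # valid (NAT) address of the internal server
WAN_NEXT_HOP = "10.0.0.1"          # placeholder router toward the frame-relay WAN

# Constructed local.arp content: "<valid IP> <MAC that should answer ARP for it>"
LOCAL_ARP = """
# proxy-ARP entries for static NAT addresses
1.1.1.4 00-aa-bb-cc-dd-01
"""

# Constructed host routes as they would appear in `route print`: (dest, mask, gateway)
ROUTES = [
    ("1.1.1.4", "255.255.255.255", "10.0.0.1"),
]


def parse_local_arp(text):
    """Return {ip: MAC} from local.arp, skipping comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()
        entries[ip] = mac.upper()
    return entries


def check_static_nat(nat_ip, dmz_net, fw_dmz_mac, local_arp, routes, wan_next_hop):
    """Run the three consistency checks; returns {check name: passed}."""
    arp = parse_local_arp(local_arp)
    host_routes = {(dst, mask): gw for dst, mask, gw in routes}
    return {
        # the VPN router can only ARP for the NAT address if it is on the DMZ subnet
        "nat_ip_in_dmz": ipaddress.ip_address(nat_ip) in dmz_net,
        # proxy-ARP: the firewall's DMZ interface must answer for the NAT address
        "local_arp_entry": arp.get(nat_ip) == fw_dmz_mac.upper(),
        # the OS routes on the untranslated destination, so a /32 route for the
        # NAT address must point toward the internal network, not out the DMZ
        "host_route_inward": host_routes.get((nat_ip, "255.255.255.255")) == wan_next_hop,
    }


if __name__ == "__main__":
    for name, ok in check_static_nat(SERVER_NAT, DMZ_NET, FW_DMZ_MAC, LOCAL_ARP, ROUTES, WAN_NEXT_HOP).items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```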