> I have added a line in the local.arp file with the
> nat'd server ip = 1.1.1.4 matching the mac address of the FW DMZ
> interface.

This gets mapped to the external interface of the firewall, not the DMZ interface. Regardless of which interface of the firewall the server sits off of, the firewall will always answer/send out requests from its external interface.
> I have created a static route that routes traffic from
> the nat'd ip to the internal interface of the FW1.

Static route is wrong. It should be (depending on OS) route add -p 1.1.1.4 5.1.1.1, provided that the next hop is the server and not a router/switch; otherwise it becomes the next hop.
> I have added a rule to allow any destination any (for now)
> into FW1.

Your rule should read: anyone trying to get to 1.1.1.4.
You are missing an address translation rule:

                   Original                  |                Translated
  Source        Destination     Service      |  Source          Destination       Service
  ----------------------------------------------------------------------------------------
  any           nattedip        any          |  =original       =private_ip(s)    =original
  private_ip    any             any          |  =natted_ip(s)   =original         =original
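As an added illustration (not part of either message in this thread), the following small model applies the two static NAT rows above to the packets described in the original post, using the FW-1 convention that "=original" in the Translated half leaves that field unchanged. The addresses are the ones from the thread; the log-line format is a simplification, not FW-1's real log layout.

```python
# Added example: minimal evaluator for a FW-1 style static NAT rule table.
# Rows are ((orig_src, orig_dst, orig_svc), (xlate_src, xlate_dst, xlate_svc));
# "any" matches everything, "=original" means "keep the packet's own value".
from typing import Optional, Tuple

NATTED_IP = "1.1.1.4"   # DMZ-side address of the server, from the thread
PRIVATE_IP = "5.1.1.1"  # real internal address of the server, from the thread

# The same two rows as the reply's table: inbound to the natted ip, outbound from the server.
NAT_RULES = [
    (("any", NATTED_IP, "any"), ("=original", PRIVATE_IP, "=original")),
    ((PRIVATE_IP, "any", "any"), (NATTED_IP, "=original", "=original")),
]

def _matches(pattern: str, value: str) -> bool:
    return pattern == "any" or pattern == value

def translate(src: str, dst: str, svc: str, rules=NAT_RULES) -> Optional[Tuple[str, str, str]]:
    """Return (xlate_src, xlate_dst, xlate_svc) from the first matching rule,
    or None when no rule matches, which is what empty translated log columns mean."""
    for (o_src, o_dst, o_svc), (t_src, t_dst, t_svc) in rules:
        if _matches(o_src, src) and _matches(o_dst, dst) and _matches(o_svc, svc):
            pick = lambda t, orig: orig if t == "=original" else t
            return (pick(t_src, src), pick(t_dst, dst), pick(t_svc, svc))
    return None

def log_line(src: str, dst: str, svc: str, rules=NAT_RULES) -> str:
    """Constructed log-style line: original fields, then the translated fields ("-" if none)."""
    x = translate(src, dst, svc, rules)
    return f"{src} -> {dst} {svc} | xlate: {' '.join(x) if x else '-'}"

if __name__ == "__main__":
    # Constructed sample traffic: the client's ping from the thread.
    print(log_line("208.1.1.50", NATTED_IP, "icmp"))           # with the NAT rows present
    print(log_line("208.1.1.50", NATTED_IP, "icmp", rules=[]))  # no NAT rule: what the poster saw
    print(log_line(PRIVATE_IP, "208.1.1.50", "icmp"))           # the server's reply path
```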
----- Original Message -----
Sent: Thursday, December 13, 2001 6:28 PM
Subject: [FW-1] Allowing incoming traffic to internal Server
I am having difficulties in setting up a DMZ and
allowing access to an internal server using an NT-based FW1 4.1 SP3.
What we have is a client needing access to an
internal server thru a secure VPN tunnel from the internet. The client has a
border router and vpn router installed on our site with an internet
circuit.
I have attached the vpn router Ethernet port to a
port on the firewall. We have agreed on a DMZ ip scheme. He has set the vpn
router and I have set the firewall interface with their respective ips (i.e.
vpn = 1.1.1.2, fw = 1.1.1.3). We can ping each other's interfaces.
I have in FW1 set up an object reflecting the actual
server's ip, NATed to an ip on the same subnet as the DMZ (i.e. private ip of
server = 5.1.1.1, nat = 1.1.1.4). The firewall's internal address and the
internal address of the destination server are on separate subnets connected
thru a private frame-relay wan.
I have added a line in the local.arp file with the
nat'd server ip = 1.1.1.4 matching the mac address of the FW DMZ interface.
I have created a static route that routes traffic
from the nat'd ip to the internal interface of the FW1.
I have added a rule to allow any destination any (for now)
into FW1.
I have rebooted the firewall. But
he is unable to successfully ping the nat'ed server ip of 1.1.1.4, thus not
able to access the server.
In the logs I filter on the server object, and it
does show an icmp packet is being allowed. It shows it is coming from a
public ip of 208.1.1.50, destination of 1.1.1.4, but it does not show anything
under the translated columns of the log.
Should I not see a translated address here?
The engineer on the other side thinks that I need
to add static routes on the FW1, and all my internal routers, to have his
public ip (208.1.1.50) to allow traffic back out to the FW1 and the DMZ
interface. I am not sure that this is necessary, or would even work, though I
did try it anyway.
If anyone can help me on this I would appreciate
it. I may be missing something. I have setups similar to this on other
firewalls that seem to work just fine, but they are more outbound (i.e.
internal to secure external destination), vs outbound coming inbound across
separate segments.
Thanks in advance. Feel free to contact me either @
this address or @ [email protected]
David Maas
iSKY, Inc.
Manager of Information Systems
Sr. Systems/Security/Network Engineer