You haven't mentioned anything about creating a NAT for this object. If the
packets get to your server looking for the REAL destination address, your
server is going to drop them with the assumption they are for someone else.
Whether you leave the routing statement in or not depends on whether you
perform your NATs client side or server side. With client side, the NAT
will happen, and then regular routing will occur, sending the packet to the
NAT'd destination. If you are using server side NAT the route will be
required. Otherwise the packet will be sent toward your DMZ and then NAT'd.
Mike Feetham
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Darren Grant
Sent: Tuesday, July 27, 2004 1:21 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Routing
If anyone could let me know what we did wrong, I'd appreciate it.
We have a Windows 2000 Server (SP4) with Check Point Firewall-1 NG (FP3)
running a DMZ (about a dozen real IPs) and an internal NAT'd LAN
(172.16.x.x).
We have a web server in our internal LAN (172.16.2.77). We want to open
up outside access to that box, without moving it into the DMZ.
What we did...
On the firewall server we created an object using a real IP address
(x.x.x.228) from our DMZ range. Next we created a rule allowing
incoming HTTP and ICMP traffic to that object. We installed the
policy. Then we opened a command prompt and created a route using:
route add -p x.x.x.228 172.16.2.77
Using the log tracker, we can see the incoming packets (ping and http)
destined for the real IP (x.x.x.228) get to the firewall (they're
green)... but that's it... nothing seems to get routed on to the
internal web server... or get back.
Is there something really stupid we didn't do? Any help would be
greatly appreciated.
Thanks,
Darren
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================