Thanks for everyone's help... really appreciate it. It's up and running
now.
My mistake... I had created an object for the real IP... and then
statically NAT'd it to the fake LAN IP. When I reversed this and
removed my manually entered route ("route add -p x.x.x.228
172.16.2.77")... and installed the policy, it worked fine.
Thanks again.
wayne_clemit AT lineone DOT net wrote:
Hi Darren,
Have you added an ARP entry for the "External" IP address on your firewall
(or are you using automatic ARP or a Local.ARP file?) Also, have you created
a static NAT rule to translate / hide your internal server behind?
Probably best to create an object using the internal IP address
of your server then adding a static NAT IP address in the
object properties.
Hope this helps..
Wayne.
-- Original Message --
Date: Mon, 26 Jul 2004 22:21:07 -0700
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
From: Darren Grant <darren.grant AT DISCOVERYSOFTWARE DOT COM>
Subject: [FW-1] Routing
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
If anyone could let me know what we did wrong, I'd appreciate it.
We have a Windows 2000 Server(SP4) with checkpoint firewall-NG(FP3)
running a DMZ (about a dozen real IP's) and an internal NAT'd LAN
(172.16.x.x).
We have a web server in our internal LAN (172.16.2.77). We want to open
up outside access to that box, without moving it into the DMZ.
What we did...
On the firewall server we created an object using a real IP address
(x.x.x.228) from our DMZ range. Next we created a rule allowing
incoming HTTP and ICMP traffic to that object. We installed the
policy. Then we opened a command prompt and created a route using:
route add -p x.x.x.228 172.16.2.77
Using the log tracker, we can see the incoming packets (ping and http)
destined for the real IP (x.x.x.228) get to the firewall (they're
green)... but that's it... nothing seems to get routed on to the
internal web server... or get back.
Is there something really stupid we didn't do? Any help would be
greatly appreciated.
Thanks,
Darren
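The advice above (object built from the internal address, static NAT address in the object's NAT properties, ARP for the external address on the firewall) and the inverted object Darren describes in his follow-up can be modelled to show why one works and the other does not. The following is an added example written for this page; it is not code from the thread or from Check Point. It assumes the behaviour of automatic static NAT as the thread relies on it: packets arriving for the translated address get their destination rewritten to the object's address, and packets leaving the object's address get their source rewritten to the translated address. The public address x.x.x.228 is written as 203.0.113.228 (documentation range) and the client address is constructed.

```python
"""Model of automatic static NAT as used in the thread (added example).

Assumptions (not verified against Check Point code): an object's General-tab
address is its "real" address, the NAT-tab address is the "translated"
address, and automatic static NAT generates one inbound destination rule and
one outbound source rule from that pair.  Addresses: 203.0.113.228 stands in
for the thread's x.x.x.228; 198.51.100.10 is a constructed outside client.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.228"   # the "real IP" taken from the DMZ range
SERVER_IP = "172.16.2.77"     # the internal web server from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # e.g. "tcp/80" or "icmp"


@dataclass(frozen=True)
class NatRule:
    match_field: str    # "src" or "dst"
    match_ip: str
    rewrite_field: str  # which header field to rewrite on a match
    new_ip: str


def automatic_static_nat(object_ip, translated_ip):
    """Rules generated for an object whose General-tab address is object_ip
    and whose NAT-tab (static) address is translated_ip."""
    return [
        NatRule("dst", translated_ip, "dst", object_ip),  # inbound: public -> object
        NatRule("src", object_ip, "src", translated_ip),  # outbound: object -> public
    ]


def translate(rules, pkt):
    """Apply the first matching NAT rule to a packet (first match wins)."""
    for r in rules:
        if getattr(pkt, r.match_field) == r.match_ip:
            return replace(pkt, **{r.rewrite_field: r.new_ip})
    return pkt


def inbound_reaches_server(rules, client="198.51.100.10", proto="tcp/80"):
    """True if a request to PUBLIC_IP lands on SERVER_IP and the reply leaves
    again with PUBLIC_IP as its source, i.e. the full round trip works."""
    request = translate(rules, Packet(client, PUBLIC_IP, proto))
    if request.dst != SERVER_IP:
        return False  # packet stays addressed to the firewall itself
    reply = translate(rules, Packet(SERVER_IP, client, proto))
    return reply.src == PUBLIC_IP


def translated_ips_needing_arp(rules, firewall_interface_ips):
    """Translated addresses the firewall must answer ARP for (Local.ARP or
    automatic ARP), because no firewall interface actually owns them."""
    owned = set(firewall_interface_ips)
    return {r.new_ip for r in rules if r.rewrite_field == "src"} - owned


# Wayne's advice: object = internal server, NAT address = public IP.
CORRECT = automatic_static_nat(SERVER_IP, PUBLIC_IP)
# Darren's first attempt: object = public IP, NAT address = internal server.
INVERTED = automatic_static_nat(PUBLIC_IP, SERVER_IP)

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("inverted", INVERTED)):
        print(name, "http:", inbound_reaches_server(rules),
              "icmp:", inbound_reaches_server(rules, proto="icmp"),
              "needs ARP for:", translated_ips_needing_arp(rules, {"203.0.113.1"}))
```

With the inverted object, a packet for the public address matches neither generated rule, so it is logged as accepted at the firewall but never rewritten toward 172.16.2.77, which is the symptom in the original post. The ARP check is the other half of Wayne's question: with the correct object the public address is not bound to any firewall interface, so the firewall has to be made to answer ARP for it.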
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================