I think I have the proper rules in place to allow traffic out and inbound,
but I cannot get past the firewall from the Server and I cannot get inbound
to the server.  Maybe it is a route that I am missing or a rule.  Not sure I
want to post my complete route to the public though.... :)   Are there
specific routes that I will have to manually configure with win 2000 to make
it route to my valid IP within my DMZ?   And are there different rules than
normal that need to be placed to do the same on the checkpoint side?

I did create a NAT rule for the DMZ and of course I got out then, but I
could only go out and not in.  But I cannot use any kind of NAT to resolve
this issue with VoIP.

Maybe an example of how I kind of have it set up would be helpful in having
someone else tell me if I did something wrong in the initial setup.  Here is
what it looks like:

Let's say my valid IP subnet given to me by my ISP was 10.50.125.82/28 and I
broke that up into two /29 subnets; the first is 10.50.125.82/29 and the
second is 10.50.125.90/29.

External NIC IP = 10.50.125.82
           Subnet = 255.255.255.248
         Default GW = 10.50.125.81

Internal NIC    = 192.168.X.X
           Subnet = 255.255.255.0
         Default GW =

DMZ NIC         = 10.50.125.90
           Subnet = 255.255.255.248
         Default GW =

DMZ Server NIC  = 10.50.125.91
           Subnet = 255.255.255.0
         Default GW = 10.50.125.90

So the DMZ routes are just set up with the default ones, as I was unsure if
there were special ones I would have to create, or if there needs to be
some kind of special ARP setting to show where the DMZ subnet is pointing.

Trent
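Hal's question about the netmasks can be checked mechanically. The script below is an added example, not code from the thread: it takes the interface table posted above (the poster's own addresses and masks) and reports whether the ISP block was carved on real prefix boundaries, whether each default gateway is on-link, and whether the DMZ server and the firewall's DMZ NIC agree on the subnet they share.

```python
import ipaddress

# Constructed from the interface table posted in the thread. The addresses,
# masks and the /28 -> two /29 split are the poster's; the checks are added here.
INTERFACES = {
    "external":   ("10.50.125.82", "255.255.255.248", "10.50.125.81"),
    "dmz_fw":     ("10.50.125.90", "255.255.255.248", None),
    "dmz_server": ("10.50.125.91", "255.255.255.0",   "10.50.125.90"),
}
ISP_BLOCK = "10.50.125.82/28"
SPLIT = ["10.50.125.82/29", "10.50.125.90/29"]

def aligned(prefix):
    """Return (network, was_aligned): strict parse first, else normalise."""
    try:
        return ipaddress.ip_network(prefix), True
    except ValueError:                      # host bits set in the prefix
        return ipaddress.ip_network(prefix, strict=False), False

def audit_split(block=ISP_BLOCK, parts=SPLIT):
    """Findings on whether the ISP block was split on real prefix boundaries."""
    findings, nets = [], []
    parent, ok = aligned(block)
    if not ok:
        findings.append(f"{block} has host bits set; the block is really {parent}")
    for p in parts:
        n, ok = aligned(p)
        if not ok:
            findings.append(f"{p} has host bits set; the subnet is really {n}")
        if not n.subnet_of(parent):
            findings.append(f"{n} lies outside {parent}")
        nets.append(n)
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        findings.append(f"{nets[0]} and {nets[1]} overlap")
    return findings

def audit_interfaces(table=INTERFACES):
    """Findings on gateways and masks for each link on the firewall."""
    findings, nets = [], {}
    for name, (addr, mask, gw) in table.items():
        i = ipaddress.ip_interface(f"{addr}/{mask}")
        nets[name] = i.network
        if gw and ipaddress.ip_address(gw) not in i.network:
            findings.append(f"{name}: gateway {gw} is not on-link for {i.network}")
    # The DMZ server and the firewall's DMZ NIC share one wire: masks must agree.
    if nets["dmz_server"] != nets["dmz_fw"]:
        findings.append(f"netmask mismatch on the DMZ link: dmz_server computes "
                        f"{nets['dmz_server']} but dmz_fw is {nets['dmz_fw']}")
    return findings
```

With the posted values the split audit flags all three prefixes as not on a boundary, and the interface audit flags the /24 on the DMZ server against the /29 on the firewall's DMZ NIC.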

-----Original Message-----
From: Hal Dorsman [mailto:[EMAIL PROTECTED]
Sent: Monday, January 26, 2004 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Setting up DMZ with Win 2000 Server

>
> I took it from one /28 subnet to two /29 subnet.  It is not
> much to work
> with, but it is at least something.  The router in front of
> the firewall is
> managed by the ISP, but to my knowledge all IP's of the /28
> subnet they have
> for us should be pointing at our Firewall.

That should be an easy one to confirm by allowing ICMP, enabling
logging, and running traceroute to your firewall from an external network
such as an ISP dialup account.  Your logs should tell you what is
going out and what is coming in.  Post your route table and perhaps
someone can spot what you are not doing correctly.  Are you sure
your netmasks are correct?  Be sure you have the necessary traffic
enabled in your rulebase.

Hal

> Yes, the server in the DMZ is pointing at the firewall for
> default gateway
> and they can communicate with no problems, but nothing will
> connect to the
> server in the DMZ and the server cannot get out to the
> internet.  As for
> windump I will look into that also.
>
> I of course am new to DMZs, but any help to guide me in the
> right direction
> is greatly appreciated.  The only reason I split this is because
> someone told me I
> would have to split up my subnet to accomplish what I need to
> do.  If there
> is a way to not split it then I would be more than willing to
> look at that
> method also.  Is there possibly a website out there with some good
> documentation of setting up DMZs on Win 2K with CheckPoint?
>
> Trent
>
> -----Original Message-----
> From: Christian ALT [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 26, 2004 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] Setting up DMZ with Win 2000 Server
>
> You can do it this way. I cannot correct your configuration if
> you are not
> more specific. Although it is difficult to see how you subnetted 13 IPs.
>
> Did you think of configuring the router in front of the
> firewall, routing
> the second subnet to the firewall?
>
> Does the server in DMZ have the firewall as default gateway?
>
> To troubleshoot your issue some network traffic analysis
> could be useful;
> did you think of installing windump?
>
> Bye for now
>
> Christian ALT
>
> Telecom and Logistics Associates
> Network and Security Company
>
> Firewall-1 FAQ http://www.tla.ch/TLA/FW/FW1FAQ.html
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] Behalf Of Trent
> Libby
> Sent: lundi, 26. janvier 2004 17:37
> To: [EMAIL PROTECTED]
> Subject: [FW-1] Setting up DMZ with Win 2000 Server
>
>
> I have been tinkering with my Checkpoint firewall trying to
> get a DMZ setup
> with Valid IPs.  I have a total of 13 Valid IPs and I need
> to have one of
> my servers set up in the DMZ with a valid IP.  In trying to
> do this I split
> my Valid IPs into two subnets and assigned the 3rd NIC on the
> Checkpoint
> Server to the first valid in the second subnet I created and
> then assigned
> the server in the DMZ with the next IP in that subnet, but it
> is not working
> and I must be missing something with the route setup in Win 2000 or
> something.
>
> First of all, is this the best way to do this for Valid IPs on
> Checkpoint, and
> secondly, what am I missing to possibly get this working?
>
> Thanks,
>
> Trent
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================