hmmm let me try to decipher.
Everyone can go out on the 10.10.10.x network to the internet, no restrictions.
You have setup a web server and want to provide inbound http access to it.
 
A few facts:
* Hide mode NAT (I assume what you are using for outbound connectivity) does not allow for reverse connections (initiated by the outside)
* You will have to use static NAT for access to your internal http host.
 
do the following:
1) Create a host (workstation) on the fw management server, make sure it is set as static NAT, with a valid external address
2) Use the host in a rule, to allow access to it- ie  ANY  WWW_SERVER   HTTP  ALLOW
3) Let the firewall proxy arp for this device, either via local.arp, or static route on downstream router
4) Put a static route on your firewall, to let the firewall know which internal host to send the packet to- ie
route add -p 200.200.200.200 10.10.10.10
 
 
Your last question is answered by the above statements, you **hopefully** will only be using three addresses of your external class C (254 possible addresses) - I am assuming the most basic setup!
 
1) Router/Gateway Nic IP address
2) Firewall External NIC IP address
3) IP Address for the Internal host (external)
 
Thomas
-----Original Message-----
From: Flavio Muscetra [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 16, 2000 8:59 AM
To: [EMAIL PROTECTED]
Subject: [FW1] Routing before FW-1 Installation

I have a NT box with FW-1 installed.
 
Actually I have 3 ethernet adapters, but there seem to be some problems.
The third ethernet card was added after the FW-1 installation.
 
The actual FW-1 configuration allows PCs behind the FW on the net 10.10.10.x to connect to the Internet without restrictions. When I tried to allow HTTP connections from Internet to one PC on the 10.10.10.x net it doesn't work. I used as public IP the ethernet public adapter IP.
I think the problem is in the NT routing configuration and not in FW-1 configuration.
I'm also lost as to why you have two different NICs on the same network. You may want to move one of them to a DMZ- ie- 
192.168.x.x or 172.16.x.x 
 
I'll try to describe the system:
 
ethernet1 (public interface 199.199.199.111) net 199.199.199.x (C-class)
ethernet2 (private interface 10.10.10.1)  net 10.10.10.x (C-class)
ethernet3 (private interface with the same ip of the public net) net 199.199.199.x (C-class)
 
Which is the correct NT-routing table between these ethernet adapters?
Is it possible to use the same C-Class for the Internet and the third private ethernet adapter (not using the same IPs)?
 
Any help is welcome!
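The following is an added illustration, not part of either message and not FW-1 code, of the two points the reply makes: hide-mode NAT has no state for a connection nobody inside opened, so an unsolicited inbound HTTP packet cannot be translated, while static NAT maps one external address to one internal host in both directions; and because the firewall routes on the address as it arrives, the host route `route add -p 200.200.200.200 10.10.10.10` is what steers the packet to the web server instead of the default gateway. The addresses 200.200.200.200, 10.10.10.10, 199.199.199.111 and 10.10.10.1 come from the thread; the default gateway 199.199.199.1, the outside client 8.8.8.8 and the hide-NAT port pool are assumed. Proxy ARP (step 3 of the reply) is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "199.199.199.111"   # firewall public interface (from the thread)
NAT_IP = "200.200.200.200"        # static NAT address used in the reply
WEB_SERVER = "10.10.10.10"        # internal web server used in the reply


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class HideNat:
    """Many-to-one ('hide') NAT: all inside hosts share EXTERNAL_IP.
    Translation state exists only for flows started from the inside, so an
    inbound packet that matches no recorded flow cannot be delivered."""

    def __init__(self):
        self.flows = {}           # external port -> (internal ip, internal port)
        self.next_port = 10000    # assumed start of the hide-NAT port pool

    def outbound(self, pkt, sport):
        ext_port = self.next_port
        self.next_port += 1
        self.flows[ext_port] = (pkt.src, sport)
        return Packet(EXTERNAL_IP, pkt.dst, pkt.dport), ext_port

    def inbound(self, pkt):
        flow = self.flows.get(pkt.dport)
        if flow is None:
            return None           # unsolicited: nothing to translate to
        internal_ip, internal_port = flow
        return Packet(pkt.src, internal_ip, internal_port)


class StaticNat:
    """One-to-one NAT: a fixed external address is rewritten to a fixed
    internal host (and back on the way out), so no prior state is needed."""

    def __init__(self, mapping):
        self.in_map = dict(mapping)                      # external -> internal
        self.out_map = {v: k for k, v in mapping.items()}  # internal -> external

    def inbound(self, pkt):
        if pkt.dst not in self.in_map:
            return None
        return Packet(pkt.src, self.in_map[pkt.dst], pkt.dport)

    def outbound(self, pkt):
        return Packet(self.out_map.get(pkt.src, pkt.src), pkt.dst, pkt.dport)


class RoutingTable:
    """Longest-prefix-match table over (network, gateway) pairs."""

    def __init__(self, routes):
        self.routes = [(ip_network(n), g) for n, g in routes]

    def lookup(self, dst):
        addr = ip_address(dst)
        matches = [(n, g) for n, g in self.routes if addr in n]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


BASE_ROUTES = [
    ("199.199.199.0/24", "199.199.199.111"),  # directly connected public net
    ("10.10.10.0/24", "10.10.10.1"),          # directly connected private net
    ("0.0.0.0/0", "199.199.199.1"),           # default gateway (assumed)
]
# The persistent host route from the reply: route add -p 200.200.200.200 10.10.10.10
HOST_ROUTE = ("200.200.200.200/32", "10.10.10.10")


def inbound_http(nat, routes):
    """Run one unsolicited HTTP packet from the Internet at NAT_IP through the
    routing table and the NAT. Returns (internal destination or None, gateway
    chosen for the untranslated address)."""
    pkt = Packet("8.8.8.8", NAT_IP, 80)   # constructed outside client
    gateway = RoutingTable(routes).lookup(pkt.dst)
    translated = nat.inbound(pkt)
    return (translated.dst if translated else None), gateway


if __name__ == "__main__":
    print("hide NAT, host route  :", inbound_http(HideNat(), BASE_ROUTES + [HOST_ROUTE]))
    print("static NAT, no route  :", inbound_http(StaticNat({NAT_IP: WEB_SERVER}), BASE_ROUTES))
    print("static NAT, host route:", inbound_http(StaticNat({NAT_IP: WEB_SERVER}), BASE_ROUTES + [HOST_ROUTE]))
```

Running it shows all three outcomes side by side: with hide NAT the packet has no translation at all; with static NAT but no host route it is translated yet the firewall would forward the original 200.200.200.200 to the default gateway, i.e. back out the public side; only static NAT plus the host route yields both the translation to 10.10.10.10 and a next hop on the inside.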
 
