Thanks Carl,
I've done the arp commands. I'm on AIX, so I don't think that local.arp applies.
The packet is being routed correctly though. I'm able to get to the
webserver with the rule 'Any Webserver http accept'.
The dropping rule is the last rule 'any any any drop'.
> You need to have rules for the packet entering the firewall, and also for it
> leaving the FW and entering the DMZ.
Your statement above caused me to consider a solution. The object for the
webserver is natted, so I couldn't use that to allow access to the dmz after
translation, so I defined another object with the same address without nat
and added the following rule:
'(not)InternalNetwork WebserverNoNat http accept log'
Since the WebserverNoNat is a private address, it's not accessible to the
Internet.
It seems to work with Secure Client running. If I kill the Secure Client, I
can't get to the webserver.
Is this how everyone else does it? Anyone see any problems with doing this?
-----Original Message-----
From: Carl E. Mankinen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 16, 2000 1:50 PM
To: Tucker, Greg
Subject: Re: [FW1] HTTP and Secure Client
Did you setup the firewall's local.arp entry for the server in the DMZ?
Keep in mind that the rules in the rule base are usually applied EITHERBOUND
in 4.1.
This means the rule base is applied as a packet enters the firewall and as
it is about to leave.
You need to have rules for the packet entering the firewall, and also for it
leaving the FW and entering the DMZ.
Which rule is causing the drop in your logfile?
Try turning on logging of implicit rules if it's a rule zero error.
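The eitherbound behaviour Carl describes, and the non-NAT object workaround Greg settled on, can be walked through with a small model. The following is an added illustration for this thread, not Check Point code and not anything either poster wrote: it applies a first-match rule base once on the inbound pass (before static NAT, so the NATted Webserver object matches its real address) and once on the outbound pass (after translation, where only an object holding the private address can match). All addresses, object names and the INTERNAL_NET prefix are constructed for the example.

```python
# Constructed model of an FW-1 4.1 "eitherbound" rule base with static
# destination NAT. Added illustration for this thread, not Check Point code.
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges.
WEB_REAL = "203.0.113.10"     # public address the Webserver object is NATted to
WEB_PRIVATE = "192.0.2.10"    # DMZ address behind the static NAT
INTERNAL_NET = "10.0.0."      # prefix standing in for the InternalNetwork object


@dataclass
class Rule:
    src: str      # "any", "not-internal", or a network object name
    dst: str      # "any" or a network object name
    svc: str      # "any" or a service name such as "http"
    action: str   # "accept" or "drop"
    name: str     # label reported in the trace, like a log entry's rule column


# Network objects: name -> the address the object matches on the wire.
# The NATted Webserver object matches its *real* address, so it only
# matches before translation; WebserverNoNat holds the private address.
OBJECTS = {
    "Webserver": WEB_REAL,
    "WebserverNoNat": WEB_PRIVATE,
}


def src_matches(rule_src, src_ip):
    if rule_src == "any":
        return True
    if rule_src == "not-internal":          # models '(not)InternalNetwork'
        return not src_ip.startswith(INTERNAL_NET)
    return OBJECTS.get(rule_src) == src_ip


def dst_matches(rule_dst, dst_ip):
    return rule_dst == "any" or OBJECTS.get(rule_dst) == dst_ip


def evaluate(rules, src_ip, dst_ip, svc):
    """One first-match pass over the rule base; returns (action, rule name)."""
    for r in rules:
        if src_matches(r.src, src_ip) and dst_matches(r.dst, dst_ip) \
                and r.svc in ("any", svc):
            return r.action, r.name
    return "drop", "rule 0 (implicit drop)"


def static_nat_inbound(dst_ip):
    """Destination NAT applied between the inbound and outbound passes."""
    return WEB_PRIVATE if dst_ip == WEB_REAL else dst_ip


def forward(rules, src_ip, dst_ip, svc):
    """Apply the rule base eitherbound: inbound pre-NAT, outbound post-NAT.

    Returns (final action, trace); each trace entry is
    (pass, destination seen by that pass, action, matching rule name).
    """
    trace = []
    action, name = evaluate(rules, src_ip, dst_ip, svc)
    trace.append(("inbound", dst_ip, action, name))
    if action != "accept":
        return "drop", trace
    translated = static_nat_inbound(dst_ip)
    action, name = evaluate(rules, src_ip, translated, svc)
    trace.append(("outbound", translated, action, name))
    return action, trace


# The rule base from the thread: accept to the NATted object, cleanup drop last.
ORIGINAL = [
    Rule("any", "Webserver", "http", "accept", "Any Webserver http accept"),
    Rule("any", "any", "any", "drop", "any any any drop"),
]

# The same rule base with the added rule for the un-NATted object.
FIXED = [
    ORIGINAL[0],
    Rule("not-internal", "WebserverNoNat", "http", "accept",
         "(not)InternalNetwork WebserverNoNat http accept"),
    ORIGINAL[1],
]

INTERNET_CLIENT = "198.51.100.7"   # constructed Internet source address

if __name__ == "__main__":
    for label, rule_base in (("original", ORIGINAL), ("with NoNat rule", FIXED)):
        result, trace = forward(rule_base, INTERNET_CLIENT, WEB_REAL, "http")
        print(f"{label}: {result}")
        for hop in trace:
            print("   ", hop)
```

Running it shows the pattern from Greg's log: the inbound pass accepts on the Webserver rule, the outbound pass sees the private address, matches nothing but the cleanup rule and drops; with the WebserverNoNat rule in place the outbound pass accepts instead. The model only covers rule matching, so it says nothing about whether a source can actually route to the private address, which is the property Greg's "not accessible to the Internet" remark relies on.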
----- Original Message -----
From: Tucker, Greg <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 16, 2000 1:37 PM
Subject: RE: [FW1] HTTP and Secure Client
>
> Let me start over with this:
>
> I am trying to get Secure Client working.
> I've set up a webserver on a DMZ that is statically natted to a real address
> on the Internet.
>
> I have two rules:
> SecureClientUsers@Any Firewall FW1_pslogon ClientEncrypt Long
> SecureClientUsers@Any WebServer http ClientEncrypt Long
>
> When I try to browse the webserver from an address on the internet,
> Authentication occurs and I get the following in the log:
> decrypt http Internetaddress Webserver(Real address)
> drop http Internetaddress Webserver(Private address)
> decrypt FW1_pslogon Internetaddress Firewall(ExternalInterface)
> drop http Internetaddress Webserver(Private address)
> drop http Internetaddress Webserver(Private address)
> drop http Internetaddress Webserver(Private address)
>
> What am I missing?
>
>
> Configuration details:
> I'm running the fw and manager on the same box at 4.1 Build 41716 [VPN +
> DE].
> The Policy Server is defined to be this box.
> The Secure Client is running on an NT 4.0 box with build 4157.
> Gui is Version 4.1 Build 41710.
>
> Properties:
> 'Respond to Unauthenticated Topology Requests' is checked.
> 'Desktop Does Not Invalidate' is checked.
> 'Allow All'
> All of the boxes under 'Desktop Configuration Verification Options' are
> checked.
>
> The firewall object has FWZ checked with Key Manager and DH Key generated
> and Encapsulation checked. Exportable for Secure Remote is checked.
> The encryption domain is defined as two networks that include the real
> addresses and the private addresses of static natted addresses.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================