Firstly, a timely warning - you should obfuscate 'real' IP addresses,
as this information should not be broadcast on a public mailing list
such as this - you never know who is watching.
I'm a bit confused - are your Web and DB servers multi-homed, and how
(multiple cards, or multiple IPs per card)? How many interfaces are
on your firewall?
If possible, I would use the following config:

    [Internet]
        |
    [Firewall] ---- [DMZ Net (192.168.X.0)]
        |
    [Internal Net (10.10.X.0)]

This way you will not need to set up specific routes. You *will* have
to set up rules to allow access though:
1. On your Web server object, add a static NAT rule to the public IP
   address; you will also have to set up a proxy ARP entry on the
   firewall, so that the firewall answers ARP requests for the IP
   address.
2. Add the following or similar rules:
   <internal machine> <db server> <sql*net or similar> <allow>  - to allow data uploads
   <internal machine> <web server> <ftp> <allow>  - to allow content updates
   <any> <web server> <http> <allow>  - to allow people to get to the machine
Alternatively, you can leave the machines in the Internal Net, and
NAT between their internal net IP addresses and the external
addresses. I wouldn't recommend this option as a matter of course,
but it can be used if money / equipment is limited.
Have you checked your logs to see what is happening? Are your gateway
settings correct?
-----Original Message-----
From: Rodrick Brown [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 12 October 2000 1:43 p.m.
To: Little, Craig (SSI-GRPO52)
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] Nat Confusion
Sorry, but I'm still lost.
Here is my setup:

    [Internet]
        |
    [CheckPoint - Solaris FireWall Box]
        |                         |
    [WebServer 192.168.0.2]   [DB Server 192.168.0.3]
        |_________________________|
      10.X.1                   10.X.2

This is my exact setup.
I have my security policy defined and working.
I just need to know how to set up Checkpoint to say: hey, I know that
host 206.65.184.34 is my web server, let me route it to 192.168.0.2,
and the same for my DB machine.
You're telling me I can accomplish this with static routes??
My setup is exactly how it's shown above.
From what I'm reading, do I need to do this:
route add 206.65.184.34 192.168.0.2
arp -s 206.65.184.34 08:20:d0:e8:68
That's what I did, but when trying to access
206.65.184.34 it just hangs, then says it can't connect.
I don't understand how Checkpoint would know to respond to that
IP if it's not bound locally to it on one of its interfaces. Please
show me the light =( As you can see, I'm totally lost.
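As an added example (not from either poster), a small Python check for the proxy-ARP step discussed in this thread: it reads output laid out like Solaris `arp -a` and reports, for each static-NAT public address, whether the firewall holds a published ARP entry with a well-formed six-octet hardware address. The table contents and the function names are constructed for the example; only 206.65.184.34 comes from the thread.

```python
import re

# Constructed sample in the layout of Solaris `arp -a` output (not from the thread).
# Flags column: S = static entry, P = published, i.e. the firewall answers ARP for it.
SAMPLE_ARP_TABLE = """\
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   206.65.184.34        255.255.255.255 SP    08:00:20:d0:e8:68
hme0   206.65.184.35        255.255.255.255 S     08:00:20:d0:e8:68
hme0   206.65.184.36        255.255.255.255 SP    08:20:d0:e8:68
hme1   192.168.0.2          255.255.255.255       00:10:5a:11:22:33
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def valid_mac(mac):
    """True only for a full six-octet Ethernet address."""
    return bool(MAC_RE.match(mac))


def parse_arp_table(text):
    """Map IP address -> (flags, mac) from arp -a style output."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: device, ip, mask, [flags], mac; the flags column may be empty.
        if len(fields) < 4 or not IP_RE.match(fields[1]):
            continue
        flags = fields[3] if len(fields) == 5 else ""
        entries[fields[1]] = (flags, fields[-1])
    return entries


def check_proxy_arp(public_ips, arp_text):
    """Classify each static-NAT public IP by what the firewall's ARP table shows."""
    table = parse_arp_table(arp_text)
    result = {}
    for ip in public_ips:
        if ip not in table:
            result[ip] = "missing"          # nobody will answer ARP for the public IP
        elif not valid_mac(table[ip][1]):
            result[ip] = "bad_mac"          # entry exists but the hardware address is malformed
        elif "P" not in table[ip][0]:
            result[ip] = "not_published"    # static but not proxied (no 'pub' on arp -s)
        else:
            result[ip] = "ok"
    return result
```

Run it against the firewall's real `arp -a` output and the list of public addresses in your static NAT rules; anything other than "ok" explains why clients of that address see connections hang.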
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html