Solved

Checkpoint Firewall Access-lists

Posted on 2001-09-07
Last Modified: 2013-11-16
I have FW1 running on my network. I have set up a static IP mapping from a public to private address and vice-versa for my mail server. When I set up my access list rules, do I specify

source   Dest                    Service   Action
any      mailserver -public ip   SMTP,POP3 Permit

OR

any      mailserver -private ip  SMTP, POP3 Permit

OR both?

Any advice would be great
Question by:chiggins22

Expert Comment

by:jwalsh88
ID: 6465599
Remember this: all translations happen last. So, in the rule base (security policy), if you have public addresses that need access to the server, then use its public address in the rule base. If your privately addressed hosts that need to talk with the mail server don't go through the firewall to get to the mail server (it's on the same internal network), then the first rule is all you need. If the mail server is protected by the firewall (on an additional DMZ port off the firewall), then you need another rule. I would suggest this if needed:

internal-nets  mailserver-priv  SMTP,POP3   Permit

 

Author Comment

by:chiggins22
ID: 6465628
I am more concerned with the external hosts, who need to send mail to the mailserver.  Should the access-list allow connections from any to the public address, or the private?

My internal hosts do not go through the firewall to get to the mailserver.

Accepted Solution

by:
jwalsh88 earned 50 total points
ID: 6465640
The rule should look like this to allow public access to your mail server:

any  mailsvr-pub  SMTP,POP3  Permit


Also make sure you have your static NAT mappings working correctly.
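
The order of operations described in the answers above (rule base matched first, translation last), as a small Python model. This is an added example, not part of the original thread and not Check Point code; the addresses, the `process` function and the implicit final drop are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation address ranges), not from the thread.
MAIL_PUB = "203.0.113.25"    # hypothetical public (NAT) address of the mail server
MAIL_PRIV = "10.1.1.25"      # hypothetical private address of the mail server
STATIC_NAT = {MAIL_PUB: MAIL_PRIV}   # inbound destination translation
SERVICES = {"SMTP": 25, "POP3": 110}

@dataclass(frozen=True)
class Rule:
    src: str          # "any" or a CIDR network
    dst: str          # a single host address
    services: tuple   # service names from SERVICES
    action: str       # "Permit" or "Drop"

def _src_matches(rule_src, ip):
    if rule_src == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src)

def process(rules, src, dst, port):
    """Return (action, delivered_to): rule base first, translation last."""
    for rule in rules:
        ports = {SERVICES[s] for s in rule.services}
        # The rule base sees the packet as it arrived, i.e. with the
        # untranslated (public) destination address.
        if _src_matches(rule.src, src) and rule.dst == dst and port in ports:
            if rule.action != "Permit":
                break
            # Static NAT is applied only after the packet was accepted.
            return "Permit", STATIC_NAT.get(dst, dst)
    # Assumption: anything not explicitly permitted is dropped.
    return "Drop", None

PUBLIC_RULE = [Rule("any", MAIL_PUB, ("SMTP", "POP3"), "Permit")]
PRIVATE_RULE = [Rule("any", MAIL_PRIV, ("SMTP", "POP3"), "Permit")]

if __name__ == "__main__":
    internet_host = "198.51.100.7"   # constructed external sender
    for name, rules in (("public", PUBLIC_RULE), ("private", PRIVATE_RULE)):
        print(name, process(rules, internet_host, MAIL_PUB, 25))
```

In this model an Internet host sending SMTP to the public address is permitted and delivered to the private address only when the rule names the public address; the rule written against the private address never matches the arriving packet.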
 

Author Comment

by:chiggins22
ID: 6465673
I will give it a shot - thanks
 

Author Comment

by:chiggins22
ID: 6480591
Please see my other question regarding Checkpoint