Setting up DMZ

Posted on 2003-02-20
Medium Priority
Last Modified: 2010-04-11
OK, I'm in the process of building a DMZ. I have a Nokia IP330 set up with Check Point NG FP3. I need to find documents on how to build this. I've searched all through Check Point's knowledge base, and there's not enough info.

- What I need is, from the beginning, the objects I need to make (putting Exchange out there)
- The rules I need to make
- Also, I have SecuRemote users that need access to the Exchange server remotely
- I need to ensure the corporate LAN will NOT have issues getting email from the DMZ

Any help or direction to find this will be beyond GREATLY APPRECIATED.

Question by:foad

Expert Comment

ID: 7988162
I hope you don't take this the wrong way, but I really hope you're not doing this for a business, because you're basically asking for an entire setup scenario, something you should already know how to do if you are in charge of this for a company.

Secondly, what kind of a DMZ are you looking for? I would need more information. How are you wanting to lock things down? What devices do you have in your network besides Exchange? A DMZ can mean different things: you can have a dirty DMZ, you can create a sandwiched type of DMZ where you have multiple firewalls. But you pointed out you only have a single Check Point box, so what you're creating really isn't a true DMZ in the sense it's mostly used. DMZs are mostly used to segment parts of networks, more so than just the classic Internet -> LAN segment.

So what you're wanting to know is simply how to set up your firewall to separate your LAN from the Internet? Or do you have multiple boxes or other devices you can use to segment and route traffic? More info is needed here.


Accepted Solution

Gruff66 earned 800 total points
ID: 8015909
Let's start from the beginning then.
You have an external interface on the firewall, eth-s3p1c0 (probably), and an internal interface (eth-s1p4c0?). On an IP330 this will leave you with a spare interface.

In Nokia Voyager, go into Interfaces and configure the spare interface with an RFC 1918 address that does not clash with any of your internal nets (perhaps with a 24-bit mask). In the Physical Interface part of the interface, configure the speed of the interface to match the switch/hub to which the interface will connect (10/half or 100/full).

In the Interface section make sure that the interface is set to ACTIVE. When you plug it into the switch/hub you should see the link status as UP.

That's the hard bit done ;-). Next you need to decide what to put in the DMZ. I would not recommend putting a mail server in there, but instead a content-checking device such as MailSweeper.

Generally, you would configure any server in this network with a 172.16.0.x address and make its default gateway 172.16.0.y, where y is the address of the firewall interface on this network. You would then need to configure the FW software to use NAT to translate traffic. You would designate an IP address from your ISP range to the server and allow certain traffic from the Internet on a specific port to the ISP address assigned. You would then configure a NAT rule to redirect the traffic to this destination to the 172.16.0.x address.

You will need to add an ARP entry to the firewall to ensure the external interface of the firewall knows to accept the traffic, and a static route on the firewall to make sure it routes correctly. In NG FP3 these two parts can be done automatically by using Automatic NAT; although this can limit functionality, it would probably suffice in this instance.

Gimme a shout if you need anything else

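The accepted answer describes the whole build in prose: address the spare interface, put a mail relay (not Exchange itself) behind it, static-NAT an ISP address to the relay on port 25, add the ARP entry and route, and only then let the relay talk to the internal mail server. The script below is an added example, not part of the thread and not Check Point or Nokia code: it expresses the same three-legged design as Linux iptables/iproute2 commands so the flows can be read and checked in one place. Every interface name and address (eth0/eth1/eth2, 172.16.0.0/24, 192.168.10.0/24, the 203.0.113.25 public address and the 192.168.10.5 Exchange host) is an assumption chosen for illustration. One difference from Check Point is deliberate: on Linux the DNAT in PREROUTING runs before the routing decision, so no host route for the public address is required, whereas the answer's static route is needed on the Nokia box.

```shell
#!/bin/sh
# Added example (not from the original thread): a three-legged DMZ for a mail
# relay, written as iptables/iproute2 commands instead of Check Point objects.
# All names and addresses below are assumptions for illustration only.
#
# Usage: sh dmz.sh            # print the commands for review
#        sh dmz.sh | sudo sh  # apply them (Linux with iptables and iproute2)

EXT_IF="eth0"             # Internet-facing interface
INT_IF="eth1"             # corporate LAN
DMZ_IF="eth2"             # the spare interface, now the DMZ leg
DMZ_FW_IP="172.16.0.1"    # firewall address on the DMZ (the answer's 172.16.0.y)
DMZ_RELAY="172.16.0.10"   # mail relay / content filter in the DMZ (172.16.0.x)
PUBLIC_IP="203.0.113.25"  # ISP address assigned to the relay (documentation range)
LAN_NET="192.168.10.0/24" # corporate LAN (assumed)
EXCHANGE="192.168.10.5"   # internal Exchange server (assumed)

# Emit one command per line so the output can be reviewed or piped to a shell.
dmz_rules() {
    # 1. Address the spare interface (the Voyager "Interfaces" step).
    printf 'ip addr add %s/24 dev %s\n' "$DMZ_FW_IP" "$DMZ_IF"
    printf 'ip link set %s up\n' "$DMZ_IF"

    # 2. Static NAT: public address -> DMZ relay, SMTP only (the NAT rule).
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport 25 -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$PUBLIC_IP" "$DMZ_RELAY"
    #    Mail the relay sends out leaves with the public address.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$DMZ_RELAY" "$PUBLIC_IP"

    # 3. Proxy ARP so the external interface answers for the public address
    #    (the ARP entry the answer adds by hand on the Nokia box).
    printf 'ip neigh add proxy %s dev %s\n' "$PUBLIC_IP" "$EXT_IF"

    # 4. Rule base: default deny, then only the flows the design needs.
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    #    Internet -> relay, SMTP only (matches the DNAT above).
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 25 -j ACCEPT\n' \
        "$EXT_IF" "$DMZ_IF" "$DMZ_RELAY"
    #    Relay -> Exchange, SMTP only: the one DMZ-to-LAN hole, so the LAN
    #    still receives mail (the asker's last requirement).
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport 25 -j ACCEPT\n' \
        "$DMZ_IF" "$INT_IF" "$DMZ_RELAY" "$EXCHANGE"
    #    LAN -> relay, SMTP only, for outbound mail.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport 25 -j ACCEPT\n' \
        "$INT_IF" "$DMZ_IF" "$LAN_NET" "$DMZ_RELAY"
    #    Relay -> Internet, SMTP only.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p tcp --dport 25 -j ACCEPT\n' \
        "$DMZ_IF" "$EXT_IF" "$DMZ_RELAY"
    # Anything else crossing the DMZ (in particular DMZ -> LAN on any other
    # port) falls through to the DROP policy.
}

# Self-check: succeeds (exit 0) only if every rule that forwards traffic from
# the DMZ leg into the LAN is restricted to SMTP. Run it before applying.
dmz_to_lan_is_limited() {
    if dmz_rules | grep -- "-i $DMZ_IF -o $INT_IF" | grep -v -- '--dport 25' >/dev/null; then
        return 1
    fi
    return 0
}

dmz_rules
```

Review the printed commands before piping them anywhere; the proxy-ARP line in particular only makes sense when the public address is on the same Ethernet segment as the upstream router, which is the situation the answer's manual ARP entry assumes.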

Author Comment

ID: 8016556
Thanks, that's exactly what I was looking for. Works great.
