Solved

Checkpoint firewall or Routing Problem?

Posted on 2004-10-15
Last Modified: 2010-04-10
I have a Checkpoint firewall running on top of a SUN server.  What I'm trying to do seems as though it should be really easy but I'm fairly new to both UNIX and Checkpoint so I can't see my mistake.  Here are the details:

1) I have a web server on my DMZ network.

2) I created two network objects: one for the external address of the web server (I called it Webserver-X) and one object for the internal address with a static mapping to one of our outside addresses (I called the object Webserver).

3) I've installed a rule in Checkpoint that says:
  SOURCE     DESTINATION     SERVICE
  Any             Webserver-X       tcp http

4) Next I add the route and bind to our outside address (I've changed the IP and HW addresses shown here to some random addresses).

route add 64.238.114.23 10.10.1.26           # host route: public address -> server's internal address (FW-1 4.x routes before it translates)
arp -s 64.238.114.23 09:00:20:ce:be:91 pub   # published (proxy) ARP entry for the public address; the MAC must be the firewall's own external-interface MAC

Internally the page works fine.  When I try to connect from outside our network, I get a "page cannot be displayed" error.   However, when I view the firewall log, I can see that my connection to Webserver-X was "accepted": the Source was some external address that I was testing from and the Destination was Webserver-X.

So I can't see why the page is not displayed.  It's like the Firewall software is okay with the connection but I've done something wrong on the underlying UNIX part... can anyone point me in the right direction?
Question by: Space2004
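An added example (not part of Space2004's post or of Frabble's replies) that checks the two OS-level pieces discussed above, the host route and the published ARP entry, against captured `netstat -rn`, `arp -an` and `ifconfig` output. The command outputs embedded below are constructed in Solaris format; the addresses are the post's placeholders, `hme0`/`hme1` are assumed interface names, and `8:0:20:ce:be:91` is an assumed external-interface MAC. The NAT rule itself lives in the policy and only shows up in the firewall log, so it is not checked here.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the OS-level parts of a
# FireWall-1 4.x static destination NAT on Solaris.  Each check reads the output
# of the named command on stdin, so it can be run against captured text here and
# against the live command on the firewall (see usage note).  Addresses are the
# thread's placeholders; interface names and the external MAC are assumptions.

# Normalise a MAC to lower-case, zero-padded octets.  Solaris ifconfig prints
# "ether 8:0:20:ce:be:91" while arp -an prints "08:00:20:ce:be:91", so a plain
# string comparison between the two reports a mismatch that is not there.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        for (i = 1; i <= NF; i++)
            printf "%s%s", (i > 1 ? ":" : ""), (length($i) == 1 ? "0" $i : $i)
        print ""
    }'
}

# Succeeds only if the I/G bit (low bit of the first octet) is clear.  A MAC
# with that bit set is a group address and cannot be an interface's address,
# so publishing it via proxy ARP can never attract the public address's traffic.
mac_is_unicast() {
    first=$(norm_mac "$1" | cut -d: -f1)
    case $first in
        *[13579bdf]) return 1 ;;
    esac
    return 0
}

# Look for a host route PUBLIC -> INTERNAL in `netstat -rn` output (columns:
# Destination Gateway Flags ...).  FW-1 4.x routes on the untranslated
# destination, so without this route the packet never reaches the DMZ host.
check_host_route() {
    awk -v pub="$1" -v gw="$2" '
        $1 == pub && $2 == gw && $3 ~ /H/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check `arp -an` output (columns: Device IP Mask Flags PhysAddr) for PUBLIC
# published (flag P) with exactly the firewall's external-interface MAC.
check_proxy_arp() {
    want=$(norm_mac "$2")
    got=$(awk -v pub="$1" '$2 == pub && $4 ~ /P/ { print $NF; exit }')
    [ -n "$got" ] && [ "$(norm_mac "$got")" = "$want" ]
}

# Run all checks against captured output; one line per check, non-zero if any failed.
nat_precheck() {
    netstat_out=$1 arp_out=$2 pub=$3 internal=$4 ext_mac=$5 rc=0
    if printf '%s\n' "$netstat_out" | check_host_route "$pub" "$internal"; then
        echo "ok    host route $pub -> $internal"
    else
        echo "FAIL  no host route $pub -> $internal (FW-1 4.x routes before it translates)"; rc=1
    fi
    if printf '%s\n' "$arp_out" | check_proxy_arp "$pub" "$ext_mac"; then
        echo "ok    $pub published with external MAC $(norm_mac "$ext_mac")"
    else
        echo "FAIL  $pub not published, or published with a MAC other than $(norm_mac "$ext_mac")"; rc=1
    fi
    if mac_is_unicast "$ext_mac"; then
        echo "ok    $ext_mac is a unicast MAC"
    else
        echo "FAIL  $ext_mac has the group bit set and cannot be an interface address"; rc=1
    fi
    return $rc
}

# --- constructed sample output, as a correctly configured firewall would show it ---
NETSTAT_RN='Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
64.238.114.23        10.10.1.26           UGH       1      0  hme1
default              64.238.114.1         UG        1   1234  hme0
10.10.1.0            10.10.1.1            U         1     50  hme1'
ARP_AN='Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   64.238.114.23        255.255.255.255 SP    08:00:20:ce:be:91
hme0   64.238.114.1         255.255.255.255       00:10:7b:aa:bb:cc'
EXT_MAC='8:0:20:ce:be:91'    # assumed external MAC, as `ifconfig hme0` prints it (unpadded)

nat_precheck "$NETSTAT_RN" "$ARP_AN" 64.238.114.23 10.10.1.26 "$EXT_MAC"
```

On the firewall the live commands are piped in instead of the samples: `netstat -rn | check_host_route 64.238.114.23 10.10.1.26` and `arp -an | check_proxy_arp 64.238.114.23 "$(ifconfig hme0 | awk '/ether/ { print $2 }')"`. The group-bit check is general hygiene rather than a diagnosis of this thread, since the poster says the MAC shown was randomised. One thing offline checks on the firewall cannot see: when a public address is reused, the router on the outside segment may still hold the earlier MAC for it in its ARP cache until that entry ages out, which is worth checking from that side before concluding the firewall is at fault.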
6 Comments
 
Expert Comment by: Frabble (ID: 12325242)

I take it, since you're having to configure a host route and add a proxy ARP entry, that you're not using automatic ARP. In which case you should also have a NAT rule that has the public address as destination and the internal address, as static, for the translated destination.
 

Author Comment by: Space2004 (ID: 12339948)

To clarify, do you mean that I need to do this at the OS level?  I have a network object in Checkpoint 4.1 that represents the internal address of the webserver and, on the NAT tab, I have a static translation to the public address.

But at the OS level the only things I have done are to add the route from the outside address to the server's internal address, with this static ARP entry...
 
Expert Comment by: Frabble (ID: 12390965)

You appear to have done the correct OS configurations.

What is also required is a NAT rule in the firewall configuration for incoming connections, which maps the public address to the internal address. The static translation you have to the public address will apply only to outgoing connections.

By enabling the translated source and destination columns, the logs should show what translation is occurring.
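Frabble's suggestion above is to enable the translated columns and read what the log actually says. This added example (not from the thread) shows what to look for in such a log: it scans a `fw logexport` dump for accepted connections to the public address whose destination was not translated to the internal host, which is the signature of an accept without a matching destination NAT. It assumes the export's `;` delimiter and a header row naming the fields `num`, `action`, `dst` and `xlatedst`; the records are constructed and the addresses are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check a `fw logexport` dump for accepted
# connections to the public address that were NOT translated to the internal
# host.  Assumed format: ';'-delimited, first line is the field header with at
# least the columns action, dst and xlatedst (num is used for reporting if
# present).  The sample records below are constructed.

check_dst_translation() {
    awk -F';' -v pub="$1" -v internal="$2" '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            # Without the translated columns in the export there is nothing to check.
            if (!("action" in col) || !("dst" in col) || !("xlatedst" in col)) {
                print "header lacks action/dst/xlatedst: export with the translated columns enabled" > "/dev/stderr"
                hdr_missing = 1; exit
            }
            next
        }
        # An accept to the public address whose xlatedst is not the internal host:
        # the packet passed the rule base but was never destination-translated.
        $col["action"] == "accept" && $col["dst"] == pub && $col["xlatedst"] != internal {
            printf "record %s: accepted to %s but xlatedst=\"%s\" (expected %s)\n",
                   ("num" in col ? $col["num"] : NR), pub, $col["xlatedst"], internal
            bad++
        }
        END { if (hdr_missing) exit 2; exit bad ? 1 : 0 }'
}

# --- constructed samples ---
LOG_HDR='num;date;time;orig;type;action;i/f_name;i/f_dir;proto;src;dst;service;rule;xlatesrc;xlatedst'
# Record 1: accept to the public address, translated to the DMZ host.
LOG_GOOD="$LOG_HDR
1;15Oct2004;10:01:02;fw1;log;accept;hme0;inbound;tcp;198.51.100.7;64.238.114.23;http;3;;10.10.1.26"
# Record 2: accepted as well, but xlatedst is empty: no destination NAT applied.
LOG_BAD="$LOG_GOOD
2;15Oct2004;10:01:09;fw1;log;accept;hme0;inbound;tcp;198.51.100.7;64.238.114.23;http;3;;"
# Export taken without the translated columns: the check refuses rather than guesses.
LOG_NO_XLATE='num;date;time;orig;type;action;src;dst;service;rule
1;15Oct2004;10:01:02;fw1;log;accept;198.51.100.7;64.238.114.23;http;3'

for sample in "$LOG_GOOD" "$LOG_BAD"; do
    printf '%s\n' "$sample" | check_dst_translation 64.238.114.23 10.10.1.26 \
        && echo "every accepted connection to 64.238.114.23 was translated to 10.10.1.26"
done
```

On the firewall the dump is produced with `fw logexport` and piped straight into the check; a record that is accepted but shows no `xlatedst` is exactly the case where the rule base is happy and the page still does not load, and it points at the NAT rule base rather than at the OS route or ARP entry.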
 

Author Comment by: Space2004 (ID: 12476414)

I had a NAT rule with static mapping configured in Checkpoint:

2) I created two network objects: one for the external address of the web server (I called it Webserver-X) and one object for the internal address with a static mapping to one of our outside addresses (I called the object Webserver).

But I've since worked around the problem by using a different outside address.  It seems like the problem is that I can't use external addresses that have been used before for something. Perhaps the old information is held in some other file that checkpoint might use to check the state of the connection.  

In any case, thanks very much to anyone who took the time to look through this issue and consider a response to me.
 

Accepted Solution

by: modulo, Community Support Moderator (ID: 12761848)

PAQed with points refunded (500)
