Solved

Firewall: Internal and External Interfaces (How to configure?)

Posted on 2007-07-22
Medium Priority
561 Views
Last Modified: 2010-04-09
Hi Experts,

I'm setting up my firewall and am having trouble with it.  I think it is because I do not understand how to set up the internal (trusted) and external (untrusted) interfaces, specifically how to let the internal interface talk to the external interface.

Can anyone give me EXAMPLES of the values to input for the internal and external interfaces?
http://www.ftmsglobal.com/temp_stuff/sg/firewall_problems/interface_untrusted.jpg
http://www.ftmsglobal.com/temp_stuff/sg/firewall_problems/interface_trusted.jpg

What I have so far is that the IP Address of my internal interface is 192.168.42.7.  And so all the PCs in my office have the default gateway set to 192.168.42.7, and I can ping the internal interface just fine.  Problem is how to let my PCs communicate with the external interface?


Question by:jugheadyong
14 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 19542101
Please put  your firewall manufacturer and model
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 19542132
Sorry, just saw your links. Seems like you have a NetScreen. By default NetScreen won't allow anything to pass through.

You have to put rules explicitly to define what type of traffic you want to allow in each direction. Also you will need to add a default route.

I hope this helps.
0
 

Author Comment

by:jugheadyong
ID: 19543193
I do not understand anything about routes.  How do I add a default route?
0

Author Comment

by:jugheadyong
ID: 19543197
Wait, lemme put up a screenshot of my NetScreen routing table, if that will help.
0
 
LVL 1

Expert Comment

by:DVDude_1
ID: 19545178
I think he/she means that you have to add entries to your access list, i.e. specifically define what type of traffic can enter your network: http/s, ftp/s, etc.

common ports:
21 ftp
23 telnet
80 web
443 ssl
25 smtp

etc.
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 19545827
No DV, I was actually speaking of the routing table only. And yes, he needs to open the ports also for traffic to flow, as I have mentioned in my earlier post.
0
 
LVL 4

Expert Comment

by:amoldkelkar
ID: 19549034
Hi,
There are a couple of things you will have to take care of:
1. You need to enable services on your untrust interface as well.
Using the following CLI you can enable them:
"set int untrust manage"
OR if you want any specific service to be enabled then use the following CLI, for example:
"set int untrust manage ping"

2. You will have to have firewall rules set for your trust to untrust and vice versa.

Using the CLI you can set:
"set policy from trust to untrust src-add destn-add service permit"
"set policy from untrust to trust src-add destn-add service permit"

Fill in the fields:
src-add;dstn-add;service

3. Make sure you have a route set on your firewall to route the traffic properly.

Case a) If you have a route-based VPN on your firewall:
set route 'destn addr OR 0.0.0.0/0' interface tunnel.1 gateway 'next-hop'

Case b) If you don't have any VPN, then give a default route routing the whole traffic to your gateway, that's a router:
set route 0.0.0.0/0 interface 'outgoing-intf-of-firewall' gateway 'gateway-ip-addr'

My guess is if you follow the above mentioned steps you should be good to go.

Let me know if this works.

Regards,
-AK
0
 

Author Comment

by:jugheadyong
ID: 19552878
Hi gang,

Here is a screenshot of my route table.  What should I add to it?
http://www.ftmsglobal.com/temp_stuff/sg/firewall_problems/netscreen_routetable.gif

help me,
Jonah.
0
 
LVL 4

Accepted Solution

by:
amoldkelkar earned 1500 total points
ID: 19553271
Hi,
Did you try out my suggestions?
The policy rule is missing in your config.

I looked at your routing table. It looks very much fine unless you have any VPN configured on your firewall.
So as I said earlier, if there is no VPN configured then the default route which you have given is perfect.

Just add in the rule which is mentioned and also enable services on your untrust interface which is pointing towards the router.
That should be it then.
Let me know if you are stuck.

Regards,
-AK
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 19554064
No problem in the routing table. Just follow Amol... policy is the issue.
0
 

Author Comment

by:jugheadyong
ID: 19554201
I do not think it's a problem with the policies, but here it is:
http://www.ftmsglobal.com/temp_stuff/sg/firewall_problems/netscreen_outgoing.gif
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 19562343
You are right.

When you say >> "I think it is because I do not understand how to set up the internal (trusted) and external (untrusted) interfaces, specifically how to let the internal interface talk to the external interface."

do you mean that you are not able to browse or go to the internet in any way, or is there some other specific problem you are facing?

You have also mentioned >> "Problem is how to let my PCs communicate with the external interface?"

Is this meant for management purposes or something else?

0
 
LVL 4

Expert Comment

by:amoldkelkar
ID: 19562540
Hi,
How about enabling services on your untrust interface?
0
 

Author Comment

by:jugheadyong
ID: 19597501
Dear Arnold,

Actually, the problem was that I had assigned an IP to the untrust interface that was outside of the usable range assigned to me by my ISP.  But your network diagram helped a lot, and it kept me on the correct track.

Thanks a lot for your help.

Yours Sincerely,
Jonah.
0
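Pulling the thread together as an added example (not code from the thread or from Juniper/NetScreen): the accepted answer lists three pieces of ScreenOS configuration (management services on untrust, a trust-to-untrust policy, a default route), and the root cause turned out to be an untrust IP outside the ISP's usable range. This script checks the untrust address against the ISP block before rendering those commands; the ISP block 203.0.113.8/29 and gateway 203.0.113.9 are constructed values, only 192.168.42.7 comes from the question, and the outbound policy is restricted to named services with no untrust-to-trust permit, since ScreenOS already denies unmatched traffic.

```python
"""Sanity-check a NetScreen (ScreenOS) trust/untrust setup before typing it in."""
import ipaddress


def usable_untrust_ip(candidate: str, isp_block: str, isp_gateway: str) -> bool:
    """True if candidate is a host address inside the ISP block that is not the
    network, broadcast or gateway address. This is the check the asker lacked:
    an address outside the usable range will never get an ARP reply from the router."""
    net = ipaddress.ip_network(isp_block, strict=False)
    ip = ipaddress.ip_address(candidate)
    gw = ipaddress.ip_address(isp_gateway)
    if ip not in net or gw not in net:
        return False
    return ip not in (net.network_address, net.broadcast_address, gw)


def screenos_commands(trust_ip_cidr: str, untrust_ip: str, isp_block: str,
                      isp_gateway: str, services=("HTTP", "HTTPS", "DNS")) -> list:
    """Render the steps from the accepted answer as ScreenOS CLI lines:
    interface addresses, management service on untrust, an outbound policy
    per allowed service, and the default route towards the ISP router.
    Raises ValueError instead of emitting a config with an unusable untrust IP."""
    if not usable_untrust_ip(untrust_ip, isp_block, isp_gateway):
        raise ValueError(f"{untrust_ip} is not a usable host address in {isp_block}")
    prefix = ipaddress.ip_network(isp_block, strict=False).prefixlen
    cmds = [
        f"set interface trust ip {trust_ip_cidr}",
        f"set interface untrust ip {untrust_ip}/{prefix}",
        # Only ping is allowed from the outside; no web/telnet management on untrust.
        "set interface untrust manage ping",
    ]
    for svc in services:
        # Outbound only: the default ScreenOS deny covers untrust-to-trust.
        cmds.append(f"set policy from trust to untrust any any {svc} permit")
    cmds.append(f"set route 0.0.0.0/0 interface untrust gateway {isp_gateway}")
    return cmds


if __name__ == "__main__":
    # Constructed ISP values; 192.168.42.7 is the trust address from the question.
    for line in screenos_commands("192.168.42.7/24", "203.0.113.10",
                                  "203.0.113.8/29", "203.0.113.9"):
        print(line)
```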
