Error: FW-1 at firewall: Failed to connect to the WWW server.


chunky28 (Technical User), GB - Apr 14, 2003
Hi

I have a Checkpoint Firewall - but I am experiencing problems configuring access to a website I am hosting (@
If I attempt to access it from inside my LAN I get:

'The page cannot be displayed'

But if I attempt to access it from outside my LAN I get:

'Error
FW-1 at firewall: Failed to connect to the '

The domain name is registered to the IP address of my router which forwards http requests to my webserver using NAT - via my firewall.

I have the following rules installed on the firewall:

Rule 1 (Stealth Rule):
Source - Any
Destination - Firewall
VPN - Any Traffic
Service - Any
Action - Drop
Track - Log
Install On - Policy Targets
Time - Any

Rule 2:
Source - Net_192.168.0.0 (My Network)
Destination - Any
VPN - Any Traffic
Service - Any
Action - Accept
Track - Log
Install On - Policy Targets
Time - Any

Rule 3:
Source - Any
Destination - ocsmid (my webserver)
VPN - Any Traffic
Service - SMTP
Action - Accept
Track - Log
Install On - Policy Targets
Time - Any

Rule 4:
Source - Any
Destination - ocsmid (my webserver)
VPN - Any Traffic
Service - HTTP
Action - Accept
Track - Log
Install On - Policy Targets
Time - Any

Rule 5 (catch all rule):
Source - Any
Destination - Any
VPN - Any Traffic
Service - Any
Action - Drop
Track - Log
Install On - Gateways
Time - Any

Anybody got any ideas.

Kind Regards

Charlie
 
The object for the webserver, does it have its internal IP address, i.e. 192.168.x.y?
You say you are doing NAT at the router, so there should be no NAT settings in the webserver object.

There may be a routing issue between the router and the webserver. The router will have an internal IP address in the same subnet as the external IP address of the firewall, but this will be in a separate subnet to the internal interface (and the webserver).
Are you NATing from the internal network 192.168.x.x to the outside of the firewall?

The problem for accessing from the inside of the network is possibly the same:
you are resolving the DNS, which is then passed out to the router then back in to the firewall, so giving the same problem.

Try a traceroute and see where the link is falling over.

I know I am not very clear.

But I need some more info on where NAT is going on (router, firewall),
what the IP addresses are at router, firewall (internal and external) and what the webserver's IP address is.

DON'T GIVE ME REAL IP ADDRESSES, but enough info to see your network structure.
 
The object for the webserver, does it have its internal IP address, i.e. 192.168.x.y?
You say you are doing NAT at the router, so there should be no NAT settings in the webserver object.
-----------------------------------------------------------

The router forwards http requests to a public IP address in a range given to me by my ISP (using the Netgear router's SUA Server Setup menu).

I have configured the firewall so that the webserver object hides behind this address (i.e. static NAT). Its real address is a private address, i.e. 192.168.x.x.

Hope this makes sense.

Here is how the network is setup:


Internet
|
|
Router 193.xxx.xxx.225
Subnet 255.255.255.240
|
|
Hub/Switch
|
|
193.xxx.xxx.232
Subnet 255.255.255.240

FireWall/VPN

192.168.1.1
Subnet 255.255.0.0
|
|
|
Hub/Switch - - - - 192.168.2.1
192.168.2.2
192.168.2.3
192.168.2.4
192.168.2.5
192.168.2.6
192.168.2.7 etc.
(all subnet 255.255.0.0)*

* So the webserver has one of these addresses, but the firewall is configured to hide it behind a public address in my range.

Cheers

Charlie
 
Why are you directing web requests towards the IP address of your router? You have a decent chunk of IP addresses (224 - 239) so why don't you register the as 193.xxx.xxx.235, for example, and just route that traffic straight to the firewall and use a static NAT there. At the moment you are Port Forwarding from .225 (the router) to the firewall and then doing a further NAT on the firewall. This isn't the best way to do it.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I am a novice to this. So I have it set up the way it is and it has been working until I introduced the firewall. I used assistance from various forums such as TekTips to get this working.

The firewall works fine otherwise.

Emails are even getting through to my mailserver (= same machine as the webserver). Emails are sent to my router by my ISP and forwarded to my mailserver via the firewall. It is just HTTP requests which are not getting through.

I understand what you are saying but my firewall is a software firewall installed on a Windows PC. So I think I need the router don't I?

But if you can suggest a better way of configuring it I would appreciate any tips!

Cheers

Charlie
 
Yes, you still need the router to connect your firewall to the internet. However, as you have a range of IP addresses you can now have a dedicated IP address for all your equipment. So, you might use ..

193.xxx.xxx.225 - router
193.xxx.xxx.226 - firewall external interface
193.xxx.xxx.227 - web/mail server (real address 192.168.2.10)

So, you would point at 193.xxx.xxx.227 and the MX record for your domain at this address. You then create an object for this server on the firewall with the address 192.168.2.10, for example, and on the NAT tab have a static translation to 193.xxx.xxx.227. You then create a rule that allows SMTP and HTTP from anywhere to your web/mail server object. As long as the firewall does proxy ARP for that address, your router will route traffic for 193.xxx.xxx.227 to the firewall and the firewall will NAT the traffic to the correct internal address.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Thanks Chris.

I am sure I tried this before but experienced numerous problems, but it certainly makes sense what you are saying.

Can't remember what the problem was......I think it was either a problem with my router, or my ISP wouldn't allow me to point MX records and A records to other IPs because we only have an ISDN connection. (Not sure if that makes sense, but I do remember trying to point them to other addresses in my range.) Although perhaps that was prior to introducing the firewall!! I can see what you are saying about 'Port Forwarding from .225 (the router) to the firewall and then doing a further NAT on the firewall.'

BUT
Unfortunately we only have an eval version of Checkpoint and the company have decided to ditch it and bring in a cheaper Cisco 801 router/firewall (hardware). So I've got to start from scratch configuring it!! Great!

Not even sure how this will cope with SQL*Net traffic (for Oracle).

Thanks again.

I will now try to configure this cisco box and take your advice onboard!

Cheers

Charlie
 
Right, things have changed a bit....

We decided to get a CheckPoint Safe@Office 110 appliance. It works ok except for the website access again!!

As suggested by Chris Andrew (iproute) - The domain name is currently pointing to the IP address of my firewall (193.xxx.xxx.232) rather than my router.

I have been trying to play with the settings but I can't get it to forward web requests to my webserver (193.xxx.xxx.237 - actual IP = 192.168.2.11)

The HTTP server is listening on port 7777.

I've added a Static NAT of:

WAN IP = 193.xxx.xxx.237
Internal IP = 192.168.2.11

And under servers:

I've specified 192.168.2.11 as a Web Server and Mail Server (SMTP)

I would be grateful for any help.

Thanks

Charlie
 
oh...have I misunderstood?

Should I be pointing the domain to my webserver i.e. 193.xxx.xxx.237 but just remove all NAT settings on my router?

So web requests (193.xxx.xxx.237) will go straight to the router and NAT should be performed there.

I've removed NAT settings on the router, but I also changed the A record....I shouldn't have changed the A record to point to my firewall (.231), should I?
 
You have a number of options here ..

1. Don't NAT on the router. Pass the live IP addresses through to the firewall. Point the for your domain at the firewalls address and the port forward to the web server.

2. Point the at another address and then set up a NAT rule on the firewall to NAT that other address to the private address of the server.

Also, you say that on the firewall appliance you have specified 192.168.2.11 as a mail server and web server. In this case the firewall will pass TCP 25 and TCP 80 traffic. However you say that your web server is listening on port 7777. Why?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Many thanks.

Would you advise I go for option 1 or 2 or does it make no difference?

OK I think the main issue I need to resolve therefore is port usage.

Port 7777 is the default port for Oracle Portal and Oracle HTTP Server.

I've just found a document which explains how the port can be changed to port 80. Looks like it involves quite a bit....to integrate the change with Oracle SSO

Thanks for the quick response.

Charlie
 
If you need port 7777 for Oracle then fine, use that. Just remember to create a rule on the firewall to allow this port.

As for how you do this, it's up to you. If you're not going to host many services and you have only a few IPs then port forwarding can work. If you have the available IPs then map a separate address to the server and then create the rules to allow the desired ports.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
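As an added illustration that is not from anyone in the thread: a small Python model of the five-rule policy Charlie posted, plus one static NAT entry, run against the two cases Chris raises (TCP/80 accepted by Rule 4; Oracle's port 7777 falling through to the catch-all until a rule for it is inserted). Public addresses are constructed stand-ins (198.51.100.x) for the redacted 193.xxx.xxx.x range, and "NAT first, then rulebase" is an assumption of the model, not a statement about how the appliance orders the two.

```python
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed stand-ins for the thread's objects. 198.51.100.x replaces the poster's
# redacted 193.xxx.xxx.x public range; 192.168.2.11 is the server address given in the thread.
FW_ADDRS = {ip_address("198.51.100.232"), ip_address("192.168.1.1")}  # "Firewall" object
INTERNAL_NET = ip_network("192.168.0.0/16")                           # Net_192.168.0.0
OCSMID = ip_address("192.168.2.11")                                   # ocsmid, web/mail server
STATIC_NAT = {ip_address("198.51.100.237"): OCSMID}                   # WAN IP -> internal IP
SERVICES = {"SMTP": ("tcp", 25), "HTTP": ("tcp", 80), "TCP_7777": ("tcp", 7777)}

# (rule number, source, destination, service, action) in the order Charlie posted them
RULES = [
    (1, "Any", "Firewall", "Any", "Drop"),      # stealth rule: nothing talks to the gateway itself
    (2, INTERNAL_NET, "Any", "Any", "Accept"),  # LAN may go anywhere
    (3, "Any", OCSMID, "SMTP", "Accept"),
    (4, "Any", OCSMID, "HTTP", "Accept"),
    (5, "Any", "Any", "Any", "Drop"),           # catch-all
]

# Chris's fix: a rule for the Oracle HTTP port, inserted ahead of the catch-all
RULES_WITH_7777 = RULES[:-1] + [(5, "Any", OCSMID, "TCP_7777", "Accept"),
                                (6, "Any", "Any", "Any", "Drop")]

def _match(obj, ip, is_dst):
    """Does one rule column (an object or "Any") match this address?"""
    if obj == "Any":
        return True
    if is_dst and obj == "Firewall":
        return ip in FW_ADDRS
    return ip in obj if isinstance(obj, IPv4Network) else ip == obj

def inspect(src, dst, proto, dport, rules=RULES):
    """Translate the destination through static NAT, then walk the rulebase first-match.
    Returns (rule number, action). Assumption: the rulebase sees the post-NAT destination."""
    src, dst = ip_address(src), ip_address(dst)
    dst = STATIC_NAT.get(dst, dst)
    for num, rsrc, rdst, svc, action in rules:
        if not _match(rsrc, src, False) or not _match(rdst, dst, True):
            continue
        if svc != "Any" and SERVICES[svc] != (proto, dport):
            continue
        return num, action
    raise RuntimeError("no rule matched")  # unreachable while a catch-all rule exists

if __name__ == "__main__":
    client = "203.0.113.10"  # constructed Internet client
    print(inspect(client, "198.51.100.237", "tcp", 80))    # (4, 'Accept')
    print(inspect(client, "198.51.100.237", "tcp", 7777))  # (5, 'Drop'): no rule for Oracle's port
    print(inspect(client, "198.51.100.237", "tcp", 7777, RULES_WITH_7777))  # (5, 'Accept')
    print(inspect(client, "198.51.100.232", "tcp", 80))    # (1, 'Drop'): A record at the firewall itself
```

The last case shows what the model says happens when the domain's A record points at the firewall's own address rather than at the NATed server address: the stealth rule answers first.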
 
I think I'll look into changing the port. Otherwise the port will need to be specified when anyone attempts to access our site.

Many thanks again. This may take a while to sort as the weekend is approaching. I'll update the thread if I experience further probs.

I will mark your posts as valuable once it's sorted!

Cheers

Charlie
 