Need Urgent help with Checkpoint NG R55

Status
Not open for further replies.

mdwu

Technical User
Jul 17, 2003
98
US
This is the situation. I have 2 Terminal Servers and 1 web server inside the network. So what I did was I created 3 host objects with static NAT. I created the rule to allow incoming traffic.

The funny thing is that it works. From outside, I can see my website and am able to terminal serve to my server inside the network (behind the internal NIC). However, about 10 mins later, the connection stops and all of a sudden all the internal users cannot go out to the Internet, and now I am stuck. Help

Is it that Checkpoint thinks it's hacking and triggers blocking of all traffic from in to out?
 
What hardware/software platform is this running on?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Windows 2000. Compaq ProLiant DL360

Does this have anything to do with Hide NAT for the internal network? I read somewhere that if I do Hide NAT, then I cannot perform static NAT. Most of the reference books show how to provide outgoing services from the DMZ zone, but not from behind the internal NIC. My range of servers is 192.168.1.2 - 192.168.1.10. Does this mean when I create a network object for my internal network for Hide NAT, I have to exclude those IP addresses? I create my internal network object as 192.168.1.1 - 192.168.1.254, and at the same time, for each server from .2 to .10, I create a separate host object with static NAT.

Thanks
 
If your network object has Hide NAT applied then there is nothing stopping you from then creating objects that have a static NAT applied to them. The static NAT will override the hide NAT for the network object.

It is strange that it works for ten minutes and then stops working. What do the logs show when it stops? Is the traffic showing as being accepted by the firewall? Sounds more to do with a hardware issue maybe. Do you have to bounce the firewall to get it working again? Is the Windows box fully patched and hardened?

Chris.


 
Yep.. Windows is all patched. NG is up-to-date. It's a brand new Compaq DL360 with 1GB of memory, so I don't think it would be hardware.

So you mean the IP address for static NAT can also be part of the internal network object that is in hide mode?

Can you provide step by step instructions from creating the objects to setting the rules so I can trace if I am messing up something.

Thanks
 
If you use double IP addresses on an interface (don't know if that's it), the second IP address works sometimes and sometimes doesn't. And I don't know why, but it can be the problem!

If it's not the problem, see the log (SmartTracker) and tell us what is written.


LaNceLoT
 
Thanks LaNceLoT,

If that's the case, that means I have to adjust my object settings. Is this what I need to do?

For the object that represents the whole internal network, I will make it the range 192.168.1.41 - 192.168.1.254; this way, I can exclude the static IPs.

For each static server object, I will create it so long as the IP address is before .41.

 
This will most likely be down to your ARP cache (it has a 10 minute timeout).

When statically NATing in Firewall-1 (et al.) you need to direct the translated packet to the MAC address of the interface it is accessed by.

So you need to add a static ARP entry linking the external IP to the MAC address of the EXTERNAL card.

Then you need to route the EXTERNAL IP to the INTERNAL IP so it knows where to go once it hits the firewall.

How you do all this is dependent on your firewall hardware.

Hope this helps
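The reply above describes the failure mode: a statically NATed public address answered from a dynamic ARP entry works until the entry ages out, then goes dark. The following added check (not from the thread or from Check Point) parses Windows `arp -a` output and reports each static-NAT public address that is missing, bound to the wrong MAC, or only dynamic; the addresses, MAC and ARP table are constructed samples.

```python
"""Check that every static-NAT public address has a permanent ARP entry
bound to the external NIC's MAC (added example, sample data constructed)."""
import re

# Constructed: MAC of the firewall's external card.
EXTERNAL_NIC_MAC = "00-50-8b-aa-bb-cc"

# Constructed `arp -a` output in Windows 2000 format.
SAMPLE_ARP_A = """\
Interface: 203.0.113.2 --- 0x2
  Internet Address      Physical Address      Type
  203.0.113.1           00-0c-29-11-22-33     dynamic
  203.0.113.10          00-50-8b-aa-bb-cc     static
  203.0.113.11          00-50-8b-aa-bb-cc     dynamic
"""

# Constructed static NAT mappings: public address -> internal server.
STATIC_NAT = {
    "203.0.113.10": "192.168.1.2",  # web server
    "203.0.113.11": "192.168.1.3",  # terminal server 1
    "203.0.113.12": "192.168.1.4",  # terminal server 2
}

# One ARP row: IPv4, dash-separated MAC, entry type (static/dynamic).
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_table(text):
    """Return {ip: (mac, type)} from `arp -a` output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def check_static_nat_arp(arp_text, nat_map, ext_mac):
    """Return {public_ip: 'ok' | 'missing' | 'wrong-mac' | 'dynamic'}."""
    table = parse_arp_table(arp_text)
    status = {}
    for public_ip in nat_map:
        entry = table.get(public_ip)
        if entry is None:
            status[public_ip] = "missing"       # nobody answers ARP for it
        elif entry[0] != ext_mac.lower():
            status[public_ip] = "wrong-mac"     # answered by another host
        elif entry[1] != "static":
            status[public_ip] = "dynamic"       # will age out (~10 min)
        else:
            status[public_ip] = "ok"
    return status

if __name__ == "__main__":
    for ip, st in check_static_nat_arp(SAMPLE_ARP_A, STATIC_NAT, EXTERNAL_NIC_MAC).items():
        print(f"{ip:15} -> {STATIC_NAT[ip]:13} {st}")
```

Run it on the gateway after the translated hosts stop answering; anything reported as dynamic or missing is a candidate for the static ARP entry the reply describes.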
 