
New Checkpoint NG FP3 Install, can't get back in once out


spictacular

Technical User
Feb 18, 2003
CA
Hi, just joined, did a lot of reading and figured (hoped) that somebody could help me out with this problem....

I did a new install of CP NG FP3 on a Win2000 box. All interfaces are configured, and I only have the most basic rules installed: Mgmt Rules, Stealth, out access from LAN, cleanup rule. NAT rules are also set, only LAN to LAN keep same, and LAN to any --> FW to any ..... That is all. I can ping my internal and external interfaces on my FW. I can ping my LAN from the FW also. Now when I try to ping outside to anywhere (Internet) I get no reply. I checked the logs and can see myself doing DNS requests, trying to use a service such as MSN.... But nothing is coming back. Oh, and my mgmt rules work fine. There is no router in front of the gateway, just my cable modem. Am I missing something here? Huge thanks in advance!

Sergio
sergio3986@hotmail.com
 
Hi,

Are you able to ping an Internet IP address from the firewall? Ping only the IP address, not the FQDN. If yes, proceed with giving the DNS IP address in the firewall.

If no... check the FW default gateway for the Internet.

Second

From the LAN, check that the default gateway for the PCs is the IP address of the firewall.

If you need any further clarifications you can mail me at nagarajpandu@yahoo.com. Feel free... P.Nagaraj
nagarajpandu@yahoo.com CCSA, CCSE
 
I know in FP2 pings and traceroutes through the firewall are a real bugger to get working (I have never managed it).

But a few things to check:

In the Global Properties, check to see if you have "Accept ICMP requests" (before last).

Then you need to add ICMP to a rule to allow it through.
 
Hi, thanks for replying. Well, as it is right now I can ping both the internal and external interface of the FW. I still only have the basic rules set. I have access to the FW for management, and then for outbound I have internal LAN access to anywhere. As for NAT, I have internal to internal stay the same, and internal to anywhere NAT with the FW interface. That is all the rules I have in place. When I check the logs I can see myself going out: I can see myself doing DHCP requests, or trying to ping. But I don’t see anything coming back in. So it looks like a NAT problem somehow. I read that there are issues with Win2000, and that you have to create an ARP file. I have tried this but still no luck. I also read that there is a program called “fwparp.exe”; I tried this also and it still didn’t work. I also tried using the auto NAT in Checkpoint, but still the same results. My FW management rule works fine, and I have also added a rule for my internal LAN to be able to ping my FW and it works also. I can ping my ISP router from my internal LAN because it is on the same subnet; anything else I get no reply. Any ideas? Thanks for the feedback so far!

Sergio
sergio3986@hotmail.com
 
It sounds more like a routing problem in the ISP router.
Make sure that the router can route to your external interface. If it is in the same subnet as your internal LAN, then how do you differentiate between internal and external IP addresses?
 
General: Make ONE change at a time then push policy, keep notes on them and observe all logs & tests between each change. This WILL help to figure things out.

Also, LOG EVERYTHING, i.e. log anti-spoofing packets etc. See Global Properties | Stateful Inspection!!! Also, LOG Implied RULES in Global Properties | FW1 options.

I have a feeling that somehow antispoofing & NAT are to blame on this one.

Make sure your "anti-spoofing" settings are set correctly in the "Topology" settings of your FW object. You should set the right one to go to 'the Internet.' Also, check your Global Properties | NAT section and make sure you're using a PRIVATE IP range that it "knows" about.

If you have enabled "Automatic ARP" in the NAT Global property you should be OK too.

Also, you should realize that most cable internet providers use DHCP for the client configs.

You might have to call them up and tell them the external interface's MAC address so they can allow it out instead of your old PC.
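The replies above point at three suspects: an external interface sharing a subnet with the LAN, an anti-spoofing topology that drops the replies, and a Hide NAT address the ISP router cannot reach. The following script is an added example, not code from the thread or from Check Point; it models those three checks on a constructed topology (documentation and RFC 1918 addresses, not the poster's real ones) so you can see which one a given configuration trips.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology (not the poster's real addressing). "behind" lists
# the networks the Check Point Topology tab would define behind each interface;
# 0.0.0.0/0 stands for the interface marked "External".
INTERFACES = {
    "internal": {"addr": "192.168.1.1/24", "behind": ["192.168.1.0/24"]},
    "external": {"addr": "203.0.113.10/29", "behind": ["0.0.0.0/0"]},
}

def iface_net(cfg):
    """Subnet the interface address sits on (e.g. 203.0.113.8/29)."""
    return ipaddress.ip_interface(cfg["addr"]).network

def topology_problems(ifaces, isp_router, hide_nat_addr):
    """Sanity checks mirroring the thread's diagnosis: routing, overlap, NAT."""
    problems = []
    # Two interfaces on one subnet: neither routing nor anti-spoofing can tell
    # internal from external (the point raised in the routing reply above).
    for (na, a), (nb, b) in combinations(ifaces.items(), 2):
        if iface_net(a).overlaps(iface_net(b)):
            problems.append(f"{na} and {nb} share a subnet")
    ext = ifaces["external"]
    if ipaddress.ip_address(isp_router) not in iface_net(ext):
        problems.append("ISP router is not on the external subnet; default route unusable")
    # Hide NAT behind an address the ISP router cannot ARP for means replies
    # never come back, which matches the "nothing coming back in" symptom.
    if ipaddress.ip_address(hide_nat_addr) not in iface_net(ext):
        problems.append("Hide NAT address is outside the external subnet")
    return problems

def antispoof_verdict(ifaces, in_iface, src_ip):
    """Check Point-style anti-spoofing: a packet is accepted on in_iface only if
    its source lies in a network defined behind that interface; a source that
    belongs behind a different interface is logged and dropped as spoofed."""
    src = ipaddress.ip_address(src_ip)
    for name, cfg in ifaces.items():
        if name == in_iface:
            continue
        others = [ipaddress.ip_network(n) for n in cfg["behind"] if n != "0.0.0.0/0"]
        if any(src in n for n in others):
            return f"drop: spoofed (source belongs behind {name})"
    own = [ipaddress.ip_network(n) for n in ifaces[in_iface]["behind"]]
    return "accept" if any(src in n for n in own) else "drop: not in topology"

if __name__ == "__main__":
    print(topology_problems(INTERFACES, "203.0.113.9", "203.0.113.10"))
    print(antispoof_verdict(INTERFACES, "external", "192.168.1.50"))
```

Run it against your own interface, ISP router and NAT addresses; a "shared subnet" or "spoofed" result is the first thing to fix before touching the rulebase.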
 