
Nokia IP350


sinyce (IS-IT--Management), May 27, 2002, US
Help this is killing me:

Just bought a Nokia IP350 with 4 interfaces
ISP gives me a /30 block IP

LAN1 172.17.30.0
Mailserver
Clients
NT Server DNS

LAN2 172.17.31.0
Clients

I've got DNS to work.

How do I get HTTP? HTTPS?

I can't get any web pages.
Clients configured: Default G/W is the FW interface

Rules:

Any FW [http, https] Accept log

What am I missing? Do I need a Webserver?
Can I set up the FW to do proxy?
What is the downside to that?
Do I need more routable IP addresses from my ISP?

Running NGAI


Any help is great help.


 
You need a rule to allow your network to do HTTP/HTTPS, not the firewall!!

Note: You will need to create a network object with an automatic NAT rule to NAT to the firewall's external address.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 

I wouldn't use valid external IP addresses for your internal networks.
Use a reserved range:
10.0.0.0
or
192.168.0.0

Then use NAT at the firewall to conceal these addresses behind valid ones.

Create network objects that cover your client groups.
Then in the groups set NAT (I would recommend hide NAT with one of your free IP addresses).


For your mail server you will need to use a static NAT with one of your ISP addresses.

If you have multiple client address ranges they will need NAT set up on each, but then create a simple group for all client ranges and use this in your rules.

Rules:
source - Dest - service - Action - Track
DNS_Servers - any - DNS - accept - log
client_network - any - HTTP,HTTPS - accept - log
Mail_server - any - smtp - accept - log
any - mail_Server - smtp - accept - log

For the DNS servers the destination can be set to your ISP servers.
If you are wanting your DNS servers updated from your ISP servers then you will need a rule to allow that.
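To show concretely why the original "Any -> FW, http/https" rule never matched the clients' browsing traffic, while the "client_network -> any" rule above does, here is a small first-match rulebase evaluator with a toy hide-NAT table. This is an added example written for this thread, not code from any poster or from Check Point; the LAN ranges are the ones in the question, while the firewall's external address (203.0.113.2), the web server (198.51.100.80) and the port numbers are constructed placeholders from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Union

ANY = "any"
Selector = Union[str, ipaddress.IPv4Network, ipaddress.IPv4Address, tuple]

# Constructed values for this example. The LAN ranges come from the thread;
# the firewall's external address and the web server are hypothetical
# placeholders taken from the RFC 5737 documentation ranges.
LAN1 = ipaddress.ip_network("172.17.30.0/24")
LAN2 = ipaddress.ip_network("172.17.31.0/24")
FW_EXTERNAL = ipaddress.ip_address("203.0.113.2")
WEB_SERVER = ipaddress.ip_address("198.51.100.80")


@dataclass(frozen=True)
class Rule:
    source: Selector
    dest: Selector
    services: Tuple[str, ...]
    action: str          # "accept" or "drop"


def matches(selector: Selector, addr: ipaddress.IPv4Address) -> bool:
    """Does a rule column (network object, node, group or 'any') cover addr?"""
    if selector == ANY:
        return True
    if isinstance(selector, tuple):               # a group of objects
        return any(matches(s, addr) for s in selector)
    if isinstance(selector, ipaddress.IPv4Network):
        return addr in selector
    return addr == selector


def evaluate(rules, src: str, dst: str, service: str):
    """First matching rule wins. No match means the implicit cleanup drop,
    which is what the original poster's browsers were running into."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(rules, start=1):
        if matches(rule.source, s) and matches(rule.dest, d) and service in rule.services:
            return rule.action, number
    return "drop", None


class HideNat:
    """Many-to-one (hide) NAT: every internal host leaves with one external
    address; the source port is rewritten so replies can be mapped back."""

    def __init__(self, hide_addr, internal_nets, first_port=10000):
        self.hide_addr = ipaddress.ip_address(hide_addr)
        self.internal_nets = internal_nets
        self.next_port = first_port
        self.table = {}          # translated port -> (original ip, original port)

    def outbound(self, src, sport):
        ip = ipaddress.ip_address(src)
        if not any(ip in n for n in self.internal_nets):
            return str(ip), sport          # not an internal host; leave untouched
        port = self.next_port
        self.next_port += 1
        self.table[port] = (str(ip), sport)
        return str(self.hide_addr), port

    def inbound(self, dport):
        """Reverse translation for a reply; None if no session opened it."""
        return self.table.get(dport)


# Rule the original poster had: it allows traffic TO the firewall, not THROUGH it.
OP_RULES = [Rule(ANY, FW_EXTERNAL, ("http", "https"), "accept")]

# The corrected rule from the replies: client networks to anywhere.
FIXED_RULES = [
    Rule((LAN1, LAN2), ANY, ("http", "https"), "accept"),
]

if __name__ == "__main__":
    client = "172.17.30.10"
    print(evaluate(OP_RULES, client, str(WEB_SERVER), "http"))      # ('drop', None)
    print(evaluate(FIXED_RULES, client, str(WEB_SERVER), "http"))   # ('accept', 1)
    nat = HideNat(FW_EXTERNAL, [LAN1, LAN2])
    print(nat.outbound(client, 51515))                                # ('203.0.113.2', 10000)
    print(nat.inbound(10000))                                         # ('172.17.30.10', 51515)
```

The point the evaluator makes is that a rule is matched against the packet's real destination: a browser request is headed for a web server on the Internet, so a rule whose destination is the firewall object itself is never consulted and the packet falls through to the implicit drop. The hide-NAT table shows why only one spare public address is needed for all clients, and why the mail server, which must be reachable from outside on a fixed address, needs static NAT instead.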
 
Piloria:

I'm not clear on the DNS, here are my rules for DNS:

Group: LANS= Network Obj LAN1 and LAN2
Nodes: Internal_DNS = my internal NT4 DNS Svr

Rule:

Source#Dest#Service#Action
LANS#Internal_DNS#UDP domain-udp#Accept
Internal_DNS#[Negate] LANS#dns + UDP domain-udp#Accept

Which pretty much says: Clients in LAN1 and LAN2 make DNS Queries to my Internal DNS Server. My internal Server can only make DNS Queries to the external ISP.

My internal DNS (NT4) currently forwards internal requests to my ISP servers. Is this correct? Following what you said, how do I make my DNS get updates from my ISP, and what rule do I need?

My Mail Server is NATed to a real IP address from my ISP.

Following your advice, when I configure LAN1 and LAN2 (Network Objects),
On the NAT tab:
Add Automatic Address Translation rules is checked Translation is set to hide
Hide behind Gateway is checked
Install on Gateway set to *All

Now I have one rule:
Source, Dest, Services, Action
LANS, Any, [https, http, ftp], accept

Please let me know.

Thanks a million.

sinyce





 
The DNS updates I am referring to are if you want the external ISP servers to know about your internal LAN (I am assuming you don't, so ignore this).

Your DNS rules look OK,
but rather than negate the LAN group, which allows access to any IP not on your LAN, you could narrow this to only a couple of nodes for your ISP DNS servers (but what you have works).

For the internal clients, if you have a spare valid IP address I would use this instead of hiding behind the firewall (it just makes the firewall a little more invisible).
 