
Problem with web page access

Status
Not open for further replies.

tabularasa

Technical User
Sep 20, 2002
65
US
Hi Guys,

I'm pretty new to this Check Point stuff and was thrown into the proverbial 'pit'. I set up an IP530 with NG FP2 from scratch. This 530 has 1 LAN, 2 WANs (BGP) and 1 DMZ.

LAN = 10.10.0.0/24
DMZ = 10.10.1.0/24
WAN1= 63.x.x.x/24
WAN2= 65.x.x.x/26

The two WANs are BGPd through two Cisco 2620s in front of it with no ACLs on them.

I'm pretty sure I have NAT configured correctly, and all the network objects set up right. I am able to access the internet from the workstations on the LAN, but no one is able to access my web servers on the DMZ.

I'm pretty sure I need to add some routing statements, but I'm not sure what they are. I want users from the Internet to get on my web pages, obviously, and I also want users on the LAN to access the web pages as well.

The users on the LAN are set up to go out to the internet first, then come back in, to hit the web pages, so they can view them in 'real-time'.

Any suggestions on how to get this to work? I'm pretty sure it's the routes that I have set up wrong.

I have a gateway of last resort set up, and some routes for the internal network. That's about it. Help!

 
What rules have you got set up at the moment for access into the DMZ? With the Nokia IP530 and NG FP2 you shouldn't need to set up any routing if you are performing NAT on the client side rather than the server side. So, when traffic reaches your firewall it is NATed into the private address and then routed to the correct interface.

If someone tries to access your web server, do you see that connection attempt in the log viewer? Make sure that you turn logging on for that rule if you are going to try this.

Also, check your NAT rules just to make sure that incoming traffic for the web server's valid address is being translated to the DMZ address.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Well, let me put it this way.

I put an

Any Any Any accept,

and I still could not access my web servers from an outside network. :-(

And I don't see anything in the log viewer that is denying the traffic to the servers.
 
You may not be able to try this because of quirks in NG.
Can you do traceroutes to find the current routes being made when you try the connections?

The NAT rules should provide the required routing.
Is your web server object set to use STATIC NAT in the server object?
Or have you used some other method?

Have you set the LAN to use a network object with HIDE NAT configured within it?
 
Are you sure that the traffic destined for the web servers is being routed to the firewall? What is the so that we can have a look and see if the traffic reaches the firewall?

If you log connections to the web server and you're not seeing anything in the logs at all then your problem might lie elsewhere.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Just had another thought. For troubleshooting purposes, put the web server on the inside LAN and NAT to a LAN address (same external IP) and see if that resolves it. If it works you can then look at your DMZ config.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I think something simple is wrong.

When I do a fw stat on the 530, nothing comes up. I don't see how this is possible, because it shows on Voyager that it is up. ???

Any of you live in South Carolina and want to help? :)

How can I tell if my NG FP2 install went successfully on the 530 side?
 