Routing problem

Status
Not open for further replies.

JH24

MIS
Jun 18, 2001
68
GB
I have an NT4 Server with Checkpoint firewall on it acting as a Webserver.
It has 3 network cards in it, one as the LAN card, the second as the Internet card and the third as the DMZ card.

I am trying to route some traffic through the LAN card to the DMZ card, but all that ever happens is the traffic goes to the Internet card and tries to route out over the Internet.
I am using static routes and there is a route that says
0.0.0.0 mask 0.0.0.0 through the Internet card.

I have put another route in to tell it to use the DMZ card for the network I am trying to route to.

After this did not work I then changed the METRIC value of the 0.0.0.0 mask 0.0.0.0 route to 2; this still has not solved the problem.

Does anyone have any ideas what I am doing wrong?

Thanks

 
First of all, please remove the web server from your firewall. It really defeats the purpose of a firewall to run any service other than the proxies on a firewall. If someone compromises your web server, they just bypassed your firewall as well.

As far as your routing is concerned, once you add the DMZ NIC and assign it an IP address, the system should add a route to your routing table showing the subnet assigned to your DMZ, with that interface as UG.

The route 0.0.0.0 mask 0.0.0.0 is your default route, and should be the last entry in the table. Basically, this says that if a route hasn't been matched yet, then send it out this interface. I am not sure how your Metric became 2 though. The default route's metric should always be 1.

But firewalls are kludgy about adding routes. Some only allow changes to the routing tables at install, to avoid having a hacker compromise your firewall and reroute traffic to some undesirable place.

Why don't you issue the route /print command and paste the output here so that we can comment more thoroughly. Obviously you should replace your true network addresses with something that is less readily identifiable.

pansophic
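The route selection pansophic describes (most specific route wins, default route last, metric only as a tie-breaker) can be checked against a pasted `route print` table. The following is an added example, not code from the thread or from Checkpoint; the table text, interface names and addresses are all constructed sample data.

```python
import ipaddress

# Constructed sample of an NT4 `route print` style table for a host with three
# NICs, in the shape the thread describes: LAN, Internet and DMZ, a default
# route with metric 2, and a route for the DMZ subnet. All addresses are
# RFC 1918 / documentation ranges, not the poster's real networks.
ROUTE_PRINT = """\
Network Address          Netmask  Gateway Address        Interface  Metric
        0.0.0.0          0.0.0.0      203.0.113.1      203.0.113.5       2
      127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.1.0    255.255.255.0      192.168.1.1      192.168.1.1       1
     172.16.5.0    255.255.255.0       172.16.5.1       172.16.5.1       1
"""

# The Interface column holds the IP address of the NIC; map it to a name
# (assumed mapping for the sample table).
IFACES = {"203.0.113.5": "Internet", "192.168.1.1": "LAN", "172.16.5.1": "DMZ"}


def parse_route_print(text):
    """Parse route-print style lines into (network, gateway, interface, metric).

    Lines without five columns, or whose first two columns are not a valid
    address/netmask pair (the header line), are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append((net, parts[2], parts[3], metric))
    return routes


def select_route(dst, routes):
    """Pick the route an IP stack would use for dst.

    Longest matching prefix wins; the metric only breaks ties between routes
    of equal prefix length. That is why changing the default route's metric
    to 2, as in the thread, changes nothing for a /24 DMZ route: the /24
    either exists and wins outright, or it is missing/mis-entered and the
    default route is the only match.
    """
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))


def egress_interface(dst, text=ROUTE_PRINT, names=IFACES):
    """Name of the interface a packet to dst leaves on, or None if no route."""
    route = select_route(dst, parse_route_print(text))
    if route is None:
        return None
    return names.get(route[2], route[2])


if __name__ == "__main__":
    for target in ("172.16.5.10", "192.168.1.20", "198.51.100.7"):
        print(f"{target:>14} -> {egress_interface(target)}")
```

Two failure modes are worth trying with this: delete the DMZ line and every DMZ destination falls through to the default route and leaves on the Internet NIC, which is exactly the symptom in the question; enter the DMZ route with a host mask (255.255.255.255) instead of the subnet mask and only the single address 172.16.5.0 is matched, with every real DMZ host again going out the default route.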
 
Sorry, I have just read what I put; the firewall is not acting as a Webserver at all, I was doing something on a webserver at the time of writing this.

I changed the route 0.0.0.0 mask 0.0.0.0 to Metric 2 just to see whether that would make any difference.
I am able to route traffic from the DMZ without any problems into the LAN; it is just when I am trying to route from the LAN to the DMZ.

I am now thinking that this must be caused by a rule that I can't find in the Checkpoint software, as I can't see how it can be routed one way but not the other.
 
Sounds like a rule issue to me as well. Incidentally, what are you allowing from the DMZ to the LAN? Normally you only allow the DMZ to the internet, except for maybe a backend database. Even then, you only allow the DMZ to LAN connection for the database protocol.

By the same token, I'd limit the access from the LAN to the DMZ unless there is a reason not to. You'll need to allow HTTP, maybe HTTPS, and maybe management protocols as well, but you should have to create a rule for the connection, with a source of the LAN network and a destination of the DMZ network. It sounds as if you already have the rule defined with a source of the DMZ and a destination of the LAN.

pansophic
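The rule-direction point pansophic makes, that a rule with source DMZ and destination LAN does not permit connections opened from the LAN, is easy to see with a small first-match rule-base evaluator. This is an added example, not Checkpoint's rule engine or the poster's rule base; the networks, rule names and the choice of 1433 for the "backend database" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed networks standing in for the poster's LAN and DMZ (RFC 1918
# ranges, not the real ones).
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("172.16.5.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset          # TCP destination ports; empty = any service
    action: str               # "accept" or "drop"


def decide(rules, src_ip, dst_ip, dport):
    """First-match evaluation of a new connection; unmatched traffic is dropped.

    Only the initiating packet is matched against the rule base; replies ride
    on the established connection. So a rule whose source is the DMZ and whose
    destination is the LAN says nothing about connections opened from the LAN,
    which is why DMZ -> LAN can work while LAN -> DMZ is silently dropped.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (not r.ports or dport in r.ports):
            return r.name, r.action
    return "implicit-drop", "drop"


# What the thread suggests the poster has: the DMZ may reach a LAN database.
# 1433 (MS SQL Server) is a sample port, not taken from the thread.
AS_FOUND = [
    Rule("dmz-to-db", DMZ, LAN, frozenset({1433}), "accept"),
]

# What pansophic recommends: an explicit LAN -> DMZ rule for HTTP/HTTPS.
RECOMMENDED = AS_FOUND + [
    Rule("lan-to-web", LAN, DMZ, frozenset({80, 443}), "accept"),
]


def overly_broad(rules):
    """Names of accept rules that let the DMZ into the LAN on any service.

    The advice in the thread is to allow DMZ -> LAN only for the database
    protocol; an accept rule from the DMZ into (or covering) the LAN with no
    port restriction violates that.
    """
    return [r.name for r in rules
            if r.action == "accept"
            and r.src.subnet_of(DMZ)
            and r.dst.overlaps(LAN)
            and not r.ports]


if __name__ == "__main__":
    for base, label in ((AS_FOUND, "as found"), (RECOMMENDED, "recommended")):
        print(label, decide(base, "192.168.1.20", "172.16.5.10", 80))
```

With the rule base as found, a LAN workstation opening HTTP to a DMZ host hits the implicit drop even though the DMZ can open its database connection into the LAN; adding the LAN-to-DMZ rule fixes that without widening the DMZ's reach. `overly_broad` is the audit counterpart: it flags any DMZ-sourced accept rule that is not pinned to a service.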
 
The traffic that is allowed from the DMZ to the LAN is Citrix protocols only, so that another company can connect to our Citrix servers.

The only traffic that I am going to enable from the LAN to the DMZ is HTTP & HTTPS.

I have gone through the rules with a tooth comb but can't see anything that would prevent the traffic getting through.

Later today I am going to stop the Firewall Module service and then try to route traffic; I should be able to see then if it is a rule or not.
 
Generally, only two things cause this kind of problem. One is DNS, and the other is default routes. It doesn't sound like a default route issue, because your LAN workstations must be using the firewall as the default route. And it really doesn't sound like a DNS issue either, but you could try to connect by IP address just to be sure.

Given that it is neither of these, a Firewall rule would be the obvious choice. If you can afford to shut off rules for a minute or two to do some testing, you'll find out quickly.

Is there a route in your routing tables for the DMZ network?

pansophic
 