CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi,

Originally I did static NAT for a webserver, i.e. 1.1.1.80 > 192.168.1.80. Things were working fine before: users from the Internet or the internal network could reach the webserver through the real IP "1.1.1.80".

Recently I changed to use port address translations:

| Original SRC | Original DST | Original SERVICE | Translated SRC | Translated DST | Translated SRV |
|---|---|---|---|---|---|
| Any | 1.1.1.80 | 80 | Original | 192.168.1.80 | Original |
| Any | 1.1.1.80 | 5900 | Original | 192.168.1.59 | Original |

After that, users from the Internet can reach the webserver, but users in the internal segment 192.168.1.x cannot reach the webserver via the real IP "1.1.1.80".

Could any expert give a hand on this, and is it possible to explain why?

Thanks a lot.

Regards,

I'm assuming the previous NAT method was automatic. If that was the case, the firewall automatically creates ARP entries for the public address. If you have disabled the automatic NAT from the object, then these advertisements will no longer be in effect.

To re-enable the HTTP access, try adding the automatic static NAT back to the web server object. Don't delete your PAT entries, though. (I'm assuming these are above all your other rules.) Since the NAT rules are read from top to bottom, your PAT rules should work fine. You should see the access to the web server via the public address now work OK.

Hi,

First of all, thanks for your reply. However, it still doesn't work after I enabled the automatic NAT for the webserver. Maybe I should provide more details:

Network:

- firewall lan: 192.168.1.1/24
- firewall wan: 1.1.1.254
- router: 1.1.1.1

NAT:

| src | dst | srv | tsrc | tdst | tsrv | |
|---|---|---|---|---|---|---|
| any | 1.1.1.80 | 80 | orig | 192.168.1.80 | orig | |
| any | 1.1.1.80 | 5900 | orig | 192.168.1.59 | orig | |
| 192.168.1.80 | any | any | (s)192.168.1.80 | orig | orig | <- automatic rule |
| any | 192.168.1.80 | any | orig | (S)192.168.1.80 | orig | <- automatic rule |
| 192.168.1.0 | 192.168.1.0 | any | orig | orig | orig | <- automatic rule |
| 192.168.1.0 | any | any | orig | (H)192.168.1.0 | orig | <- automatic rule |

Rules:

| src | dst | srv | action |
|---|---|---|---|
| any | 1.1.1.80 | 80, 5900 | permit |
| 192.168.1.0 | any | any | permit |

Please kindly advise.

Regards,

OK, I see what I forgot to mention. Try adding a rule that looks like this:

| src | dst | service | action | track |
|---|---|---|---|---|
| any | 192.168.1.80 | HTTP | accept | log |

You'll need to do this since NAT occurs first. This should help.

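The thread does not spell out why internal clients lose access once the manual translation rules are in place. As an added illustration (not code or output from the thread, from Check Point, or from any poster), the Python model below evaluates the NAT rulebase posted above top to bottom, the way the first reply describes, and flags the case where a destination translation leaves an internal client and the translated server on the same LAN segment while the client's own address stays untranslated. Assumptions that are not from the thread: the automatic hide rule is taken to hide the LAN behind the firewall's WAN address 1.1.1.254 (the post only shows "(H)192.168.1.0"), the web server's two automatic static rules are left out of the model, and the extra "hairpin" rule that hides internal clients behind the firewall's LAN address 192.168.1.1 is a commonly used remedy shown for comparison, not something the thread recommends.

```python
# Added example: first-match evaluation of the NAT rulebase posted in the thread.
# Not Check Point code. Hide address 1.1.1.254 and the hairpin rule are assumptions.
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")  # internal segment from the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str                 # "any", a host, or a CIDR
    dst: str
    service: Optional[int]   # None = any port
    tsrc: Optional[str]      # None = "orig" (leave the source as is)
    tdst: Optional[str]      # None = "orig" (leave the destination as is)


def _covers(field: str, addr: str) -> bool:
    """True when a rule field ("any", a host or a CIDR) covers an address."""
    return field == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


def first_match(rulebase: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """NAT rules are read top to bottom; the first matching rule wins."""
    for rule in rulebase:
        if (_covers(rule.src, pkt.src) and _covers(rule.dst, pkt.dst)
                and rule.service in (None, pkt.dport)):
            return rule
    return None


def translate(rulebase: List[NatRule], pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Apply the winning rule; "orig" fields keep the packet's own value."""
    rule = first_match(rulebase, pkt)
    if rule is None:
        return pkt, None
    return replace(pkt, src=rule.tsrc or pkt.src, dst=rule.tdst or pkt.dst), rule.name


def hairpin(original: Packet, translated: Packet) -> bool:
    """Flag a destination-only translation that puts client and server on the same LAN.

    The server then answers the client directly instead of via the firewall, so the
    client gets a reply from 192.168.1.80 for a connection it opened to 1.1.1.80.
    """
    return (original.dst != translated.dst
            and original.src == translated.src
            and ipaddress.ip_address(translated.src) in LAN
            and ipaddress.ip_address(translated.dst) in LAN)


# The rulebase as posted: manual PAT rules above the automatic network rules.
POSTED = [
    NatRule("pat-http", "any", "1.1.1.80", 80, None, "192.168.1.80"),
    NatRule("pat-vnc", "any", "1.1.1.80", 5900, None, "192.168.1.59"),
    NatRule("lan-to-lan no-nat", "192.168.1.0/24", "192.168.1.0/24", None, None, None),
    NatRule("lan hide", "192.168.1.0/24", "any", None, "1.1.1.254", None),  # assumed hide address
]

# Assumed remedy (not from the thread): a more specific rule placed ABOVE pat-http that
# also hides internal clients behind the firewall's LAN address, so replies return via it.
HAIRPIN_FIX = NatRule("hairpin-http", "192.168.1.0/24", "1.1.1.80", 80, "192.168.1.1", "192.168.1.80")
FIXED = [HAIRPIN_FIX] + POSTED


def trace(rulebase: List[NatRule], pkt: Packet) -> Tuple[Optional[str], Packet, bool]:
    """Return (winning rule name, translated packet, hairpin flag) for one packet."""
    translated, name = translate(rulebase, pkt)
    return name, translated, hairpin(pkt, translated)


if __name__ == "__main__":
    # Constructed sample clients: one on the Internet, one on the internal segment.
    for label, rb in (("posted rulebase", POSTED), ("with hairpin rule", FIXED)):
        for pkt in (Packet("2.2.2.2", "1.1.1.80", 80), Packet("192.168.1.50", "1.1.1.80", 80)):
            print(f"{label}: {pkt} -> {trace(rb, pkt)}")
```

For the Internet client the posted rulebase behaves as the poster observed: pat-http rewrites the destination and the reply path runs back through the firewall. For the internal client the same rule wins, but only the destination changes, so the server's reply goes straight across the LAN and never reaches the firewall that holds the translation state. Because the first matching rule wins, the comparison rulebase changes the outcome only if the more specific hairpin rule sits above pat-http.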