CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all, I have configured and installed the policy on the Check Point FW and allowed the webserver 192.160.4.1 to NAT to 202.44.23.22. The rule was added as follows: allow any webserver http log. I try to ping 202.44.23.22 on the webserver from outside; it succeeds, and traceroute is also OK, but I cannot access the web through the browser from outside. I don't know why; can anybody help?

I take it from this that you have created a new node object called webserver, given it an IP address of 192.168.40.1, and added an automatic Static NAT of 202.44.23.22. What do you get in SmartView Tracker? Also, is nothing else using that NAT address? It isn't the address of the Gateway, is it?

Yes, I have created a host object, 192.160.4.1; the NAT is static, 202.44.23.22; the gateway is 192.160.4.254. The IP 202.44.23.22 can be pinged from outside but web port 80 cannot be accessed. The rule is already enabled, of course!

| source | destination             | service | action |
| ------ | ----------------------- | ------- | ------ |
| any    | webserver (192.160.4.1) | http    | accept |

You need to review the log entries in SmartView Tracker. Find the entries concerning traffic coming in on this rule. Also, try to telnet to that public IP using port 80 and see if you get a connect. This could potentially be a SmartDefense issue; only the logs will tell.
__________________
There's no place like 127.0.0.1

Does the web page display correctly from your LAN? If not, can you telnet to said server on port 80 and get a connect? It sounds like the firewall is passing the traffic from the LAN since you see only accepts and no drops. To test the NAT, though, you need to hit it from outside. If the telnets do not work and the logs continue to show only accepts, the issue is with the listening port on the webserver itself.
__________________
There's no place like 127.0.0.1

I am sure the webserver is working, as our LAN zone PCs (192.160.1.x) can access it (e.g. http://192.160.4.1) without any problem; the webpage is displayed correctly. LAN zone PCs can also ping 192.160.4.1 and 202.44.23.22, but cannot open http://202.44.23.22 from the browser (it seems to time out). Something strange.

The problem was fixed. The cause was that I used a duplicate real IP for our webserver NAT; that IP was already used by another host, and I overlooked this. But I am surprised that Check Point could not verify the duplicate IP in my case. Anyway, thanks for your help.

Check Point can verify the duplicate IP address. If you define a new object with the same IP address as an existing object, then when you create the object it will say that there is an existing object, give you the name of the existing object, and ask you if you wish to continue. You can also use Query Objects and look for duplicates in there as well. What it won't do is warn if you configure multiple NATs with the same IP address, as this is valid. There is no reason why you can't have your SMTP and HTTP servers on the same public IP address, and merely use manual translation with different services to choose which of the Static NATs to apply.
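An added example (not code from the thread or from Check Point) that applies the distinction made in this last reply: given a constructed table of host objects with their real and static-NAT addresses, it flags a NAT address that is also another object's real IP (the clash that broke port 80 here) while only noting public addresses shared by several objects, which is valid when manual NAT rules select by service. Object names and addresses are constructed.

```python
from ipaddress import ip_address

# Constructed sample object table (hypothetical; not exported from any Check Point install).
# Each entry: object name, real (internal) IP, and an optional automatic static-NAT address.
OBJECTS = [
    {"name": "webserver",   "ip": "192.160.4.1",  "nat": "202.44.23.22"},
    {"name": "mailserver",  "ip": "192.160.4.2",  "nat": "202.44.23.22"},  # shared public IP: fine with service-specific manual NAT
    {"name": "legacy-host", "ip": "202.44.23.22", "nat": None},            # real address equals webserver's NAT: the clash in this thread
    {"name": "intranet",    "ip": "192.160.4.3",  "nat": "202.44.23.23"},
]


def find_nat_conflicts(objects):
    """Return (nat_object, nat_ip, owner) for every static NAT address that is
    also the real IP of a different object. Two hosts would then claim the same
    public address, which matches the symptom in this thread."""
    real_owners = {}
    for obj in objects:
        real_owners.setdefault(ip_address(obj["ip"]), []).append(obj["name"])
    findings = []
    for obj in objects:
        if not obj["nat"]:
            continue
        nat = ip_address(obj["nat"])
        for owner in real_owners.get(nat, []):
            if owner != obj["name"]:
                findings.append((obj["name"], str(nat), owner))
    return findings


def shared_nat_addresses(objects):
    """Return {nat_ip: [object names]} for public addresses used by more than one
    object. Informational only: several objects may legitimately sit behind one
    public IP when manual NAT rules distinguish them by service."""
    users = {}
    for obj in objects:
        if obj["nat"]:
            users.setdefault(str(ip_address(obj["nat"])), []).append(obj["name"])
    return {ip: names for ip, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    for nat_obj, nat_ip, owner in find_nat_conflicts(OBJECTS):
        print(f"CONFLICT: NAT {nat_ip} of '{nat_obj}' is the real address of '{owner}'")
    for ip, names in shared_nat_addresses(OBJECTS).items():
        print(f"note: {ip} is shared by {', '.join(names)} (valid only with service-specific manual NAT)")
```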