CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I am running NGX R62. I have 2 DMZs off my Check Point. These host ISA Server. The 2 DMZs are split between ISA's internal and external networks. CP is configured as DMZ_EXT interface 192.168.51.1, DMZ_INT 40.1.1.1. On the Topology settings I have set the External DMZ to 'External - Leads out to the internet'. For External I have set 'Internal', Specific, and selected the network subnet and ticked the 'internal leads to DMZ' checkbox. When I try to open a web page on the ISA server it shows no traffic going through Check Point to try and access the site. The GW is set to 192.168.51.1 on ISA and external DNS is set up. Do I need to set DNS up on my Nokia FW also to point externally? Any ideas as to why CP cannot see HTTP traffic from the ext_dmz? Please let me know. Cheers
Topology settings are there to provide Anti-spoofing configuration. Spoofing is basically sending packets with fake source IPs, to try and get through the firewall. For instance, sending packets from the internet to your firewall, using some internal IP address of yours as source. This is prevented by setting up the interfaces correctly. What you need to set up there is what IPs are legitimate sources on each interface. Normal configuration will be something like:
External interface to Internet: External
DMZ: Network defined...
Internal: Network defined, or if you have multiple internal networks, create them all, add them to a group and use the group here.
You should always have the "Perform check" tick as well. I'm fairly sure that on your DMZs it should be "Network defined" and your Internet interface will need to be External.
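To make the anti-spoofing rule described above concrete, here is an added example (not from the thread or from Check Point) that models per-interface topology as a lookup: the Internet interface is External, each DMZ and the LAN are "Network defined", and a packet counts as spoofed when its source is not a legitimate source for the interface it arrived on. The interface names DMZ_EXT/DMZ_INT and the 192.168.51.x and 40.1.1.x addresses follow the thread; the Internet interface name, the /24 masks and the LAN ranges are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of Check Point's per-interface topology / anti-spoofing logic.
# Not Check Point code: the interface names, masks and LAN ranges are assumptions.


@dataclass
class Interface:
    name: str
    external: bool = False                         # "External - leads out to the Internet"
    networks: list = field(default_factory=list)   # "Network defined": legitimate sources behind it
    perform_check: bool = True                     # the "Perform Anti-Spoofing" tick


def build_topology():
    """Interface layout loosely following the thread; masks and LAN ranges are assumed."""
    return [
        Interface("eth0_internet", external=True),
        Interface("DMZ_EXT", networks=[ip_network("192.168.51.0/24")]),
        Interface("DMZ_INT", networks=[ip_network("40.1.1.0/24")]),
        # Two internal networks grouped together, as the post suggests for multiple LANs
        Interface("LAN", networks=[ip_network("10.0.0.0/24"), ip_network("10.0.1.0/24")]),
    ]


def is_spoofed(topology, ingress, src):
    """True if a packet with source `src` arriving on interface `ingress` must be dropped.

    Internal interfaces accept only sources inside their defined networks; the External
    interface accepts any source that is NOT behind one of the internal interfaces.
    """
    src = ip_address(src)
    iface = next(i for i in topology if i.name == ingress)
    if not iface.perform_check:           # "Perform check" unticked: no enforcement at all
        return False
    internal_nets = [n for i in topology if not i.external for n in i.networks]
    if iface.external:
        return any(src in n for n in internal_nets)
    return not any(src in n for n in iface.networks)


if __name__ == "__main__":
    topo = build_topology()
    for ingress, src in [("DMZ_EXT", "192.168.51.22"), ("eth0_internet", "192.168.51.22"),
                         ("DMZ_INT", "192.168.51.22"), ("eth0_internet", "203.0.113.5")]:
        verdict = "DROP (spoofed)" if is_spoofed(topo, ingress, src) else "accept"
        print(f"src={src:15} in on {ingress:14} -> {verdict}")
```

A ping that arrives on DMZ_INT with a DMZ_EXT source is dropped by this check before any rule is evaluated, which is one way traffic can fail without appearing in rule logs.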
Cheers. I have set this to external, leads out to the internet. The problem I have is if I ping the CP interface 192.168.51.1, no logs show in Check Point that this is being pinged. The interface does reply. Also, from a LAN PC I try to ping 192.168.51.22, which is the server address, and I get no reply with no logging being shown. Just wondering if I have not configured something correctly on the FW? The .22 server has NATting set up to the external IP address that is used to access this server.
It can be SO many things. It can be anti-spoofing, it can be NAT changing packets, so you ping the private IP, but get the answer from the public, it can be routing... Also, a DMZ shouldn't ever, EVER lead out to the Internet. DMZs should be totally "self-contained" networks, with only one gateway, that being the firewall's interface.
Cheers, I have sorted the problem. Thanks for the advice. I have kept it as Internal. I got it working by enabling NAT on the internal network and also enabling NAT on my two external-facing ISA NICs. When I check my IP externally it is showing the NAT'd public address of the ISA servers. Cheers
Hi all, I'm having similar issues with my Check Point firewall. When I freshly installed NGX R62 without any policies set up, I can't ping FW-1, but I can ping other PCs on the same network from the firewall, and when I try to ping the firewall from other PCs it times out; but when I unchecked the Check Point/VPN Firewall in the LAN properties I could ping both ways, even by name. I tried adding rules to allow any services from the LAN to FW-1, still to no avail. Also, just by the way, I tried to add routes on the firewall using the following command: route add -p (public IP) mask 255.255.255.255 192.168.0.1 metric 1, but got some errors about not being on the same network. I'm also trying to configure a Win2K server as a VPN behind NGX. Any link to any tutorial will be appreciated. Thanks
Last edited by dav_y2k; 2007-05-16 at 11:20.