PDA

View Full Version : problem with accessing internet



stevenalau
2006-03-06, 11:35
have install splat on gateway server, installed Check Point SmartConsole R55 on Win 2000 server. Created 3 rules, Cleanup, Stealth, and a rule with win2000 server as source, any destination, any service, action accept. Could not access internet from win 2000 server. added rule any source, any destination, and adding services that were dropped. and still can't access the internet from win 2000 server. What I'm I doing wrong?
(i'm taking using a 15 day trial version)

kva.kva
2006-03-06, 11:40
Check that ip forwarding is enabled on windows.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters]
"IPEnableRouter"=dword:00000001

stevenalau
2006-03-06, 12:23
Thank you for the reply, I changed the setting in the registry and still have the same problem (page cannot be displayed) any other ideas i can try?

kva.kva
2006-03-07, 04:56
What do you see in SmartView Tracker?

cc790
2006-03-07, 06:44
yes the best way to is to check your tracker to see what's happen, don't forget to log it.
is your browser well configured.
May be you can do a rule where source is your server, destination is any, and VPN is any

ddarby1
2006-03-07, 09:03
A few things guys;

if the info. supplied is correct,

The IP forwarding registry setting for Windows isn't required because according to stevenalau, a SPLAT machine is configured as the enforcement module.

If the policy as specified is installed correctly, I'd want to know what the NAT rule is and that the IP address in the General Properties of the Enforcement Module is a valid internet address (not RFC 1918).

There's quite a lot of other things to ask in order to rule out what is going wrong, so if you can provide a bit more info. that would be useful, for example;

can you definitely confirm the policy has been successfully installed on the enforcement module?
what is the NAT rule?
check IP configured in general properties of enf. module is an internet address

kva.kva
2006-03-07, 09:39
The IP forwarding registry setting for Windows isn't required because according to stevenalau, a SPLAT machine is configured as the enforcement module.


Sorry, it's my mistake.

stevenalau
2006-03-07, 10:08
thank you for all the help, the ip on enforcement module was provided by my isp. I have tried automatic nat behind gateway and ive tried no nat at all. for every dropped packet in smartview tracker i added to the rule to so the packets werent dropped. each and everytime i changed the rule base i installed the policy with receiving a green checkmark showing it was installed. I will add a rule with server being destination with any as source, maybe that will work. I can ping all nick's on internal network, when I ping external nick on enforcement module (the isp ip) i get request timed out. Is their anything else I can try?

kva.kva
2006-03-07, 11:18
Check routing.

For Internet access from your LAN station you need NAT your private addresses to public addresses.

Check that you have rule for icmp from your host to your module.

And enable - log implied rules in General Properties in SmartDashboard.

stevenalau
2006-03-08, 05:20
once again thank you for all the help. thus far everything mentioned has been tried or done and i still cant access the internet from the w2k server (smartcenter server).It must be something simple I/we are over looking. It appears that I'm not able to get thru the firewall (go from inside nick to outside nick). Someone please help.

ddarby1
2006-03-08, 07:24
We're probably going to need some more specific info, but can you answer the following questions and try a couple of things(kva.kva has already mentioned a couple of points):

1) Add a security rule above the stealth rule so that the W2K machine can, for example https, sshv2, icmp echo request to the enforcement module.

Install this policy then try to ping the external IP of the enforcement module.

2) Check and confirm back here that the IP address in the General Properties of the Enforcement Module is a valid internet address (not 192.168.x, 10.x, etc.)

3) If the above is a valid internet address, make sure that your W2K machine either has the internal interface IP of the enforcement module as its default gateway, or has a static route performing the same function.

4) Feel free to post the actual IP addressing/config of your network here, not forgetting to asterisk out portions you do not want to be shown. You can also post screen shots.

Examples, ipconfig output from Windows machine, ifconfig output from console of SPLAT box, screen shots from Smart Dashboard, SmartView Tracker.

Lackie
2006-03-08, 10:40
And if we can see exactly what the traffic is doing it may help. You can run a monitor on the firewall.

fw monitor -e 'accept src=64.233.161.99 or dst=64.233.161.99;'

Then try and access the IP address in the command. This will dump to the screen any traffic going to or coming from that IP address.

stevenalau
2006-03-10, 11:03
Once again thank you for all the help. I would have gotten back yesterday but i spent all day trying to fix this problem, and still haven't.
DETAILS:
Enforcement module: SPLAT Express (Compaq Presario 5000, 256meg, 700mhz, 20gb) [just had setting around ]
external nic set to dynamic (hooked up to ISP cable modem)
IP: 68.40.217.104
DG: 68.40.216.1
SM:255.255.252.0
internal nic set to static (hooked up to W2K Smart center server)
IP: 192.168.1.1
DG: 192.168.1.254
SM:255.255.255.0
Smart Center Server: VPN-1/FW-1 Express (W2K SP4 196meg, 1000mhz, 40gb)
IP: 192.168.1.2
DG: 192.168.1.254
I've tried everything mentioned, plus a few more, still with no avail. Ran monitor on SPLAT only showed activity on the static IP's.
Ran cpinfo on SPLAT packets getting to external nic (dynamic) but not being sent out of dynamic nic.
I even opened firewall all the way up (deleted all rules except 1 which was any src, any dst, any service, accept) installed any,any,any policy. Still couldn't get out to internet or ping external nic.
I switch nic connections reinstalled SPLAT, wouldn't show eth0 as dynamic where it was static before in other words it showed the exact same hook up as before i switched connections, reset bios, reinstalled SPLAT showed exact same. Changed both nics and even changed slots, same thing, wouldn't allow me to connect to Enforcement module thru HTTPS, put connections back to original was allowed to connect thru HTTPS but when tried to install policy got error ' internal SSL error [error unknown] '. and still couldn't ping external nic (dynamic ISP)
Any ideas on what is going on?

Lackie
2006-03-10, 12:24
What is the subnet mask that you are using on the external network?

Make sure you are logging the implied rules.

If you could post the results of the monitor it may be helpful.

stevenalau
2006-03-11, 12:05
subnet mask added above. Yes log implied checked
how do i post results of monitor

Lackie
2006-03-12, 09:05
After you run it and test you can copy it from that window into here.

stevenalau
2006-03-13, 19:05
are we talking the smartview monitor or the monitor thru cpmonitor?

additional note: when all nicks are on same subnet 69.136.133.0/24 iam able to ping all nicks but cant ping beyond the nick connected to internet