Home > Archive > IIS Server Security > July 2004 > Firewall-private network
Firewall-private network
Ok I am setting up a webserver and putting it behind a
firewall with a private address. I had this site
working when I had my external address, now that I put it
internal I am guessing I need to set up NAT through the
Gateway(firewall). The question is a domain service has my
top level DNS which has A, Cname, and MX records then
comes the router, gateway(firewall), and internal domain
with internal DNS. How do I get the webserver working? Is
there something I have to do on the router to tell it to
go to the gateway and look for that address, or I guess
my question is how does the gateway know to pick up that
IP and tell it to go to the internal IP.
Sorry for the grammar and lack of DNS, firewall knowledge
Thanks for the help

Miha Pihler 2004-07-09, 12:01 pm
Hi Jim,
I have told you in my previous post that this is something that you should
check with CheckPoint documentation and news group. Also, if you will
administer it, get to know the product, otherwise you won't be able to run it
in a secure way.
Having said that, here are some tips on how to configure your CheckPoint to
run your web site on a private network.
First create two host objects, e.g.
WebServer_Private and give it private IP (e.g. 192.168.0.5) (this IP depends
on your firewall configuration, number of interfaces and their IP assignment)
WebServer_Public and give it public IP (e.g. 193.2.1.70)
Then open %fwdir% and browse to the config folder. Here look for a file called
local.arp and open it using notepad. If the file doesn't exist, create one. In
the file create the following entry.
193.2.1.70 00-08-02-F6-33-9D
Where you replace 193.2.1.70 with the public IP of the web server
and replace 00-08-02-F6-33-9D with the MAC address of the _public_ network
card of your checkpoint firewall.
Next thing you have to do is create a static route from public IP to private
IP.
e.g.
route -p add 193.2.1.70 mask 255.255.255.255 192.168.0.5
193.2.1.70 = public IP of your web server
mask 255.255.255.255 = specific host (in this case 193.2.1.70)
192.168.0.5 = private IP of your web server
Next thing you need to do is create appropriate rules on your firewall for
your web server e.g.

Source             Destination        Coming Via   Services      Logging
Any                WebServer_Public   Any          http          Log

Under services add any other services that run on the server and _don't_ put
in ANY!!!
If you need to surf from your web server then also open

Source             Destination        Coming Via   Services      Logging
WebServer_Public   Any                Any          http, https   Log

Next thing, open Network Address Translation and create a rule like this:

             Before NAT                             After NAT
Source Address      Destination Address   Source Address     Destination Address
Any                 WebServer_Public      Any                WebServer_Private
WebServer_Private   Any                   WebServer_Public   Any

This is about it. Again, I can't stress enough how important it is that you
understand your checkpoint firewall if you are going to use it...
Mike
"Jim" <anonymous@discussions.microsoft.com> wrote in message
news:29f6c01c4652d$b57cdf90$a301280a@phx.gbl...
> Ok I am setting up a webserver and putting it behind a
> firewall with a private address. I had this site
> working when I had my external address, now that I put it
> internal I am guessing I need to set up NAT through the
> Gateway(firewall). The question is a domain service has my
> top level DNS which has A, Cname, and MX records then
> comes the router, gateway(firewall), and internal domain
> with internal DNS. How do I get the webserver working? Is
> there something I have to do on the router to tell it to
> go to the gateway and look for that address, or I guess
> my question is how does the gateway know to pick up that
> IP and tell it to go to the internal IP.
>
> Sorry for the grammar and lack of DNS, firewall knowledge
>
> Thanks for the help
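
How the pieces described in the reply above fit together for one inbound request, as an added example that is not part of the original thread and is not Check Point code. It is a simplified Python model using the post's example addresses; the client address 198.51.100.7, the function names and the drop-if-unmatched default are assumptions, and the host route is folded into the final forwarding step.

```python
# Simplified model of the path an inbound web request takes through the
# gateway. Illustration only: not Check Point code or its real rule engine.
from typing import Optional

# local.arp: public IP -> MAC of the firewall's public NIC (values from the post)
LOCAL_ARP = {"193.2.1.70": "00-08-02-F6-33-9D"}

# Static NAT pair: WebServer_Public <-> WebServer_Private
STATIC_NAT = {"193.2.1.70": "192.168.0.5"}

# Inbound rule base, matched on the address the client actually used.
# (source, destination, services); anything unmatched is dropped (assumed).
RULES = [("Any", "193.2.1.70", {"http"})]


def arp_reply(ip: str) -> Optional[str]:
    """MAC the gateway answers with when the router ARPs for `ip`."""
    return LOCAL_ARP.get(ip)


def rule_allows(src: str, dst: str, service: str) -> bool:
    """True if some rule lists this source, destination and service."""
    return any(
        r_src in ("Any", src) and r_dst == dst and service in r_svc
        for r_src, r_dst, r_svc in RULES
    )


def inbound(src: str, dst: str, service: str) -> str:
    """Return the verdict for a packet the router is trying to deliver."""
    if arp_reply(dst) is None:
        return "undeliverable: nobody answers ARP for " + dst
    if not rule_allows(src, dst, service):
        return "dropped: no rule permits " + service
    private = STATIC_NAT.get(dst)
    if private is None:
        return "accepted, but no NAT rule for " + dst
    return "forwarded to " + private


def outbound_source(src: str) -> str:
    """Source address seen on the Internet for traffic leaving `src`."""
    reverse = {priv: pub for pub, priv in STATIC_NAT.items()}
    return reverse.get(src, src)


if __name__ == "__main__":
    for svc in ("http", "rdp"):  # constructed sample requests
        print(svc, "->", inbound("198.51.100.7", "193.2.1.70", svc))
    print("server leaves as", outbound_source("192.168.0.5"))
```

Removing the entry from LOCAL_ARP in the model reproduces the symptom of a missing local.arp line: the router never gets an ARP answer for the public IP, so the request never reaches the rule base.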