Re: Need Help on Checkpoint Firewall NAT

From: Wolfgang Kueter (wolfgang_at_shconnect.de)
Date: 01/30/05


Date: Sun, 30 Jan 2005 13:24:54 +0000 (UTC)

tsaolimkei@gmail.com wrote:
> I am configuring two machines
>
> ComputerA - Checkpoint Firewall installed here
> 222.*.*.*
> 10.1.1.1
>
> ComputerB
> 10.1.1.2
>
> I am setting 10.1.1.2 with Static NAT and hiding it behind 222.*.*.*
>
> I am trying to use ComputerB to perform regular web browsing but it
> does not work. I am able to ping from computerB to 222.*.*.*
>
> Any idea? Do I need to set up DNS Server for this?

Without functioning DNS Internet is not much fun.

> The only rule I set is from ComputerB to Any, Http Accept.
> I am trying Hide mode and it did not work either.

You need some rules that allow the internal machine(s) to resolve host
names. This can be done by running your own (caching-only) DNS server,
which must be allowed to contact external DNS servers, or by allowing the
internal machines to contact external DNS servers.

The general approach to all firewalling/filtering is:

- Sit down with a piece of paper
- make up your mind about the policy by writing it down in a table
  looking something like:

source  destination  service  port/protocol  allow  log
---------------------------------------------------------
LAN     any          http     80/tcp         y      n
LAN     any          https    443/tcp        y      n
LAN     ISP DNS      DNS      53/udp         y      n
LAN     ISP MTA      smtp     25/tcp         y      n
...     ...          ...      ...            y      n
any     any          any      any            n      y

After that implement that ruleset into your filtering machine (whatever
you use). If something is not working it will for sure be caught by the
last rule (deny everything) and show up in the logfile. Watch the logfile
and maybe allow additional connections according to your requirements.

Wolfgang

-- 
A foreign body and a foreign mind
never welcome in the land of the blind
from: 'Not one of us' (c) 1980 Peter Gabriel
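The paper table and the "deny everything, log it" cleanup rule above can be modelled directly. The following is an added example, not code from the original thread and not Check Point's own rule syntax: a first-match policy evaluator written in Python that takes the table as data and replays the situation from the question (ComputerB at 10.1.1.2 browsing the web and trying to resolve names). The network objects (LAN, ISP DNS, ISP MTA), the 192.0.2.x / 198.51.100.x addresses and the sample connections are all constructed for the illustration.

```python
"""Added example: first-match evaluation of the policy table from the post,
with a deny-and-log cleanup rule as the last entry. Objects, addresses and
sample connections are constructed; they are not from the original thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Network objects, constructed for the example. 192.0.2.0/24 (documentation
# prefix) stands in for the ISP's DNS and mail servers.
OBJECTS = {
    "LAN": [ip_network("10.1.1.0/24")],
    "ISP DNS": [ip_network("192.0.2.53/32")],
    "ISP MTA": [ip_network("192.0.2.25/32")],
    "any": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    service: str
    port: Optional[int]    # None means any port
    proto: Optional[str]   # None means any protocol
    allow: bool
    log: bool


# The policy table from the post, written as data. Order matters: first match wins,
# and the last rule is the cleanup rule that denies and logs everything else.
POLICY = [
    Rule("LAN", "any", "http", 80, "tcp", True, False),
    Rule("LAN", "any", "https", 443, "tcp", True, False),
    Rule("LAN", "ISP DNS", "DNS", 53, "udp", True, False),
    Rule("LAN", "ISP MTA", "smtp", 25, "tcp", True, False),
    Rule("any", "any", "any", None, None, False, True),
]


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    port: int
    proto: str


def _in_object(addr: str, name: str) -> bool:
    """True if the address falls inside any network of the named object."""
    ip = ip_address(addr)
    return any(ip in net for net in OBJECTS[name])


def match(rule: Rule, conn: Connection) -> bool:
    return (_in_object(conn.src, rule.source)
            and _in_object(conn.dst, rule.destination)
            and (rule.port is None or rule.port == conn.port)
            and (rule.proto is None or rule.proto == conn.proto))


def evaluate(policy: List[Rule], conn: Connection, log: List[str]) -> Tuple[int, bool]:
    """Return (rule number, allowed) of the first matching rule.
    If that rule has logging enabled, append a log line, as the cleanup rule does."""
    for number, rule in enumerate(policy, start=1):
        if match(rule, conn):
            if rule.log:
                action = "accept" if rule.allow else "drop"
                log.append(f"rule {number} {action} {conn.src} -> {conn.dst} "
                           f"{conn.port}/{conn.proto}")
            return number, rule.allow
    raise RuntimeError("no rule matched: the policy lacks a cleanup rule")


def run_sample() -> Tuple[List[Tuple[int, bool]], List[str]]:
    """Replay the post's scenario: ComputerB (10.1.1.2) browsing the web and
    resolving names. Connections are constructed for the example."""
    log: List[str] = []
    sample = [
        Connection("10.1.1.2", "198.51.100.10", 80, "tcp"),   # web browsing: rule 1
        Connection("10.1.1.2", "192.0.2.53", 53, "udp"),      # DNS to the ISP resolver: rule 3
        Connection("10.1.1.2", "198.51.100.53", 53, "udp"),   # DNS to some other server: cleanup rule
        Connection("198.51.100.10", "10.1.1.2", 80, "tcp"),   # unsolicited inbound: cleanup rule
    ]
    results = [evaluate(POLICY, conn, log) for conn in sample]
    return results, log


if __name__ == "__main__":
    results, log = run_sample()
    for result in results:
        print(result)
    print("\n".join(log))
```

The third connection is the one the post is about: a DNS query that no allow rule covers falls through to the cleanup rule, is dropped, and shows up in the log, which is exactly the signal to go back to the table and decide whether a further DNS rule belongs there.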
