Re: [FW1] How to setup a dual FW1 DMZ?



I think your #2 firewall is somewhat extraneous in your example.
Since you can have your firewall apply rules EITHERBOUND, rules are checked
in both directions and one firewall should be able to accomplish the same goal.

Here is an example:

Internet Router 200.200.200.1
|
|
Firewall -1  ---------------- DMZ Host (200.200.200.3(o), 192.168.0.3(dmz), 10.10.10.3(i))
(200.200.200.2(o),
 192.168.0.2(dmz vlan),
 10.10.10.2(i)) 
|
|
Internal Router 10.10.10.1

So you statically NAT your DMZ bastion in both directions.
It has a real Internet address of 200.200.200.3, so you create appropriate rules for
traffic to/from 200.200.200.3, static NAT rules, static host routes and local.arp.
It has an address on your internal network of 10.10.10.3 and you do the same
for this IP: rules, static host routes, nat, local.arp.
192.168.0.0/30 is the ACTUAL subnet on that DMZ leg that you define static host
routes to in both directions. (also important to properly define anti-spoofing on interfaces)

So nat translations look kind of like:

Internet
@
@
@@@@@DMZ(o)
FW-1 ==== DMZ(dmz)
+++++++++DMZ(i)
+
+

You apply eitherbound rules for @, =, and + traffic, the latter acting like your #2 firewall.


So you load a SMTP relay on the bastion host and allow your internal mailserver
to relay mail via smtp to this host.
On the outside interface you probably need to add a couple more rules to make
the bastion useful: icmp-request, reply, etc.
I would strongly advise against allowing ftp to a bastion providing any other services!
Set up an ftp server if needed and use a resource definition with the ftp rule to allow
only get/put in the direction you choose. ftp is dangerous...

Your #2 router in your example is basically just applying a rule base that is accomplished
in my example by the rules applied to the 192.168.0.3 ===> 10.10.10.3 direction.

Considering the expense of CheckPoint software, I think you would be wasting money.

----- Original Message ----- 
From: "Brock Bruner" <[email protected]>
To: <[email protected]>
Sent: Tuesday, October 31, 2000 12:44 PM
Subject: [FW1] How to setup a dual FW1 DMZ?


> 
> I have seen a lot of examples of how to setup a DMZ by using three
> interfaces, one for each part of the network.  Does anyone have any examples
> on how to setup a two firewall network that contains a DMZ? See my example
> below.
> 
> 
> INTERNET ---- FW#1 ---- DMZ ---- FW#2 ---- NETWORK
> 
> I am mostly concerned with the fact that the company want to put our mail
> server on the internal network.  I just want to make sure that I can have
> e-mails get all the way in any out from the internet.  I also want to use
> NAT at both firewalls if possible.
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 



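The reply above argues that one three-legged FW-1 with double static NAT on the bastion and eitherbound rules does the work of the second firewall. The following is an added example, not code from the post or from Check Point: a small Python model of that design, built from the addresses in the reply (200.200.200.3 and 10.10.10.3 both mapping to the real DMZ address 192.168.0.3), so the rule base, the per-leg anti-spoofing check and the two NAT mappings can be exercised offline. The outside mask (/24), the internal mail server address (10.10.10.25) and the rule base itself are assumptions. Rules are matched on the pre-NAT addresses, as FW-1 of that era did; the static host routes and local.arp entries the reply mentions are collapsed into the route lookup; only the first packet of a connection is modelled, since a real FW-1 passes replies from its connection table.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology, following the post: one FW-1 with three legs.
OUTSIDE, DMZ, INSIDE = "outside", "dmz", "inside"
NETS = {
    OUTSIDE: ipaddress.ip_network("200.200.200.0/24"),  # mask assumed; not in the post
    DMZ: ipaddress.ip_network("192.168.0.0/30"),
    INSIDE: ipaddress.ip_network("10.10.10.0/24"),
}
BASTION = "192.168.0.3"                       # the bastion's real address on the DMZ leg
# Static NAT in both directions: the address the bastion is known by on each leg.
STATIC_NAT = {OUTSIDE: "200.200.200.3", INSIDE: "10.10.10.3"}
MAILSERVER = "10.10.10.25"                    # assumed internal mail server address
ANY = "any"

# Rule base, first match wins, evaluated on the packet as it arrived (pre-NAT
# addresses). Entries: (source, destination, service, action); a pattern is ANY,
# a single IP or a CIDR. Assumed rules, not the poster's.
RULES = [
    ("10.10.10.0/24", "200.200.200.3", ANY, "drop"),            # inside must use 10.10.10.3, not the public address
    (ANY, "200.200.200.3", ("tcp", 25), "accept"),              # Internet -> bastion smtp      (the "@" leg)
    (ANY, "200.200.200.3", ("icmp", "echo-request"), "accept"), # make the bastion pingable
    (MAILSERVER, "10.10.10.3", ("tcp", 25), "accept"),          # internal mail server relays out (the "+" leg)
    (BASTION, MAILSERVER, ("tcp", 25), "accept"),               # bastion delivers inbound mail   (the "+" leg)
    (BASTION, "10.10.10.0/24", ANY, "drop"),                    # ...and nothing else inside: this is "firewall #2"
    (BASTION, ANY, ("tcp", 25), "accept"),                      # bastion sends mail to the Internet
    (ANY, ANY, ANY, "drop"),                                    # cleanup rule
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    dport: int = 0      # tcp destination port
    icmp_type: str = ""  # e.g. "echo-request" when proto == "icmp"


def matches(addr, pattern):
    """ANY, a host address or a CIDR pattern against one address."""
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def service_matches(pkt, svc):
    if svc == ANY:
        return True
    proto, detail = svc
    if pkt.proto != proto:
        return False
    return detail == (pkt.dport if proto == "tcp" else pkt.icmp_type)


def spoofed(pkt, iface):
    """Per-leg anti-spoofing: a source must belong to the networks behind that leg.
    The bastion's NAT addresses never appear as a source on arrival (its real
    address is 192.168.0.3), so they are rejected on every leg."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.src in STATIC_NAT.values():
        return True
    if iface == OUTSIDE:  # "others": anything not behind the dmz or inside legs
        return any(src in NETS[leg] for leg in (DMZ, INSIDE))
    return src not in NETS[iface]


def route(dst):
    """Stand-in for the static host routes: pick the egress leg by destination."""
    d = ipaddress.ip_address(dst)
    for leg in (DMZ, INSIDE):
        if d in NETS[leg]:
            return leg
    return OUTSIDE


def translate(pkt, iface):
    """Static NAT in both directions: a packet arriving on a leg that knows the
    bastion by a NAT address has its destination rewritten to the real address;
    a packet from the bastion leaving toward such a leg has its source rewritten."""
    if iface in STATIC_NAT and pkt.dst == STATIC_NAT[iface]:
        pkt = replace(pkt, dst=BASTION)
    egress = route(pkt.dst)
    if egress in STATIC_NAT and pkt.src == BASTION:
        pkt = replace(pkt, src=STATIC_NAT[egress])
    return pkt, egress


def process(pkt, iface):
    """Decide the first packet of a connection arriving on `iface`.
    Returns (action, packet as forwarded, egress leg or None)."""
    if spoofed(pkt, iface):          # anti-spoofing fires before the rule base
        return ("drop", pkt, None)
    action = "drop"
    for src_m, dst_m, svc, act in RULES:
        if matches(pkt.src, src_m) and matches(pkt.dst, dst_m) and service_matches(pkt, svc):
            action = act
            break
    if action != "accept":
        return ("drop", pkt, None)
    out, egress = translate(pkt, iface)
    return ("accept", out, egress)


if __name__ == "__main__":
    # Constructed sample traffic: inbound mail, an outbound relay, and a bastion
    # trying to reach a file share inside (what "firewall #2" is meant to stop).
    for pkt, leg in [
        (Packet("198.51.100.7", "200.200.200.3", "tcp", 25), OUTSIDE),
        (Packet(MAILSERVER, "10.10.10.3", "tcp", 25), INSIDE),
        (Packet(BASTION, "10.10.10.50", "tcp", 445), DMZ),
    ]:
        print(leg, pkt, "->", process(pkt, leg))
```

The two drop rules are the part worth copying: the one placed before the broad "bastion -> any smtp" accept is what gives the DMZ-to-inside leg the behaviour of the second firewall, and the first rule stops internal hosts from reaching the bastion through its public address, which would otherwise be accepted by the Internet-facing smtp rule and sent out the wrong leg.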


