Discussion:
HTTP not working on CheckPoint Firewall-1 NG
Kenny
2003-10-20 16:37:55 UTC
Hi,

I encountered a problem when I set up Checkpoint Firewall-1 NG on the
network.

To make the problem easy to identify, I enabled "any" "any" services on the
gateway (Firewall-1).

It is only running NAT (hide) on the Firewall.

From an internal network client, I can ping, tracert, and look up external internet
websites and public IP addresses by FQDN.

But from IE on the client computer, I cannot open the web page, even when I entered
the website IP address directly in the IE address bar.

Is there some special setting for HTTP access through the Checkpoint firewall
gateway?

Any tips will be appreciated.

Thanks,

Kenny
Chris
2003-10-20 18:59:16 UTC
Post by Kenny
Hi,
I encountered a problem when I set up Checkpoint Firewall-1 NG on the
network.
To make the problem easy to identify, I enabled "any" "any" services on the
gateway (Firewall-1).
It is only running NAT (hide) on the Firewall.
From an internal network client, I can ping, tracert, and look up external internet
websites and public IP addresses by FQDN.
But from IE on the client computer, I cannot open the web page, even when I entered
the website IP address directly in the IE address bar.
Is there some special setting for HTTP access through the Checkpoint firewall
gateway?
Any tips will be appreciated.
Thanks,
Kenny
Have you checked the log viewer to see why the traffic is being dropped?
This would be the first point of call!! Also, is the client set up to use a
web proxy perhaps?

Chris.
Beoweolf
2003-10-20 19:29:28 UTC
What are your rules? Did you verify / install after configuring?
What is in the log?
Post by Kenny
Hi,
I encountered a problem when I set up Checkpoint Firewall-1 NG on the
network.
To make the problem easy to identify, I enabled "any" "any" services on the
gateway (Firewall-1).
It is only running NAT (hide) on the Firewall.
From an internal network client, I can ping, tracert, and look up external internet
websites and public IP addresses by FQDN.
But from IE on the client computer, I cannot open the web page, even when I entered
the website IP address directly in the IE address bar.
Is there some special setting for HTTP access through the Checkpoint firewall
gateway?
Any tips will be appreciated.
Thanks,
Kenny
Richard H Miller
2003-10-20 19:39:39 UTC
Beoweolf (Beoweolf-***@pacbell.net) wrote:
: What are your rules? Did you verify / install after configuring?
: What is in the log?


: "Kenny" <***@hotmail.com> wrote in message
: news:***@posting.google.com...
: > Hi,
: >
: > I encountered a problem when I set up Checkpoint Firewall-1 NG on the
: > network.
: >
: > To make the problem easy to identify, I enabled "any" "any" services on the
: > gateway (Firewall-1).
: >
: > It is only running NAT (hide) on the Firewall.

Here is the key right here. You say only hide mode NAT is configured. Any machine
that is offering a service that is based on a specific IP/Port must use static mode
NAT. Define the WEB server inside with a static NAT address.

Also, as a rule, *never* do any/any/accept. Use an any/any/deny/log to see what you
are denying but do not let it through.



: >
: > From an internal network client, I can ping, tracert, and look up external internet
: > websites and public IP addresses by FQDN.
: >
: > But from IE on the client computer, I cannot open the web page, even when I entered
: > the website IP address directly in the IE address bar.
: >
: > Is there some special setting for HTTP access through the Checkpoint firewall
: > gateway?
Chris
2003-10-20 20:39:20 UTC
Post by Richard H Miller
: What are your rules? Did you verify / install after configuring?
: What is in the log?
: > Hi,
: >
: > I encountered a problem when I set up Checkpoint Firewall-1 NG on the
: > network.
: >
: > To make the problem easy to identify, I enabled "any" "any" services on the
: > gateway (Firewall-1).
: >
: > It is only running NAT (hide) on the Firewall.
Here is the key right here. You say only hide mode NAT is configured. Any machine
that is offering a service that is based on a specific IP/Port must use static mode
NAT. Define the WEB server inside with a static NAT address.
I think that he is trying to access web pages on the internet from a client
machine behind the firewall, not access a web server behind the firewall
from the outside. If this is the case then hide mode is the method to NAT
all the outgoing traffic from the internal network.

Kenny, is this what you are trying to do?

Chris.
Richard H Miller
2003-10-20 21:25:41 UTC
Chris (***@nospam.com) wrote:

: "Richard H Miller" <***@bcm.tmc.edu> wrote in message

: > Here is the key right here. You say only hide mode NAT is configured. Any machine
: > that is offering a service that is based on a specific IP/Port must use static mode
: > NAT. Define the WEB server inside with a static NAT address.
: >

: I think that he is trying to access web pages on the internet from a client
: machine behind the firewall, not access a web server behind the firewall
: from the outside. If this is the case then hide mode is the method to NAT
: all the outgoing traffic from the internal network.

: Kenny, is this what you are trying to do?


Re-reading, it is hard to tell. Your reading may be correct. If so, the question is
what version of Checkpoint NG you are running and what type of platform it is on. There
are ARP and routing issues. How did you configure the NAT?

rick
Kenny
2003-10-21 14:45:24 UTC
Hi All,

Thanks for all of the tips.

I was going to test LAN users' access to the internet through the CP Firewall using
Dynamic NAT (Hide).

After I checked the traffic log in the firewall and the client-end proxy setting,
I found there is an MS proxy client on the testing computer,
so the HTTP request has been forced to another proxy server which we disconnected.

Thanks to all again.

Kenny
Post by Richard H Miller
: > Here is the key right here. You say only hide mode NAT is configured. Any machine
: > that is offering a service that is based on a specific IP/Port must use static mode
: > NAT. Define the WEB server inside with a static NAT address.
: >
: I think that he is trying to access web pages on the internet from a client
: machine behind the firewall, not access a web server behind the firewall
: from the outside. If this is the case then hide mode is the method to NAT
: all the outgoing traffic from the internal network.
: Kenny, is this what you are trying to do?
Re-reading, it is hard to tell. Your reading may be correct. If so, the question is
what version of Checkpoint NG you are running and what type of platform it is on. There
are ARP and routing issues. How did you configure the NAT?
rick
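
The check that resolved this thread (a client-side proxy setting pointing at a disconnected proxy server), as an added Python example that is not part of the original posts: it compares a direct TCP/80 connection with the proxy the client is configured to use. The function names and result strings are assumptions; it reads only the proxy settings that `urllib.request.getproxies()` reports and does not detect a Winsock-level proxy client.

```python
import socket
from urllib.parse import urlsplit
from urllib.request import getproxies


def tcp_connect(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def proxy_endpoint(proxies):
    """Extract (host, port) of the configured HTTP proxy, or None if unset."""
    value = proxies.get("http")
    if not value:
        return None
    # Settings may be stored as "host:port" or as "http://host:port".
    parts = urlsplit(value if "://" in value else "http://" + value)
    return parts.hostname, parts.port or 80


def diagnose(target, proxies=None, connect=tcp_connect):
    """Classify why HTTP fails while ping and DNS lookups still work.

    target  -- web server name or address to test on TCP/80
    proxies -- mapping like getproxies() returns; read from the system if None
    connect -- connection probe, replaceable for offline testing
    """
    proxies = getproxies() if proxies is None else proxies
    proxy = proxy_endpoint(proxies)
    direct_ok = connect(target, 80)
    if proxy is None:
        if direct_ok:
            return "direct path works"
        return "direct TCP/80 blocked: check firewall log"
    if connect(*proxy):
        return "proxy %s:%d reachable: browser traffic goes via proxy" % proxy
    if direct_ok:
        return "client points at unreachable proxy %s:%d: fix client proxy setting" % proxy
    return "proxy %s:%d and direct TCP/80 both fail: check firewall log" % proxy


if __name__ == "__main__":
    print(diagnose("example.com"))  # placeholder target
```
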