10-31-2008 02:28 PM
Here is my simple configuration:
DSL=>Switch---(untrust:eth3)__NetScreen204__(trust
The IP addresses are:
eth3: 72.xx.xxx.xxx/13
eth1: 10.100.2.183/16
I have a web server running on Solaris with public IP 72.xx.xxx.xxx. I followed the guide on how to NAT-src from the Egress Interface IP address to implement NAT.
My problem is that when I ping from a network device connected to eth1 to my DNS server, it is not responding. The packet is being dropped somewhere.
10-31-2008 03:03 PM
Could you please explain how your policies are set up? Do you see any logging on this?
I assume the device in trust has a DG pointing to eth1 and the Solaris server is the DNS server?
11-02-2008 06:05 AM
11-02-2008 10:26 PM
Do you have MIPs configured on the firewall? Is the Trust interface set up in NAT mode (default) or Route mode?
If you have MIPs on eth3, your policy needs to read: from untrust to trust any mip(73.x.x.x) dns permit.
11-03-2008 08:54 AM
Thanks for your replies above. I am starting it over again from the very basic.
The following are the interfaces:
ethernet1: Static IP/Netmask: 10.100.2.183/16
zone: trust
Interface Mode: NAT
ethernet3: Static IP/Netmask: 72.85.***.**/13
zone: untrust
VIP: 72.85.***.** (This is the registered public domain name of my web server and is on the same network as untrust!)
The policies are:
Untrust to Trust: Source: Any
Destination: Any
Service: Any
Untrust to Trust: Source: Any
Destination: VIP (72.85.***.**)
Service: Any
Action: Permit
Trust to Untrust: Source: Any
Destination: Any
Service: Any
I am running a web server with the private IP address 10.100.2.184. Its public domain name is registered with the IP address 72.85.***.**, which is in the same network as the untrust interface. I can ping from 10.100.2.184 to 72.85.***.** but not to the DNS server. Also, when I ping from 72.85.***.** to 10.100.2.184, it is not responding.
The System Log Event shows the policies I have modified and is not very informative. There is no MIP configured on the firewall.
11-03-2008 09:50 AM
Also, I can see the following message on the most recent alarms:
2003-11-21 20:59:30 crit VIP server 10.100.2.84 cannot be contacted.
2003-11-20 22:06:59 crit DNS server is not configured.
2003-11-20 22:06:59 crit DNS server is not configured.
2003-11-20 22:06:59 crit DNS server is not configured.
2003-11-20 22:06:59 crit DNS server is not configured.
I am relatively new to this so I appreciate your patience. I will try to supply more details.
Thanks
11-03-2008 11:59 AM
The first policy will never work; the trust interface is in NAT mode, for one. The second policy is using a VIP (MIPs are preferred). VIPs are used for what some call port forwarding. As it appears that you have a /13, you should be using MIPs. Remove the second policy, remove the VIP, and then create a MIP. Then recreate the incoming policy using that new MIP. If you allow ping from untrust to trust using that MIP, then it will respond. The CLI would look like this:
set policy from untrust to trust any MIP(72.85.***
Then, once that policy is created, HTTP should be allowed; after that you can add up to 32 service objects to that policy.
Let's start there and get your head wrapped around this initial problem. Please consider reading the Concepts and Examples guide for the initial configuration of your box.
11-03-2008 12:14 PM
Besides the fact that a MIP would be more suitable in the case of a /13 (that is, if you can use those addresses), a VIP should work.
The first policy is actually in the way of the second policy working. A basic rule of most firewalls is that the policies/rules are processed sequentially. This means the first rule is accepting all the traffic while not translating anything to the private IP address (you need a MIP or VIP in the policy for that). So the second rule, which contains the translation, doesn't receive the traffic, because it has already been processed by rule 1.
What does the configuration of your VIP look like? (Under Interfaces -> untrust -> VIP.)
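Putting the two replies above together, here is an added ScreenOS CLI walk-through (not posted in this thread) that removes the VIP and the broad any/any inbound policy, creates a MIP on ethernet3, and checks the policy order so the MIP rule is the one that sees inbound traffic. The public address 72.85.X.X is a placeholder for the masked 72.85.***.**, the policy IDs and the resolver address are assumed, and the `#` lines are commentary rather than CLI input.

```screenos
# 1. List the existing policies and remove the two untrust-to-trust ones
#    (IDs 1 and 2 are assumed; take the real IDs from "get policy").
get policy
unset policy id 1
unset policy id 2
# Remove the VIP from the untrust interface.
unset interface ethernet3 vip 72.85.X.X

# 2. Map the public address to the web server with a MIP (one-to-one,
#    bidirectional), so inbound packets are translated to 10.100.2.184.
set interface ethernet3 mip 72.85.X.X host 10.100.2.184 netmask 255.255.255.255 vr trust-vr

# 3. Inbound policy referencing the MIP. Start with HTTP, then attach the
#    extra services (DNS, PING) to the same policy, as the reply suggests.
set policy id 10 from untrust to trust any mip(72.85.X.X) http permit log
set policy id 10
set service dns
set service ping
exit

# 4. Outbound policy. ethernet1 is in NAT mode, so trust-to-untrust traffic
#    is already translated to the egress (ethernet3) address; "nat src"
#    makes that explicit in the policy, matching the poster's guide.
set policy id 20 from trust to untrust any any any nat src permit log

# 5. Checks. Policies are matched top-down within a zone pair, so if a
#    broad any/any/any policy remained above policy 10 it would take the
#    traffic before the MIP translation; the MIP policy must be listed first.
get policy from untrust to trust
get interface ethernet3
# Traffic log for the inbound policy shows whether packets reach it at all.
get log traffic policy 10

# 6. The "DNS server is not configured" alarms refer to the firewall's own
#    resolver; assumed address shown as a placeholder.
set dns host dns1 <dns-server-ip>
```

If inbound ping still fails after this, the traffic log for policy 10 separates "never matched" (wrong order or wrong destination object) from "matched but no reply" (host or default gateway problem on the trust side).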
11-03-2008 12:53 PM
11-03-2008 01:34 PM
Like you guys suggested, I deleted the first 2 policies (including the VIP) and set a MIP (72.85.***.**) on ethernet3.
Now I can ping from an outside host to 10.100.2.184. But when I ping from 10.100.2.184 to the outside, it is failing. My current policy for the outbound traffic (Trust to Untrust) is:
Source: Any
Destination: Any
Service: Any
NAT: Enabled