Firewall Wizards mailing list archives

Re: IBM Secureway Firewall 4.1


From: trall () almaden ibm com
Date: Wed, 8 Mar 2000 21:08:58 -0800



(Note - I have absolutely no experience with the NT firewall product.)

From the description it doesn't sound like a firewall or DNS problem - it
sounds like a routing problem.  What is the output from "netstat -nr"?
Make sure it shows the default route (the route to 0.0.0.0) going out your
world interface to your ISP's router (which it should).

If it's a firewall issue, you should be able to determine the firewall rule
that is blocking the traffic from your logs (at least you can on the AIX
firewall).  In general, it is a good idea to closely examine your logs when
setting up a firewall, especially if it is not allowing traffic that you
think it should.

Tony Rall
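
The default-route check Tony describes can be scripted so the same test is run the same way every time the box is rebuilt. The script below is an added example for this archive page; it is not code from the thread or from IBM's product. It assumes the Linux-style "netstat -nr" layout (columns Destination, Gateway, Genmask, ..., Iface, with the default route shown as 0.0.0.0, or "default" on some systems); the routing table it parses is constructed sample data, and the 192.0.2.x / 198.51.100.x / 203.0.113.x and 10.x addresses and the en0/en1/en2 interface names are placeholders, not values from the thread. Beyond the default-route check it also resolves the longest-prefix match for a given address, which is the general form of the question "which interface does this traffic leave on".

```shell
#!/bin/sh
# Added example, not from the thread: script the "netstat -nr" check Tony
# describes. Given routing-table text, find the default route and confirm
# that it leaves via the outside (World) interface towards the ISP router,
# and resolve which route a given address would take.
#
# Assumptions: Linux-style netstat -nr layout (Destination, Gateway, Genmask,
# ..., Iface; default route shown as 0.0.0.0 or "default"). The table below
# is constructed sample data; the 192.0.2.x / 198.51.100.x / 203.0.113.x
# (RFC 5737) and 10.x addresses and the en0/en1/en2 names are placeholders,
# not values taken from the thread.

SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    en0
192.0.2.0       0.0.0.0         255.255.255.0   U     en0
198.51.100.0    0.0.0.0         255.255.255.0   U     en1
10.1.0.0        0.0.0.0         255.255.0.0     U     en2
10.2.0.0        10.1.0.254      255.255.0.0     UG    en2'

# default_route TABLE -> "<gateway> <interface>" of the default route,
# or nothing if the table has none.
default_route() {
    printf '%s\n' "$1" |
        awk '$1 == "default" || $1 == "0.0.0.0" { print $2, $NF; exit }'
}

# route_for TABLE IP -> "<gateway> <interface>" of the longest-prefix match
# for IP (a gateway of 0.0.0.0 means directly connected), or nothing.
route_for() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function ip2n(s,  a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        # prefix length of a contiguous netmask: count the leading one bits
        function masklen(m,  n, l) {
            n = ip2n(m); l = 0
            while (l < 32 && n >= 2147483648) { n = (n - 2147483648) * 2; l++ }
            return l
        }
        $1 == "Destination" || NF < 5 { next }        # header and stray lines
        {
            dest = ($1 == "default") ? "0.0.0.0" : $1
            len = masklen($3)
            # compare the top "len" bits of the address and the route network
            if (int(ip2n(ip) / 2 ^ (32 - len)) == int(ip2n(dest) / 2 ^ (32 - len)) &&
                (best == "" || len > bestlen)) {
                best = $2 " " $NF; bestlen = len
            }
        }
        END { if (best != "") print best }'
}

# check_default_route TABLE EXPECTED_GATEWAY EXPECTED_IFACE
# Exit 0 if the default route matches, 1 if it points elsewhere, 2 if absent.
check_default_route() {
    route=$(default_route "$1")
    if [ -z "$route" ]; then
        echo "no default route: Internet-bound traffic has nowhere to go" >&2
        return 2
    fi
    gw=${route% *}
    iface=${route#* }
    if [ "$gw" != "$2" ] || [ "$iface" != "$3" ]; then
        echo "default route via $gw on $iface, expected $2 on $3" >&2
        return 1
    fi
    echo "default route OK: $gw via $iface"
}

# Usage against the constructed table: check the default route, then see
# which way an outside host and a DMZ host would be sent.
check_default_route "$SAMPLE_ROUTES" 192.0.2.1 en0
echo "203.0.113.5 -> $(route_for "$SAMPLE_ROUTES" 203.0.113.5)"
echo "198.51.100.7 -> $(route_for "$SAMPLE_ROUTES" 198.51.100.7)"
```

On a real host, feed it the live table with `route_for "$(netstat -nr)" <address>`. On NT the same command prints a different layout (Network Address, Netmask, Gateway Address, Interface, Metric, with the interface given as an address rather than a name), so the awk field positions would need adjusting there; the logic of the check is the same.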


mrivera () mminet com@lists.nfr.net on 03/07/2000 05:13:27

Sent by:  owner-firewall-wizards () lists nfr net


To:   firewall-wizards () nfr net

I'm pretty new to the firewall world and am having trouble setting up
Secureway on NT.  Our goal is to migrate an existing (working) AIX IBM
eNetwork firewall v3.2 over to NT running Secureway 4.1.  I've installed NT
server, DNS services, SP5 and the firewall config client.  I manually
recreated all of the rules that I simply documented from the AIX firewall.  I
have three interfaces: World, DMZ and Secure - all are configured with the
same IP addresses as our existing AIX firewall.  I've recreated the routing
tables on NT.  On the AIX firewall, we somehow had it configured so that we
did not need an internal DNS server - DNS is our secure interface on the
firewall.  With NT's version we're going to require an internal DNS server,
an external DNS server and the firewall itself will act as a "cache-only" DNS
server.  When I bring our existing Firewall down to test the NT firewall,
this is what I get:

With rules deactivated:

I can ping our AT&T router - World
I can ping our DMZ
I can ping both network segments on our secure side
I'm not able to ping beyond the AT&T router to an address that a friend has
ping enabled from the outside world - I'm not sure if I'm supposed to be able
to do this???


With rules activated:

I'm able to ping both network segments on our secure network
I'm NOT able to ping AT&T router
I'm NOT able to ping DMZ

I thought maybe it was a DNS problem - we just set up a DNS server and tried
using it with this firewall.  A friend suggested that DNS would not be the
problem if I was not able to ping addresses beyond our AT&T router that
allowed pings from outside.  He gave me an address of his to test this.  Since
ping was unsuccessful - I haven't a clue where to go from here.  Help!



