I use static ARPs instead of router routing entries, but I think you're
missing a static route on the fw-1 itself:
# route add _translated_address_ _original_address_ 1
(if you're using unix).
Regarding the ruleset, you don't have to allow anything *from* the web
server (if that is all it does); use:
src ANY, dst www-external, service http, https, allow
You'll find all this and much more at Phoneboy's FW-1 FAQ
http://www.phoneboy.com/fw1/
Hope this helps
Joe McLeod wrote:
>
> I have been fighting with FW-1 for a few weeks in order to get address
> translation working for a protected web server. I have two translations;
> one for our users where an address range is translated and one for the web
> server, using a single address, for which we wish to allow certain traffic
> through.
>
> For the web server, I created a host object with the private address and
> enabled the automatic translation rules with its public address. For
> testing, I have set the policy rules to allow any traffic. When I try to
> connect, a browser will tell me that it can't establish a session. Also,
> the web server can establish client connects out to other global servers.
>
> If, on the other hand, I establish a server on one of the user addresses and
> allow traffic through to it, it works without fail.
>
> From our gateway router, I have a /32 routed to the firewall's external
> interface for the web server and a /26 for the user translations.
>
> On the firewall, both subnets have a route entry pointing to the internal
> interface.
>
> Help?
>
> Thanks,
>
> Joe McLeod
> Group Engineer, Advanced Services
> Charter Communications
>
--
Rui Pedro Bernardino / Av. Miguel Bombarda, 4, 8o / 1049-058 Lisboa /
Portugal
The modern child will answer you back before you've said anything.
-- Laurence J. Peter
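As an added illustration of the two points in the reply above (the host route for the translated address, and a rule base that only needs the inbound direction), here is a small Python model. It is not FW-1 code and not part of this thread: the interface names, addresses and the order of operations (route lookup on the public address first, then translation, then rule matching, with replies admitted by connection state) are assumptions chosen to show why the missing route bounces traffic and why no rule "from" the web server is needed.

```python
import ipaddress

# --- Constructed topology (example values, not from the thread) ---
EXTERNAL_IF = "hme0"
INTERNAL_IF = "hme1"
GATEWAY_ROUTER = "203.0.113.1"
WWW_EXTERNAL = "203.0.113.10"   # "www-external": the public, translated address
WWW_INTERNAL = "10.1.1.10"      # the host object's private (original) address

# Automatic static NAT for the web server object: public -> private.
STATIC_NAT = {WWW_EXTERNAL: WWW_INTERNAL}

SERVICES = {"http": 80, "https": 443}

# Rule base written the way the reply suggests: inbound direction only.
RULES = [
    # (source, destination, services, action); "ANY" matches everything
    ("ANY", WWW_EXTERNAL, {"http", "https"}, "accept"),
]

# Routing tables as (prefix, interface, next hop).  The second table adds the
# host route the reply recommends:  route add <translated> <original> 1
ROUTES_WITHOUT_HOST_ROUTE = [
    ("0.0.0.0/0", EXTERNAL_IF, GATEWAY_ROUTER),
    ("10.1.1.0/24", INTERNAL_IF, None),
]
ROUTES_WITH_HOST_ROUTE = ROUTES_WITHOUT_HOST_ROUTE + [
    (WWW_EXTERNAL + "/32", INTERNAL_IF, WWW_INTERNAL),
]


def lookup_route(routes, dst):
    """Longest-prefix match; returns (prefix, interface, next_hop) or None."""
    best = None
    for prefix, ifname, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (
            best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen
        ):
            best = (prefix, ifname, nexthop)
    return best


def rule_allows(src, dst, dport):
    """Match the rule base against the pre-translation (public) destination."""
    for r_src, r_dst, r_svcs, action in RULES:
        if r_src not in ("ANY", src) or r_dst not in ("ANY", dst):
            continue
        if dport in {SERVICES[s] for s in r_svcs}:
            return action == "accept"
    return False   # implicit drop at the end of the rule base


def inbound(routes, conns, src, sport, dport):
    """Client -> www-external.  Returns (outcome, egress_interface, delivered_dst)."""
    dst = WWW_EXTERNAL
    route = lookup_route(routes, dst)
    # Assumption modelled here: the route lookup is done on the public address
    # before translation, so without a host route the packet follows the
    # default route straight back out to the gateway router.
    if route is None or route[1] == EXTERNAL_IF:
        return ("bounced-to-router", route[1] if route else None, dst)
    if not rule_allows(src, dst, dport):
        return ("dropped-by-rulebase", route[1], dst)
    real_dst = STATIC_NAT.get(dst, dst)
    conns.add((src, sport, real_dst, dport))   # state entry used for the reply
    return ("delivered", route[1], real_dst)


def outbound_reply(conns, src, sport, dst, dport):
    """Web server -> client.  Accepted only if it belongs to a tracked connection."""
    if (dst, dport, src, sport) in conns:
        return "accepted-by-state"
    return "dropped-no-state"   # nothing unsolicited leaves the server


if __name__ == "__main__":
    conns = set()
    print(inbound(ROUTES_WITHOUT_HOST_ROUTE, conns, "198.51.100.7", 40000, 80))
    print(inbound(ROUTES_WITH_HOST_ROUTE, conns, "198.51.100.7", 40000, 80))
    print(outbound_reply(conns, WWW_INTERNAL, 80, "198.51.100.7", 40000))
```

Running it shows the first connection attempt leaving again on the external interface, the second being translated and delivered on the internal interface, and the server's reply passing on connection state alone; a second inbound attempt to a port outside http/https is dropped by the rule base even though the route is now correct.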