15.7.4. Cannot access Internet from behind firewall

I compiled and activated firewall policy, but workstations behind the firewall still cannot access the Internet.

Here are a few troubleshooting steps:

  • Make sure you compiled, then installed and activated the firewall policy. Were there any errors during compilation or activation?

  • Check that IP forwarding is turned on (pull-down menu in the "Network" tab of the firewall object dialog).

  • Try to ping hosts on the Internet by their IP address, not by name. This helps isolate DNS problems. If you can ping by address but not by name, you need to add policy rules that permit DNS queries.

  • Look in the firewall's log for records indicating that it drops packets. An error in the policy design can cause it to block connections that you actually want to go through.

  • Use the "Log everything" option to make all rules generate log entries; this sometimes helps pinpoint the rule that drops the packets.

Things to check in the policy:

  • Check that you have a NAT rule if your protected network uses "private" IP addresses.

  • If the NAT rule is there, you may still need a policy rule that actually permits connections from the protected network.

  • When NAT is not used, check that routing is configured properly. If your firewall separates subnets A and B, and you are trying to connect from a host on subnet A to a host on subnet B, then both hosts need a route to the opposite network. The host on net A needs a route for net B pointing at the firewall; similarly, the host on net B needs a route for net A, also pointing at the firewall. If one (or both) of the hosts has a default route pointing at the firewall, it does not need a separate route for the other network.
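The checks from both lists above, turned into small shell functions so they can be run on the firewall host or against captured log data. This is an added example and not part of the Firewall Builder documentation or of the code it generates: the log lines are constructed samples in the standard netfilter LOG-target format with a "RULE N -- ACTION" prefix, the sysctl path is the usual Linux one, and the ping results are passed in as exit codes so the diagnosis logic can be exercised without network access.

```sh
#!/bin/sh
# Added example (not from the Firewall Builder documentation): offline helpers for
# the troubleshooting steps. Assumptions: Linux /proc sysctl layout, netfilter
# LOG-target line format, and constructed sample log lines.

# Step "check if IP forwarding is turned on". The path is a parameter so the
# function can be tested against a constructed file; the default is the live sysctl.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Step "look in the firewall's log for dropped packets". Reads LOG lines on stdin
# and prints "SRC -> DST PROTO/DPT" for every record whose prefix mentions DROP.
dropped_connections() {
    grep -i 'DROP' |
        sed -n 's|.*SRC=\([0-9.]*\).*DST=\([0-9.]*\).*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*|\1 -> \2 \3/\4|p'
}

# Step "ping by address, then by name". $1 and $2 are the exit codes of the two
# pings (0 = reply received). On a live box, for example:
#   diagnose_dns "$(ping -c1 -W2 198.51.100.1 >/dev/null 2>&1; echo $?)" \
#                "$(ping -c1 -W2 www.example.com >/dev/null 2>&1; echo $?)"
diagnose_dns() {
    by_ip="$1"; by_name="$2"
    if [ "$by_ip" -eq 0 ] && [ "$by_name" -ne 0 ]; then
        echo "dns"       # address works, name fails: permit DNS queries in the policy
    elif [ "$by_ip" -ne 0 ]; then
        echo "routing"   # not even the address is reachable: forwarding, NAT, routes, drop log
    else
        echo "ok"
    fi
}

# Constructed sample log: two DROP records and one ACCEPT record (addresses are
# documentation/private ranges, not real hosts).
SAMPLE_LOG='Jan  1 12:00:01 fw kernel: RULE 3 -- DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 12:00:02 fw kernel: RULE 5 -- ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51001 DPT=443
Jan  1 12:00:03 fw kernel: RULE 3 -- DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.53 LEN=60 PROTO=UDP SPT=40000 DPT=53'

# Stand-alone demo: report forwarding state and list the dropped connections.
if ip_forward_enabled; then echo "ip_forward: on"; else echo "ip_forward: off or unreadable"; fi
printf '%s\n' "$SAMPLE_LOG" | dropped_connections
```

On a real firewall, feed `dropped_connections` from the kernel log (for example `dmesg` or the syslog file that receives kernel messages); the rule number in the prefix points straight at the policy rule to review. A UDP/53 drop from an inside host, as in the second sample record, is the typical signature of the "ping by address works, ping by name fails" case.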


