[FW-1] Hiding NAT with Proxy ARP

Subject: [FW-1] Hiding NAT with Proxy ARP
From: Markus Hofbauer <ho AT BACHER DOT AT>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sun, 24 Aug 2003 21:23:35 +0200
Hi,

I'm sure most of the guys on this list know that it's possible to use a
different IP address than the Firewall-IP address for Hiding NAT:

        10.1.1.0/24
        --------------
                |
                | Hiding-NAT for
                | 192.168.0.0/24 & 192.168.1.0/24: 10.1.1.2
                |
                |10.1.1.1
         /-------------\                                 192.168.1.0/24
        |       FW      |-------------------------------------------------
         \-------------/
                |192.168.0.1
                |
        -------------------
        192.168.0.0/24


This works fine on Solaris. Last week I noticed that this scenario does not
work any more on SecurePlatform AI ClusterXL (New Mode HA Broadcast).

Started some debugs and found out that the active machine does not answer
the ARP requests for the address 10.1.1.2. Double checked the ARP entry on
the machine (created with arp -s 10.1.1.2 <HW-Address> pub).

After some searches through the lists I found out that a route to the
destination is necessary to get this working,
e.g. route add -host 10.1.1.2 gw <destination>

Hmm...

How to set this route in the network-topo shown above? There is no clear
destination...

I've tried to set an interface-route: route add -host 10.1.1.2 dev eth0
This seems to work but I'm sure this is not the official solution for this.

Does anyone have this kind of config up and running? Thanks for any hints.

Greetz,
Markus

--
Markus Hofbauer, IT-Service / Security
Bacher Systems EDV GmbH, Wienerbergstr. 11B, A-1101 Wien, Austria
phone: +43 (1) 60 126-34 | fax: +43 (1) 60 126-4
e-mail: markus.hofbauer AT bacher DOT at | web: www.bacher.at
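As an added example (not part of Markus's post or any Check Point tool), here is a small shell check for a SecurePlatform/Linux gateway that takes saved `arp -an` and `route -n` output and reports whether a hiding-NAT address has both the published ARP entry and the host route the post mentions. The sample tables below are constructed, and the `arp -an` line format with a `PUB` flag is an assumption about net-tools output.

```shell
#!/bin/sh
# Constructed sample of `arp -an` on the gateway. 10.1.1.3 is a second
# published address that deliberately lacks a route, to show the failing case.
SAMPLE_ARP='? (10.1.1.2) at 00:0c:29:aa:bb:cc [ether] PERM PUB on eth0
? (10.1.1.3) at 00:0c:29:aa:bb:cc [ether] PERM PUB on eth0
? (10.1.1.254) at 00:50:56:c0:00:08 [ether] on eth0'

# Constructed sample of `route -n` on the same gateway.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.2        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1'

# has_pub_arp TABLE ADDR: succeeds if ADDR has a published (PUB) ARP entry.
# The "(ADDR) " match avoids 10.1.1.2 also matching 10.1.1.20.
has_pub_arp() {
    printf '%s\n' "$1" | grep -F "($2) " | grep -qw PUB
}

# has_host_route TABLE ADDR: succeeds if ADDR has a /32 route (H flag set).
has_host_route() {
    printf '%s\n' "$1" | awk -v a="$2" \
        '$1 == a && $3 == "255.255.255.255" && $4 ~ /H/ { found = 1 }
         END { exit !found }'
}

# check_hide_addr ARP_TABLE ROUTE_TABLE ADDR: returns 0 when both conditions
# hold, otherwise prints what is missing and returns 1.
check_hide_addr() {
    rc=0
    has_pub_arp "$1" "$3" || { echo "$3: no published ARP entry"; rc=1; }
    has_host_route "$2" "$3" || { echo "$3: no host route"; rc=1; }
    return $rc
}

# Stand-alone run against the constructed tables.
check_hide_addr "$SAMPLE_ARP" "$SAMPLE_ROUTE" 10.1.1.2 && echo "10.1.1.2: ok"
check_hide_addr "$SAMPLE_ARP" "$SAMPLE_ROUTE" 10.1.1.3 || echo "10.1.1.3: check failed"
```

On a live gateway, feed it `arp -an` and `route -n` captured on each cluster member after a failover, since the post's symptom appeared only on the active node.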
