This will turn Proxy ARP on for all interfaces on SPLAT:
Edit /etc/sysctl.conf
Then add the following lines
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.default.proxy_arp = 1
You still have to add all routes for the static NAT(s).
Regards,
Sal.
-----Original Message-----
From: Steve Loughran [mailto:stevelml1 AT SCEE.SONY.CO DOT UK]
Sent: Wednesday, October 06, 2004 5:27 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Proxy ARP not working with manual NAT with Secure
Platform NG AI R55
I ran into this exact same problem yesterday. I had added ARP entries, and
routes from external ARPd IPs to the DMZ IPs, but still no go.
The problem is that Linux will not proxy ARP unless you enable it. I had to
add the following line to my /etc/rc.d/rc.local script
echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
where you should replace the "eth0" part with the name of the NIC you want to
proxy ARP on.
This may help too:
http://msgs.securepoint.com/cgi-bin/get/fw1-0409/21/1.html
Steve
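Both replies above enable the same kernel flag, Sal's through sysctl.conf for all interfaces and Steve's through /proc for a single NIC. The script below is an added example and not code from either poster or from Check Point: it audits which conf entries currently have proxy_arp on, renders per-interface sysctl lines (the narrower form, since the kernel treats conf/all/proxy_arp as enabling it everywhere), and flags any entry outside an allowed list, so an internal or DMZ NIC answering ARP for addresses it should not can be spotted. The PROC_ROOT variable is an assumption added so the functions can be exercised against a constructed directory tree instead of the live /proc/sys.

```shell
#!/bin/sh
# Added example, not from the list thread: audit which interfaces proxy ARP
# and render per-interface sysctl lines. PROC_ROOT is an assumed knob so the
# functions can be run against a constructed tree instead of the live /proc/sys.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Print, one per line and sorted, every entry under net/ipv4/conf whose
# proxy_arp flag is 1. "all" and "default" appear here too when set, which
# matters: the kernel enables proxy ARP on an interface if either
# conf/all/proxy_arp or conf/<iface>/proxy_arp is 1.
proxy_arp_enabled_ifaces() {
    for f in "$PROC_ROOT"/net/ipv4/conf/*/proxy_arp; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            basename "$(dirname "$f")"
        fi
    done | sort
}

# Render sysctl.conf lines that enable proxy_arp only on the interfaces given
# (normally just the external NIC that owns the NAT addresses), instead of
# the all/default pair, which turns it on for every interface.
render_sysctl_lines() {
    for iface in "$@"; do
        printf 'net.ipv4.conf.%s.proxy_arp = 1\n' "$iface"
    done
}

# Report any enabled entry that is not in the allowed list passed as arguments.
# Returns 1 when something unexpected (e.g. "all", or an internal NIC) is on.
check_unexpected_proxy_arp() {
    rc=0
    for iface in $(proxy_arp_enabled_ifaces); do
        allowed=0
        for ok in "$@"; do
            [ "$iface" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "unexpected proxy_arp on $iface"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on a live box, allowing only the external NIC:
#   check_unexpected_proxy_arp eth0 && echo "proxy_arp limited to eth0"
#   render_sysctl_lines eth0 >> /etc/sysctl.conf
```

Running the check periodically (or after policy pushes) gives a quick way to confirm that proxy ARP stayed limited to the interface that actually holds the NATed addresses; a hit on "all" means the broad sysctl form is in effect.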
----- Original Message -----
From: "Phil Wang" <philw AT ALLCOMNETWORKS.COM DOT AU>
To: <FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com>
Sent: Wednesday, October 06, 2004 9:39 AM
Subject: [FW-1] Proxy ARP not working with manual NAT with Secure Platform
NG AI R55
> Hi All,
>
> I have installed NG AI R55 on a SPLAT. I noticed that the f/w doesn't
> respond to the manual NAT rule's IP address. My settings are as follows:
>
> f/w interfaces:
> Ext: 202.x.x.1/27
> Int: 192.168.1.1/24
> DMZ: 10.10.1.1/24
>
> Mail Server: 192.168.1.9
> DMZ Server: 10.10.1.11
>
> The requirements are
> 1. NAT mail server to 202.x.x.9 on SMTP port 25
> 2.1 NAT DMZ server to 202.x.x.11 on HTTPS port 443
> 2.2 NAT DMZ server to 202.x.x.21 on HTTPS port 443 with port redirection
> to TCP port 442.
>
> First I added three ARP entries for these 3 IP addresses respectively.
> Then I created two automatic NAT rules for requirements 1 and 2.1 and one
> manual NAT rule for 2.2. Both automatic rules are working fine, but it seems
> the f/w is not responding to the ARP query for the manually NATed IP
> 202.x.x.21.
> I see all ARP entries with the arp command but only see the two automatic NATed
> ARP entries with fw ctl arp. Also, I went through some docs found online and
> tried to add a specific route for 202.x.x.21 with gw 10.10.1.12. That did
> not work either.
> Another thing I tried is to use mapped HTTPS, and I found that if I use the
> f/w address 202.x.x.1 instead of 202.x.x.21, it works. With
> 202.x.x.21 (and the ARP entry added in), no luck either.
>
> I have got that SPLAT has some proxy ARP issues and needs an ARP entry and a
> specific route added. Now it seems proxy ARP works only with automatic NAT
> rules but not manual NAT rules. Has anyone seen this issue before?
>
>
> Thanks,
>
> Phil
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================