You don't need to add manual arp entries. Go into Global Properties ->
NAT and make sure the defaults are selected, which is all of them (but
the 'automatic arp configuration' is what's important here). It will
create arps for both automatic nat and manual nat.
HTH,
Bill
-----Original Message-----
From: Phil Wang [mailto:philw AT ALLCOMNETWORKS.COM DOT AU]
Sent: Wednesday, October 06, 2004 4:40 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Proxy ARP not working with manual NAT with Secure
Platform NG AI R55
Hi All,
I have installed an NG AI R55 on a SPLAT. I noticed that the f/w doesn't
respond to the manual NAT rule's IP address. I have the settings as follows:
f/w interfaces:
Ext: 202.x.x.1/27
Int: 192.168.1.1/24
DMZ: 10.10.1.1/24
Mail Server: 192.168.1.9
DMZ Server: 10.10.1.11
The requirements are:
1. nat mail server to 202.x.x.9 on SMTP port 25
2.1 nat DMZ server to 202.x.x.11 on HTTPS port 443
2.2 nat DMZ server to 202.x.x.21 on HTTPS port 443 with port redirection
to tcp port 442.
First I added three arp entries for these 3 IP addresses respectively.
Then I created two automatic NAT rules for requirements 1 and 2.1 and one
manual NAT rule for 2.2. Both automatic rules are working fine, but it seems
the f/w is not responding to the arp query for the manual NATed IP
202.x.x.21.
I see all arp entries with the arp command but only see the two automatic NATed
arp entries with fw ctl arp. Also, I went through some docs found online and
tried to add a specific route for 202.x.x.21 with gw 10.10.1.12. It did
not work either.
Another thing I tried is to use mapped https, and I found that if I use the
f/w address 202.x.x.1 instead of 202.x.x.21, it works. With
202.x.x.21 (and the arp entry added in), no luck either.
I gather that SPLAT has some proxy arp issues and needs an arp entry and a
specific route added. Now it seems proxy arp works only with automatic NAT
rules but not with manual NAT rules. Has anyone seen this issue before?
Thanks,
Phil
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================