I have got this sorted. Thanks to all you guys, especially Sal and Steve, who
provided the solutions below. This is what I have done.
Both ways work:
A: Edit /etc/sysctl.conf. Then add the following lines:
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.default.proxy_arp = 1
B: Configure the Linux kernel to enable proxy ARP with the following:
echo 1 > /proc/sys/net/ipv4/conf/<if_name>/proxy_arp
<if_name> is the name of the external interface that will perform the
proxy arping.
Also, I have added the following:
1. manual NAT rules in both directions.
2. security rule (any to destination only in my case; no connection is
required to be initiated from the DMZ server)
3. ARP entry for the translated IP.
4. Specific route pointing the translated IP (public) to the DMZ server
IP (private)
All tested and working. Will do the cut-over tonight. My understanding is that
a successful connection requires either A or B plus all 4 items.
Also, does anyone know where I can get some material on a SecurePlatform/
Linux command reference as used above? Just in case, for the future.
Thanks again,
Phil
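The two proxy ARP methods above (sysctl.conf for persistence, /proc/sys for the running kernel) as one script, added here as an example and not taken from any message in the thread or from Check Point. It turns proxy ARP on for the named external interface only, persists the setting without leaving duplicate keys in sysctl.conf, and distinguishes "proxy ARP off" from "no such interface", which look the same from a quick cat of /proc/sys. The SYSCTL_CONF and PROC_SYS_ROOT overrides are an assumption for exercising the functions against scratch files without root; on the gateway the defaults apply.

```shell
#!/bin/sh
# Added example, not from the list thread: enable proxy ARP on one external
# interface of a SecurePlatform (Linux) gateway, live and persistently, and
# verify the result. Assumed/hypothetical: SYSCTL_CONF and PROC_SYS_ROOT are
# overridable so the functions can be exercised against scratch files without
# root; on a real gateway leave the defaults.
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# Print the interface's proxy_arp flag (1 on, 0 off). Returns 2 when the
# interface has no entry under net/ipv4/conf, i.e. the name is wrong or the
# interface is down, which is easy to confuse with "proxy ARP off".
proxy_arp_state() {
    f="$PROC_SYS_ROOT/net/ipv4/conf/$1/proxy_arp"
    [ -r "$f" ] || return 2
    cat "$f"
}

# Persist "key = value" in sysctl.conf exactly once: rewrite an existing line
# for the key, otherwise append. Hand-editing the file on every change tends
# to leave duplicate keys, and only the last one wins at boot.
sysctl_persist() {
    key="$1"; val="$2"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
    tmp="$SYSCTL_CONF.tmp.$$"
    [ -f "$SYSCTL_CONF" ] || : > "$SYSCTL_CONF"
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$SYSCTL_CONF"; then
        sed "s|^[[:space:]]*$esc[[:space:]]*=.*|$key = $val|" "$SYSCTL_CONF" > "$tmp"
        mv "$tmp" "$SYSCTL_CONF"
    else
        printf '%s = %s\n' "$key" "$val" >> "$SYSCTL_CONF"
    fi
}

# Number of lines in sysctl.conf that set the key; should be exactly 1.
sysctl_count() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -c "^[[:space:]]*$esc[[:space:]]*=" "$SYSCTL_CONF" || true
}

# Turn proxy ARP on for the named interface only. Scoping it to the external
# interface is deliberate: with net.ipv4.conf.all.proxy_arp = 1 the gateway
# answers ARP on every segment for any address it can route elsewhere,
# including on the internal and DMZ legs.
enable_proxy_arp() {
    ifn="$1"
    f="$PROC_SYS_ROOT/net/ipv4/conf/$ifn/proxy_arp"
    if [ ! -w "$f" ]; then
        echo "cannot write $f: wrong interface name, or not root" >&2
        return 1
    fi
    echo 1 > "$f"                                   # takes effect immediately
    sysctl_persist "net.ipv4.conf.$ifn.proxy_arp" 1 # survives reboot
    [ "$(proxy_arp_state "$ifn")" = 1 ]
}

# Usage on the gateway: sh proxy_arp.sh eth0
if [ $# -gt 0 ]; then
    enable_proxy_arp "$1"
fi
```

After running it on the gateway, the thread's own checks still apply: the translated address should show up in arp -an on the upstream router once a client has tried to reach it, and fw ctl arp shows only the entries the firewall itself manages, so a manual NAT address handled by the kernel's proxy ARP will not appear there even when it is working.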
-----Original Message-----
From: Previtera, Sal [mailto:Sal.Previtera AT WTH DOT ORG]
Sent: Thursday, 7 October 2004 11:26 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Proxy ARP not working with manual NAT with Secure
Platform NG AI R55
Have you tried this?
This will turn proxy ARP on for all interfaces on SPLAT:
Edit /etc/sysctl.conf
Then add the following lines:
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.default.proxy_arp = 1
You still have to add all the routes for the static NAT(s); if it is not
visible from the gateway's point of view, the next hop should be the router
interface.
Regards,
Sal.
-----Original Message-----
From: Phil Wang [mailto:philw AT ALLCOMNETWORKS.COM DOT AU]
Sent: Wednesday, October 06, 2004 6:42 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Proxy ARP not working with manual NAT with Secure
Platform NG AI R55
I have done both from the very beginning, destination client side and
automatic ARP configuration, but it does not seem to be working.
Cheers,
Phil
-----Original Message-----
From: William Iselin [mailto:William.Iselin AT INTEGRALIS DOT COM]
Sent: Wednesday, 6 October 2004 11:36 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Proxy ARP not working with manual NAT with Secure
Platform NG AI R55
You don't need to add manual ARP entries. Go into Global Properties ->
NAT and make sure the defaults are selected, which is all of them (but
'automatic ARP configuration' is what's important here). It will
create ARP entries for both automatic NAT and manual NAT.
HTH,
Bill
-----Original Message-----
From: Phil Wang [mailto:philw AT ALLCOMNETWORKS.COM DOT AU]
Sent: Wednesday, October 06, 2004 4:40 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Proxy ARP not working with manual NAT with Secure
Platform NG AI R55
Hi All,
I have installed NG AI R55 on SPLAT. I noticed that the f/w doesn't
respond for a manual NAT rule's IP address. I have the settings as follows:
f/w interfaces:
Ext: 202.x.x.1/27
Int: 192.168.1.1/24
DMZ: 10.10.1.1/24
Mail Server: 192.168.1.9
DMZ Server: 10.10.1.11
The requirements are:
1. nat mail server to 202.x.x.9 on SMTP port 25
2.1 nat DMZ server to 202.x.x.11 on HTTPS port 443
2.2 nat DMZ server to 202.x.x.21 on HTTPS port 443 with port redirection
to tcp port 442.
First I added three ARP entries for these 3 IP addresses respectively.
Then I created two automatic NAT rules for requirements 1 and 2.1 and one
manual NAT rule for 2.2. Both automatic rules are working fine, but it seems
the f/w is not responding to the ARP query for the manually NATed IP
202.x.x.21.
I see all ARP entries with the arp command but only see the two automatic
NATed ARP entries with fw ctl arp. Also, I went through some docs found
online and tried to add a specific route for 202.x.x.21 with gw 10.10.1.12.
Did not work either.
Another thing I tried is to use mapped HTTPS, and I found that if I use the
f/w address 202.x.x.1 instead of 202.x.x.21, it works. With
202.x.x.21 (and the ARP entry added in), no luck either.
I gather that SPLAT has some proxy ARP issues and needs an ARP entry and a
specific route added. Now it seems proxy ARP works only with automatic NAT
rules but not manual NAT rules. Has anyone seen this issue before?
Thanks,
Phil
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
Please note that:
1. This e-mail may constitute privileged information. If you are not the
intended recipient, you have received this confidential email and any
attachments transmitted with it in error and you must not disclose,
copy, circulate or in any other way use or rely on this information.
2. E-mails to and from the company are monitored for operational reasons
and in accordance with lawful business practices.
3. The contents of this email are those of the individual and do not
necessarily represent the views of the company.
4. The company does not conclude contracts by email and all negotiations
are subject to contract.
5. The company accepts no responsibility once an e-mail and any
attachments is sent.
http://www.integralis.com