Random thoughts:
1/ Running fw monitor, what behaviour were you seeing with the auto
NAT not working? Do those NATs require proxy ARP entries in place?
When they were making external connections, was the traffic being
passed, without the source being NATted? Or was traffic not being
passed at all? Anything from tcpdump/fw monitor that was relevant?
What about changing to manual NAT rather than automatic NAT?
2/ After configuring the proxy ARP, did it show up properly in your
ARP tables? What about the upstream router? Was it getting the right
entry? Had its ARP cache been cleared since you replaced the firewall?
3/ Could be DNS-related. Do you have any DNS servers configured on
the R55 server? Are they reachable from the firewall?
On 31 Oct 2005, at 07:28, Alan Choyna wrote:
Hey people,
Just attempted to go live with a new SPLAT (on HP DL360) server
running NG AI R55 HFA09 which I had upgraded (using export/import)
from our Nokia IP440 running NG FP3. The management station and
gateway is on the same server (both old and new servers).
The pre-upgrade verifier gave the thumbs up, with no issues
highlighted (conflicting services on some minor ports being the
exception).
After doing the import, I added the routes, updated the ethernet
adapter names on the FW object, etc, and then manually modified the
$FWDIR/lib/base.def file to correct a high port FTP error one of
our other SPLAT NG AI R55 HFA09 servers had. I then looked over all
rules and objects to ensure all had migrated ok.
The swap over seemed to go very smoothly. VPN tunnels came up fine.
Rules seemed to be fine, remote users could VPN in fine, everything
except for 3 problems:
1) The 2 servers that were NAT'd to the outside world using
the automatic address translation were not able to access the
outside world, nor could the outside world access these 2 servers.
2) One server that had a proxy ARP address on the Nokia
Voyager interface on the FP3 box, could not be accessed, even after
doing the /etc/ethers & /etc/rc.local mods (very cumbersome) on the
R55 server.
3) The tracker interface was very slow updating log records,
sometimes showing up to 10 - 20 seconds after the request.
We even upgraded to HFA16, which resolved none of these issues.
Our Check Point support worked on these for 2 hours, trying to
assist us in solving them to no avail, so I was hoping one of you
gurus may have experienced at least one of these issues and could
hopefully shed some light.
The support guy said that the issue seemed to be with NAT not
working properly on the 2 servers with the automatic address
translation, yet working fine on other externally facing servers
which had manual NAT rules (with limited IPs at the site, we had
to expose multiple internal servers to 1 external IP using port
translation to get around it). He said that it reminded him of a
NAT issue encountered with FW1 3.0.
Any advice would be greatly appreciated. Thanks in advance.
Alan
Alan C. Choyna
Senior Consultant
Pathfinder Associates, LLC
http://www.pathfinderassoc.com
Internet Strategy Business Consultants
mailto:achoyna AT pathfinderassoc DOT com
Business telephone (312) 372-1058. Mobile (773) 255-6662
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================