Just my 2 cents, but anytime I have ever had to change anything on ANY of
the interfaces on our IP380, I've had to reboot the device because the ARP
table doesn't seem to match up correctly.  Even if I unplug a switch that’s
directly connected to a single interface on it, I have to reboot the 380.
This is always a last step in any kind of work I've done to my setup.
Luckily it's rare.  Anyway, I assume you haven't tried to reboot the FW yet
as it's not mentioned anywhere.

-Lyle

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of heinz zerbes
Sent: Wednesday, December 01, 2004 6:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] weird ipso problem

On Wed, 2004-12-01 at 22:49, Joao Santos wrote:
> Hi. Had to do it. The firewall is not the default gateway for the LAN
> and I don't have control over the default gateway (another router). So
> to make things easier I decided it was best to have the firewall
> answer the IP address and use NAT.
>
> Here is the deal:
>
> My LAN is 192.168.2.0, DMZ is 10.1.2.0. Firewall LAN IP is
> 192.168.2.190 at interface eth-s1p2c0 and DMZ is 10.1.2.10 at
> interface eth3c0. I moved the router in question from the LAN address
> 192.168.2.95 to the DMZ address 10.1.2.7.
>
> It was working ok for my LAN, but the default gateway 192.168.2.1
> wouldn't do ARP to get the new MAC address, so I decided to roll
> back.

It's still a bit confusing what you actually did and how you "rolled it
back" so I can only guess...

192.168.2.1 is the default gw for the LAN? Your fw's IF is the .190 in that
subnet? Is there a third or a fourth network connected? Did you triple check
the netmasks? What routers are you using, Cisco, D-Link, Extreme? Try to get
the router admin to check its arp table right after your test.

What exactly was working ok for your LAN and what wasn't working?

You moved the router with the IP 192.168.2.95 to the DMZ, which is the
10.2.1 network and then wanted the FW to answer for the original address
192.168.2.95 on eth-s1p2c0 and NAT that one into your DMZ on eth3c0?

What was your NAT rule here? Orig-Src, Orig-Dst, translated-src,
translated-dst? Basically, you can't move a router to a different IF, and
expect the FW to answer requests for this IP and at the same time NAT just
those packets to the router... You would either have to change the IP
address of the router or the gw address that the FW should DST-NAT towards
the router.

192.168.2.1 will arp for the MAC address once its internal MAC cache has
expired, which is usually around one minute.

However, the FW would have to respond to it with a static proxy ARP entry.
It's surely not a supported setup and might cause other sorts of problems
down the track. You would also have to set a static host route on the fw for
the router that you moved, pointing to your DMZ-IF.

>
> Problem is.. when I do netstat -r, the firewall shows the router IP as
> 192.168.2.95 with the correct MAC address but at the eth3c0 interface,
> as if it were in the DMZ.

netstat -r doesn't give you a MAC address...

The same arp cache expiration applies for the fw. You can delete an arp
entry manually with

arp -d

if needed.

>
> This means that my LAN and the default gateway (which leads to a WAN)
> can access this router no problem, but whatever is "routed" through my
> firewall won't work. Even the firewall itself can't ping the
> 192.168.2.95 IP.

Isn't this address 192.168.2.95 the one you wanted to NAT (as Orig-DST)?
Then the firewall is not broadcasting for its MAC but expects other machines
to try and access it.

>
> Any suggestions? Should I do a route flush or restart the firewall?

A route flush will remove all entries from your routing table and set up
just the routes for the directly connected networks. This rarely helps.

A reboot definitely helps you to have a somewhat "clean" starting point
again, but don't expect your entangled setup to all of a sudden "work".



Good luck,
heinz
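Added example, not from any of the posts above: a small Python check for the symptom Joao describes, an ARP entry for 192.168.2.95 learned on eth3c0 although that address belongs to the 192.168.2.0 LAN behind eth-s1p2c0. It parses BSD-style `arp -an` output (IPSO is BSD-derived, but the exact line layout is an assumption and the sample output below is constructed, not captured from the IP380), flags entries whose IP does not fall inside the subnet configured on the interface they were learned on, lists MACs that answer for more than one IP, and prints the `arp -d` commands heinz mentions for just those entries as an alternative to rebooting. The /24 netmasks are assumed; the thread never states them.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Interface -> directly connected network, from the addresses in the thread:
# eth-s1p2c0 carries the LAN (fw address 192.168.2.190), eth3c0 the DMZ
# (fw address 10.1.2.10).  The /24 masks are an assumption; the posts never
# state the netmasks, which is exactly why heinz asks about them.
IFACE_NETWORKS: Dict[str, ipaddress.IPv4Network] = {
    "eth-s1p2c0": ipaddress.IPv4Network("192.168.2.0/24"),
    "eth3c0": ipaddress.IPv4Network("10.1.2.0/24"),
}

# Constructed sample of BSD-style `arp -an` output (IPSO is BSD-derived, but
# the column layout here is an assumption, not a capture from the IP380).
# The second line is the bad entry from the thread: the router's old LAN
# address, still resolving to its MAC, but learned on the DMZ interface.
SAMPLE_ARP_OUTPUT = """\
? (192.168.2.1) at 00:0a:0b:0c:0d:01 on eth-s1p2c0 [ethernet]
? (192.168.2.95) at 00:0a:0b:0c:0d:95 on eth3c0 [ethernet]
? (10.1.2.7) at 00:0a:0b:0c:0d:95 on eth3c0 [ethernet]
? (10.1.2.20) at (incomplete) on eth3c0 [ethernet]
"""

ArpEntry = Tuple[str, str, str]  # (ip, mac, interface)

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}|\(incomplete\)) "
    r"on (?P<iface>\S+)"
)


def parse_arp(output: str) -> List[ArpEntry]:
    """Parse `arp -an` lines; unresolved entries keep mac == '(incomplete)'."""
    entries: List[ArpEntry] = []
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("iface")))
    return entries


def find_misplaced_entries(entries: List[ArpEntry],
                           iface_networks: Dict[str, ipaddress.IPv4Network]) -> List[ArpEntry]:
    """Entries whose IP lies outside the subnet configured on the interface the
    MAC was learned on.  A healthy table has none of these unless proxy ARP is
    deliberately in play; after moving a host between segments they are stale."""
    misplaced: List[ArpEntry] = []
    for ip, mac, iface in entries:
        net = iface_networks.get(iface)
        if net is not None and ipaddress.IPv4Address(ip) not in net:
            misplaced.append((ip, mac, iface))
    return misplaced


def find_shared_macs(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP.  Expected when a host was
    renumbered and the old entry is still cached (the case in the thread), or
    when a box proxy-ARPs for others; either way it deserves a look."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac, _iface in entries:
        if mac != "(incomplete)":
            by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def flush_commands(misplaced: List[ArpEntry]) -> List[str]:
    """Clear only the suspect entries instead of rebooting the firewall.
    `arp -d <host>` is the form heinz gives; no further flags are assumed."""
    return [f"arp -d {ip}" for ip, _mac, _iface in misplaced]


if __name__ == "__main__":
    found = parse_arp(SAMPLE_ARP_OUTPUT)
    bad = find_misplaced_entries(found, IFACE_NETWORKS)
    for ip, mac, iface in bad:
        print(f"stale/misplaced: {ip} ({mac}) learned on {iface}")
    for mac, ips in find_shared_macs(found).items():
        print(f"{mac} answers for {', '.join(ips)}")
    for cmd in flush_commands(bad):
        print(cmd)
```

On the real box you would feed it the live `arp -an` output instead of the sample string, and fill IFACE_NETWORKS from the actual interface configuration (masks included, since a wrong netmask produces the same "wrong interface" picture as a stale entry).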

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[EMAIL PROTECTED]
=================================================