Is the CP FW a NT box, a Sun Box, or a Nokia Appliance?

A way to confirm that it is the Firewall itself, and not the routing
functionality of the platform, is to shut down CP with the option to allow IP
forwarding while the Firewall is down.

If you then get full two-way connectivity and communication, I would say
it's a FW rule, or CP bug that needs to be addressed with updating CP with
the most current Service Pack.


I used to manage a network that used NT as the platform, and then the Nokia
Appliance as the platform with a couple of Sun boxes (also running as
Firewalls) mixed in, and I never had any problems doing what you're
describing. It was always just a matter of making sure you had your rules
straight.

IPSO and NT (the Operating Systems) were pretty solid as far as IP
forwarding was concerned.
If you are running CP on a Sun box, you might want to verify its routing
table.... That's a more complicated bear, if you don't understand how to
configure the network parameters on a Sun box...(it took me a couple of
hours and re-reading the man pages to finally figure out that problem :))

HTHs
Mark Odette II
StellarConnection Services

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Tim Begley
Sent: Saturday, December 15, 2001 5:32 AM
To: [EMAIL PROTECTED]
Subject: incomplete ARP table - one for the X files [7:29283]


Hi - I've come across something strange (strange to me anyway) when deploying
a router on a LAN segment with a Checkpoint fw. I can 'fix' the problem but I
have no idea what is causing it. If somebody could enlighten me I'd
appreciate it.

The scenario is:

There is a 1720 that has a static route configured to route a particular
subnet or address via the address of the checkpoint fw interface on that lan
segment (very complicated stuff I know but stay with me ;-) ).

Now this is where the funny business starts - you attempt to get end to end
connectivity to the host you are trying to get to on the other side of the
Checkpoint and it won't work.

1. Do a debug ip packet detail and you get encapsulation failed...

2. Look at the arp table on the 1720 and there are 2 complete arp entries -
1 for fe0 and 1 for the checkpoint. THERE IS ALSO AN INCOMPLETE ENTRY FOR
THE HOST ON THE OTHER SIDE OF THE FIREWALL (which of course is on a
different subnet).

3. Scratch head and frown

4. Try a static arp entry mapping the ip address of the host on the other
side of the firewall to the MAC address of the firewall and presto it works!

I've run into this situation a few times now and there is always a
Checkpoint involved, so I'm guessing that it may have something to do with
the routing capability of the Checkpoint?

I know that this is a cisco discussion group but I think this is still
fairly relevant.

Any advice much appreciated - Tim
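A small check for the symptom in Tim's step 2, added here as an example and not part of either message: it parses `show ip arp` output (a constructed sample with made-up addresses) and flags Incomplete entries whose address is off the interface's subnet, since the router ARPing directly for a far-side host is exactly what the static ARP entry in step 4 papers over. The interface prefix is passed in as an assumption because `show ip arp` does not print the mask.

```python
import ipaddress
import re

# Constructed sample of Cisco "show ip arp" output on the 1720's fe0, modelled
# on the post: the router's own entry, the firewall's entry, and an Incomplete
# entry for a host that lives on the far side of the firewall. Addresses are
# made up.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0001.9635.3b4c  ARPA   FastEthernet0
Internet  192.168.10.254          3   0003.e3a4.1f00  ARPA   FastEthernet0
Internet  10.20.30.40             0   Incomplete      ARPA
"""

# One "Internet" row; the Interface column is absent on Incomplete entries.
LINE_RE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<hw>\S+)\s+(?P<type>\S+)"
    r"(?:\s+(?P<intf>\S+))?\s*$"
)


def parse_arp(output):
    """Return a list of dicts, one per 'Internet' row of show ip arp."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def off_link_incomplete(output, local_prefix):
    """Return the IPs of Incomplete ARP entries outside local_prefix.

    An Incomplete entry for an address that is not on the interface's own
    subnet means the router is trying to resolve a remote host directly on
    the LAN rather than resolving its next hop; packets to that host then
    fail with 'encapsulation failed' in debug ip packet.
    """
    net = ipaddress.ip_network(local_prefix, strict=False)
    flagged = []
    for row in parse_arp(output):
        if row["hw"].lower() != "incomplete":
            continue
        if ipaddress.ip_address(row["ip"]) not in net:
            flagged.append(row["ip"])
    return flagged
```

Run it against the real `show ip arp` text of the interface in question; any address it returns is one the router should be reaching through a next-hop, not directly.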




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29296&t=29283