Hi all,

I believe what you are seeing is called "proxy ARP".  Unix and MS handle
this differently.  The firewall will proxy ARP for the client on the inside
of the firewall.  This means that you must tell the firewall that when the
router does a broadcast for the ARP of a virtual IP to answer with its own
MAC address.  This is what provides the connectivity on a Checkpoint
firewall for internal static NAT clients.

This is because Checkpoint does not use "native" MS/Unix ware for publishing
these IPs.  In other words you don't add an address to the Unix/NT boxes
with your standard system commands.  Consequently, you must tell the
firewall explicitly to do this functionality via Unix (route add / arp -s)
commands with a startup script.  In NT you must add static routes and create
the local.arp file.  In addition with NT, because it doesn't handle proxy
ARP very well you must route the packets directly to the outside interface
of the firewall, i.e. a host route on your router routing the outside virtual IP
to the outside "real" address of the firewall interface.

You don't see this with other firewalls, such as Gauntlet for NT, as you add
virtual IPs using Network Neighbourhood, so NT handles the proxy ARP for
you without any additional config.

Hope this helps,

ciaron

-----Original Message-----
From: Mark Odette II
To: [EMAIL PROTECTED]
Sent: 12/15/01 6:19 PM
Subject: RE: incomplete ARP table - one for the X files [7:29283]

Is the CP FW a NT box, a Sun Box, or a Nokia Appliance?

A way to confirm that it is the Firewall itself, and not the routing
functionality of the platform: shut down CP with the option to allow IP
forwarding while the Firewall is down.

If you then get full two-way connectivity and communication, I would say
it's a FW rule, or CP bug that needs to be addressed by updating CP with
the most current Service Pack.


I used to manage a network that used NT as the platform, and then the Nokia
Appliance as the platform with a couple of Sun boxes (also running as
Firewalls) mixed in, and I never had any problems doing what you're
describing.  It was always just a matter of making sure you had your rules
straight.

IPSO and NT (the Operating Systems) were pretty solid as far as IP
forwarding was concerned.
If you are running CP on a Sun box, you might want to verify its routing
table.... That's a more complicated bear, if you don't understand how to
configure the network parameters on a Sun box...(it took me a couple of
hours and re-reading the man pages to finally figure out that problem
:))

HTHs
Mark Odette II
StellarConnection Services

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Tim Begley
Sent: Saturday, December 15, 2001 5:32 AM
To: [EMAIL PROTECTED]
Subject: incomplete ARP table - one for the X files [7:29283]


Hi - I've come across something strange (strange to me anyway) when deploying
a router on a LAN segment with a Checkpoint FW. I can 'fix' the problem but I
have no idea what is causing it. If somebody could enlighten me I'd
appreciate it.

The scenario is:

There is a 1720 that has a static route configured to route a particular
subnet or address via the address of the Checkpoint FW interface on that LAN
segment (very complicated stuff I know but stay with me ;-) ).

Now this is where the funny business starts - you attempt to get end to end
connectivity to the host you are trying to get to on the other side of the
Checkpoint and it won't work.

1. Do a debug ip packet detail and you get encapsulation failed...

2. Look at the ARP table on the 1720 and there are 2 complete ARP entries -
1 for fe0 and 1 for the Checkpoint. THERE IS ALSO AN INCOMPLETE ENTRY FOR
THE HOST ON THE OTHER SIDE OF THE FIREWALL (which of course is on a
different subnet).

3. Scratch head and frown

4. Try a static ARP entry mapping the IP address of the host on the other
side of the firewall to the MAC address of the firewall and presto it
works!

I've run into this situation a few times now and there is always a
Checkpoint involved so I'm guessing that it may have something to do with
the routing capability of the Checkpoint?

I know that this is a cisco discussion group but I think this is still
fairly relevant.

Any advice much appreciated - Tim
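As an added example (not posted by anyone in this thread), here is a small check for the symptom Tim describes in step 2: it parses IOS `show ip arp` output and flags INCOMPLETE entries whose address lies outside the interface's subnet, which is exactly the address the firewall would have to proxy-ARP for (ciaron's explanation) or that needs a static ARP/host route. The ARP output and the interface subnet are constructed sample data.

```python
import ipaddress
import re

# Constructed sample of Cisco IOS "show ip arp" output (not from the thread):
# the router's own FE0 address, the Checkpoint's inside interface, and an
# INCOMPLETE entry for the host that lives behind the firewall.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0010.7b3a.1c01  ARPA   FastEthernet0
Internet  192.168.10.254          2   00a0.c9d1.2e3f  ARPA   FastEthernet0
Internet  172.16.5.20             0   Incomplete      ARPA
"""

# Assumed operator-supplied map of IOS interface name -> local subnet.
INTERFACE_SUBNETS = {"FastEthernet0": ipaddress.ip_network("192.168.10.0/24")}

# One "Internet" row; the Interface column is empty for incomplete entries.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<hw>\S+)\s+(?P<type>\S+)(?:\s+(?P<intf>\S+))?\s*$"
)


def parse_show_ip_arp(text):
    """Return one dict per ARP row; Incomplete entries get hw=None."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header or unrelated line
        hw = None if m.group("hw").lower() == "incomplete" else m.group("hw")
        entries.append({"addr": m.group("addr"), "hw": hw, "intf": m.group("intf")})
    return entries


def find_offsubnet_incomplete(entries, subnets):
    """Addresses the router is ARPing for that no local subnet contains.

    Such an entry means the router treats an off-segment host as directly
    connected, so either the firewall must answer (proxy ARP) or the
    route / ARP entry has to be pinned statically, as in Tim's step 4."""
    flagged = []
    for e in entries:
        if e["hw"] is not None:
            continue
        ip = ipaddress.ip_address(e["addr"])
        if not any(ip in net for net in subnets.values()):
            flagged.append(e["addr"])
    return flagged
```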

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29299&t=29283
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]