All,
Windows NT has several known issues with its implementation of ARP. The most
important problem is the inability to hold permanent, manually entered
static ARP entries. No matter what switch is used, NT will not maintain persistent,
or permanent, ARP across a reboot. In fact, NT has been known to lose all
manually entered static ARP entries when it refreshes its dynamic ARP cache.
I have seen this with hundreds of NT routing and firewall installations.
Even with SP5 and "Steelhead" enabled this problem exists. The PUB command
switch is in most ARP implementations, however not in Windows NT. This
switch causes ARP tables to be published to your upstream routers to ensure
fast ARP resolution without need for an ARP broadcast.
Enabling IP forwarding is essential to ensure proper operation of most
firewalls with Windows NT. These same firewalls will insert NDIS WAN wrapper
patches to ensure that they control IP forwarding at all times, however, so
the security risk is greatly lessened, if not eliminated.
Ok, how do you get around the ARP problem? Well, there are two ways. One is
for your firewall to provide a method of making permanent local ARP entries.
FireWall-1 does this with its local.arp file, however this is known to fail
without warning due to Microsoft's poor ARP implementation.
The better way to do it is to set static host routes for the translated
addresses involved on the upstream router, and on the firewall itself. This
will not only work without problems, but it is significantly faster, and
this is what I recommend to all of my clients.
Christopher Dinsmore
MCSE CCSA CCSE
===========================
Netegrity Technical Support
781-890-1700
[EMAIL PROTECTED]
===========================
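A small checker that follows from the thread's advice, added here as an example and not code from any of the posters: it parses Windows `arp -a` output and reports whether the static entries you expect for your translated (NAT) addresses are actually present, correct, and marked static, so the "entry silently gone after a reboot or cache refresh" case is caught before traffic breaks. The sample output below is constructed for the example (the 206.99.98.50 / 08:00:20:76:ea:77 pair is the mapping used in Bill's command); the `expected_static` table and the `read_live_arp_table` helper are assumptions for illustration.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of Windows `arp -a` output, as it looks while the
# manually added static entry is still present (not captured from a real host).
SAMPLE_ARP_OUTPUT = """\
Interface: 206.99.98.49 on Interface 0x2
  Internet Address      Physical Address      Type
  206.99.98.1           00-10-7b-aa-bb-cc     dynamic
  206.99.98.50          08-00-20-76-ea-77     static
"""

# Constructed sample after the static entry has been dropped (the failure
# mode described in the thread): only the dynamic gateway entry remains.
SAMPLE_ARP_OUTPUT_AFTER_REBOOT = """\
Interface: 206.99.98.49 on Interface 0x2
  Internet Address      Physical Address      Type
  206.99.98.1           00-10-7b-aa-bb-cc     dynamic
"""

# One table row: IPv4 address, MAC with '-' (Windows) or ':' (Unix) separators, type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Lower-case and use ':' so Windows and Unix spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (mac, type) for every entry row; header/interface lines are skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, entry_type = m.groups()
            table[ip] = (normalize_mac(mac), entry_type.lower())
    return table


def check_static_entries(table: Dict[str, Tuple[str, str]],
                         expected: Dict[str, str]) -> List[str]:
    """Return one problem string per expected mapping that is missing, wrong, or not static."""
    problems: List[str] = []
    for ip, mac in expected.items():
        want = normalize_mac(mac)
        entry = table.get(ip)
        if entry is None:
            problems.append(f"{ip}: no ARP entry at all (static entry lost?)")
        elif entry[0] != want:
            problems.append(f"{ip}: maps to {entry[0]}, expected {want}")
        elif entry[1] != "static":
            problems.append(f"{ip}: present but type is '{entry[1]}', not static")
    return problems


def read_live_arp_table() -> Dict[str, Tuple[str, str]]:
    """Assumed helper: run `arp -a` on the local host and parse it (not used offline)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return parse_arp_table(out)


if __name__ == "__main__":
    # Assumed mapping for the firewall's translated address (illustrative values).
    expected_static = {"206.99.98.50": "08:00:20:76:ea:77"}
    for label, sample in (("before reboot", SAMPLE_ARP_OUTPUT),
                          ("after reboot", SAMPLE_ARP_OUTPUT_AFTER_REBOOT)):
        problems = check_static_entries(parse_arp_table(sample), expected_static)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it from a scheduled task (or by hand after a reboot) with `read_live_arp_table()` in place of the samples; a non-empty problem list is the signal to re-add the entry or, as Christopher suggests, to replace the ARP dependency with static host routes on the upstream router and the firewall.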
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bill Husler
Sent: Saturday, October 30, 1999 1:43 PM
To: Jean Morissette
Cc: firewalls@lists.gnac.net
Subject: Re: arp problems
Did you include the keyword "pub" on your arp command?
arp -s 206.99.98.50 08:00:20:76:ea:77 pub
I'm not an NT expert, but I think I have been told that this is what makes
it persistent.
Bill
Jean Morissette wrote:
> I have a NT based fw and I added a second IP address to the network
> interface card (public interface of the FW), this IP address corresponds
> to a NAT address (setup on the fw config.).
>
> My problem is when I do arp -a I do not see the IP address matching the
> MAC ID of the NIC. I add it statically (I thought that would be permanent)
> and it works fine. When I reboot the ARP entry is gone? Normal on NT?
>
> Is it normal that on NT based fw, I have to enable routing at the OS level
> for NAT to work?
>
> Thanks
> Jean Morissette
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]