Hi,

Use the arp -a command to make sure local.arp is working.
Use arp -s to manually add a static entry instead of local.arp to test.
Stop/start your FW after any change.
If you use Notepad to create local.arp it will cause problems. Use DOS
edit, or create it on a Unix platform and then copy it to your FW.
Note that for NT the form of the MAC address is XX:XX:XX:XX

regards
Hoang Ha

-----Original Message-----
From: Michael Efrusy <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Date: Wed, 7 Feb 2001 10:40:39 -0500
Subject: static nat

>Hi all,
>I am having a strange problem when attempting to run static NAT.  We
>have a Checkpoint FW1 ver. 4.1 running on an NT server (SP 6).  This is
>connected on the inside to a Cisco 2900 switch and on the outside to a
>router owned by the ISP (via a hub).  On the inside network we are
>hiding NAT addresses of 10.0.0.0/24 with the firewall address of
>xxx.xxx.xxx.3.  This works fine.
>However we also have several servers which I would like to put inside
>the network temporarily until we can get DMZs set up for them.  These
>servers need to have static addresses as they need to be reached from
>the outside.
>I have set up static routes to them on the firewall box (using the
>route add command) and these show up fine when I do a route print
>command.  I have also added a local.arp file to the
>/winnt/fw1/4.1/state folder using the syntax (translated_address
>MAC_ADDRESS_OF_EXTERNAL_FIREWALL_INTERFACE).  I then started and
>restopped the service, and installed rules allowing communication
>between the relevant IP addresses.
>The problem is that I am not able to connect, either from the internal
>computer to the outside, or from the outside to the internal computer.
>I set up a sniffer between the ISP router and the firewall, and did a
>ping from outside the network to the internal computer, and the ARP
>packet was translated fine, and an ICMP packet was sent out, but this
>packet was not received by the internal computer (I had a sniffer set
>up there too).  When pinging from the outside, the packet was not sent
>by the external interface of the firewall.  Is there some sort of rule
>that needs to be added that I am missing?  I am at a loss.  Thanks in
>advance.
>
>Michael Efrusy
>[EMAIL PROTECTED]
>646-674-2045
>
>

