Hi, Why should you declare an ARP entry for a network you don't have an interface connected with ??
The example was : Interface eth0: 200.50.1.2 Proxy ARP on this interface (eth0) but for IP: 200.0.0.1 If you want to NAT the 200.0.0.1, you can directly add the nat entry in the checkpoint rulebase. Any 200.0.0.1 any port nated to original nat_destination original port There won't be any arp request to 200.0.0.1. I'm using this config for some years without a problem. NF > -----Original Message----- > From: Mateo Cabrera - Security Advisor > [mailto:[EMAIL PROTECTED] > Sent: Tuesday, April 27, 2004 11:43 PM > To: [EMAIL PROTECTED] > Subject: Re: [FW-1] PROXY ARP, PROBLEM...!!! > > NO, you are not understanding to me... > I�ve clear the ARP concept, and how to configure it. > The problem is when i try to configure a ARP entry with a IP > which does not belong to IP range configured on this interface. > This does not work on NG version, However the same > configuration in 4.1 does work fine.... > > So long... > > > > Saludos, > > Mateo Cabrera - Soporte T�cnico > Security Advisor > Soluciones en seguridad inform�tica > Constituyente 1467 of. 802 > Tel/Fax: (598 2) 4004378 > 11200 Montevideo-Uruguay > > -----Mensaje original----- > De: Mailing list for discussion of Firewall-1 > [mailto:[EMAIL PROTECTED] nombre > de Shawn Behrens Enviado el: martes, 27 de abril de 2004 11:11 > Para: [EMAIL PROTECTED] > Asunto: Re: [FW-1] PROXY ARP, PROBLEM...!!! > > > > I want to create a PROXY ARP entry on a interface (e.g > eth0), but this > > IP belong to addresses NOT CONECTED DIRECTLY on this interface. > > Yeah, that's, hmm, an odd thing to want to do. > > > You understand to me? > > Sort of. I know what you wish to do, and I _think_ I know > why: You're slightly confused about ARP :). > > ARP is used to discover Layer-2 (MAC) addresses. Logically, > then, when you think about the way routing works, ARP is > necessary ONLY for addresses on the same subnet as the > client's address. Proxy ARP allows the firewall to respond to > an ARP request for an address it does not physically have, > usually used for NAT addresses that are in the same subnet as > the firewall's interface that the NATed traffic comes in on. > > If your NAT address is outside the firewall interface's > subnet, all that's needed is that the upstream router(s) know > to route this traffic to the firewall. Proxy ARPs are not necessary. > > Go and study Layer-2/Layer-3 addressing interaction some > more. It's an area oft overlooked, as it seems so basic, yet > a good understanding will do wonders for the clarity of your > network designs. > > > Regards > > Shawn Behrens > Senior Security Engineer > CCMSE CCSE CCNA CNE > > INTEGRALIS > Your Trusted Security Partner > > 111 Founders Plaza > 13th Floor > East Hartford, CT 06108 > USA > Tel: +1 860 291 0851 > Fax: +1 860 291 0847 > [EMAIL PROTECTED] > > www.integralis.com > > > > > -----Original Message----- > > From: Mateo Cabrera - Security Advisor > > [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, April 27, 2004 8:28 AM > > To: [EMAIL PROTECTED] > > Subject: [FW-1] PROXY ARP, PROBLEM...!!! > > > > Saludos, > > > > Mateo Cabrera - Soporte Tecnico > > Security Advisor > > Soluciones en seguridad informatica > > Constituyente 1467 of. 802 > > Tel/Fax: (598 2) 4004378 > > 11200 Montevideo-Uruguay > > > > ================================================= > > To set vacation, Out-Of-Office, or away messages, send an email to > > [EMAIL PROTECTED] > > in the BODY of the email add: > > set fw-1-mailinglist nomail > > ================================================= > > To unsubscribe from this mailing list, please see the > instructions at > > http://www.checkpoint.com/services/mailing.html > > ================================================= > > If you have any questions on how to change your > subscription options, > > email [EMAIL PROTECTED] > > ================================================= > > > > > Please note that: > > 1. This e-mail may constitute privileged information. If you > are not the intended recipient, you have received this > confidential email and any attachments transmitted with it in > error and you must not disclose, copy, circulate or in any > other way use or rely on this information. > 2. E-mails to and from the company are monitored for > operational reasons and in accordance with lawful business practices. > 3. The contents of this email are those of the individual and > do not necessarily represent the views of the company. > 4. The company does not conclude contracts by email and all > negotiations are subject to contract. > 5. The company accepts no responsibility once an e-mail and > any attachments is sent. > > http://www.integralis.com > > ================================================= > To set vacation, Out-Of-Office, or away messages, send an > email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your subscription > options, email [EMAIL PROTECTED] > ================================================= > > ================================================= > To set vacation, Out-Of-Office, or away messages, send an > email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your subscription > options, email [EMAIL PROTECTED] > ================================================= > > ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
