I'll try to make things clearer, then.

On Thu, 2 Dec 2004 01:44:45 +1100, heinz zerbes <[EMAIL PROTECTED]> wrote:
> On Wed, 2004-12-01 at 22:49, Joao Santos wrote:
>
>
> > Hi. Had to do it. The firewall is not the default gateway for the LAN
> > and I don't have control over the default gateway (another router). So
> > to make things easier I decided it was best to have the firewall
> > answer the IP address and use NAT.
> >
> > Here is the deal:
> >
> > My LAN is 192.168.2.0, DMZ is 10.1.2.0.
> > Firewall LAN IP is 192.168.2.190 at interface eth-s1p2c0 and DMZ is
> > 10.1.2.10 at interface eth3c0.
> > Moved the router in question from the LAN address 192.168.2.95 to DMZ
> > address 10.1.2.7.
> >
> > It was working OK for my LAN, but the default gateway 192.168.2.1
> > wouldn't do ARP to get the new MAC address, then I decided to
> > roll back.
>
> It's still a bit confusing what you actually did and how you "rolled it
> back" so I can only guess...
>
The plan was to move the 192.168.2.95 router to a DMZ port on the
firewall, thus giving it the 10.1.2.7 IP address. The rollback was to
move it back to the 192.168 network and remove the NAT and proxy arp
rules on the firewall.

> 192.168.2.1 is the default gw for the LAN? Your fw's IF is the .190 in
> that subnet? Is there a third or a fourth network connected? Did you
> triple check the netmasks? What routers are you using, Cisco, D-Link,
> Extreme? Try to get the router admin to check its arp table right after
> your test.

Correct. Correct again. There are more networks but they are not
involved in this. Netmasks are correct. Class C. All cisco routers.
The 192.168.2.95 is a 1720 and the 192.168.2.1 (the one I don't have
control) is a 7206. I'll try this again tomorrow and this time will
have the router admin helping us.
>
> What exactly was working ok for your LAN and what wasn't working?
>
Access to the IP addresses behind the moved router was OK if done from
my LAN, meaning proxy ARP and NAT were working OK. I had to roll back
because the default gateway, the one that leads to other networks,
would not get the new address.

> You moved the router with the IP 192.168.2.95 to the DMZ, which is the
> 10.2.1 network and then wanted the FW to answer for the original address
> 192.168.2.95 on eth-s1p2c0 and NAT that one into your DMZ on eth3c0?

Yes. That's exactly what I did.
>
> What was your NAT rule here? Orig-Src, Orig-Dst, translated-src,
> translated-dst ? Basically, you can't move a router to a different IF,
> and expect the FW to answer requests for this IP and at the same time
> NAT just those packets to the router... You would either have to change
> the IP address of the router or the gw address that the FW should
> DST-NAT towards the router.

I did an automatic static NAT.
>
> 192.168.2.1 will arp for the MAC address once its internal MAC cache has
> expired, which is usually around one minute.

I waited for 10 minutes or so.
>
> However, the FW would have to respond to it with a static proxy ARP
> entry. It's surely not a supported setup and might cause other sorts of
> problems down the track. You would also have to set a static host route
> on the fw for the router that you moved, pointing to your DMZ-IF.
>
I did both. It was working because I had NORMAL access from my LAN
(192.168.2.0); other networks, accessing through 192.168.2.1, would not
work.
> >
> > Problem is.. when I do netstat -r the firewall shows the router IP as
> > 192.168.2.95 with the correct MAC address but at eth3c0 interface,
> > like it was in the DMZ.
>
> netstat -r doesn't give you a MAC address...

It does give me the MAC address. Here it is:

brmtlb01[admin]# netstat -r | grep 192.168.2.95
10.39.186.22      192.168.2.95      CU          0        0         eth3c0
10.39.186.23      192.168.2.95      CU          0        0         eth3c0
10.39.186.24      192.168.2.95      CU          0        0         eth3c0
10.39.186.25      192.168.2.95      CU          0        0         eth3c0
10.39.186.224/31  192.168.2.95      CU          0        0         eth3c0
10.39.190.136/29  192.168.2.95      CU          0        0         eth3c0
10.39.190.144/28  192.168.2.95      CU          0        0         eth3c0
192.168.2.95      0:9:43:90:eb:cb    CGU         0        0         eth3c0

The 10.39 networks are the ones I access through this router.
>
> The same arp cache expiration applies for the fw. You can delete an arp
> entry manually with
>
> arp -d
>
> if needed.

As it applies to my workstation.
>
> >
> > This means that my lan and the default gateway (which leads to a WAN)
> > can access this router no problem, but whatever is "routed" thru my
> > firewall won't work. Even the firewall itself can't ping the
> > 192.168.2.95 IP.
>
> Isn't this address 192.168.2.95 the one you wanted to NAT (as Orig-DST)?
> Then the firewall is not broadcasting for its MAC but expects other
> machines to try and access it.
>
> >
> > Any suggestions? Should I do a route flush or restart the firewall?
>
> A route flush will remove all entries from your routing table and sets
> up just the routes for the directly connected networks. This rarely
> helps.
>
> A reboot definitely helps you to have a somewhat "clean" starting point
> again, but don't expect your entangled setup to all of sudden "work".
>
> Good luck,
> heinz
>

Heinz, my problem is that AFTER I moved the router back to the LAN the
firewall is expecting it on the DMZ interface. This will NEVER work
because it is mapping the router 192.168.2.95 to the DMZ interface as
shown on the netstat -r above.

I'd like to have the firewall mapping the 192.168.2.95 IP to the
correct interface.


My setup did work for the most part (as I said on the first e-mail the
only problem was the default gateway for the workstations not getting
the new mac address). It's not exactly entangled.

Thanks,

 João.
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>

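A quick check for the stale-entry problem described in this message (an added example, not part of the thread and not Check Point or IPSO code): it parses netstat -r style output and flags entries whose next hop sits in a directly connected subnet but is bound to a different interface than that subnet's, which is exactly what the 192.168.2.95 line above shows once the router was moved back to the LAN. The interface-to-subnet map and the sample output are taken from the thread; the arp/route remediation commands are assumed generic BSD-style syntax and should be verified on the actual platform before use.

```python
import ipaddress
import re

# Interface-to-subnet map as stated in the thread. This is an assumption
# about the box; build it from `ifconfig -a` on a real system.
CONNECTED = {
    "eth-s1p2c0": ipaddress.ip_network("192.168.2.0/24"),
    "eth3c0": ipaddress.ip_network("10.1.2.0/24"),
}

# Constructed sample modelled on the `netstat -r | grep 192.168.2.95`
# output quoted in the post (destination, gateway, flags, refs, use, iface).
SAMPLE_NETSTAT = """\
10.39.186.22      192.168.2.95      CU          0        0         eth3c0
10.39.186.23      192.168.2.95      CU          0        0         eth3c0
10.39.186.224/31  192.168.2.95      CU          0        0         eth3c0
10.39.190.136/29  192.168.2.95      CU          0        0         eth3c0
192.168.2.95      0:9:43:90:eb:cb    CGU         0        0         eth3c0
"""

# A gateway column holding a MAC address marks an ARP-derived (cloned) host route.
MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)


def parse_routes(text):
    """Parse BSD-style `netstat -r` lines into (dest, gateway, flags, iface)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # header, blank line or unexpected layout
        rows.append((fields[0], fields[1], fields[2], fields[-1]))
    return rows


def _as_network(dest):
    try:
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None  # e.g. "default"


def find_stale_entries(text, connected=CONNECTED):
    """Return route entries bound to the wrong interface for their next hop.

    For an ARP-derived host route (MAC in the gateway column) the destination
    itself is the next hop; for an ordinary route it is the gateway IP. Either
    way, if that address lies in a directly connected subnet but the entry is
    bound to another interface, the entry is stale (left over from the move).
    """
    stale = []
    for dest, gw, flags, iface in parse_routes(text):
        if MAC_RE.match(gw):
            net = _as_network(dest)
            probe = net.network_address if net else None
        else:
            try:
                probe = ipaddress.ip_address(gw)
            except ValueError:
                probe = None
        if probe is None:
            continue
        for expected_iface, subnet in connected.items():
            if probe in subnet and iface != expected_iface:
                stale.append({"dest": dest, "gateway": gw, "flags": flags,
                              "iface": iface, "expected": expected_iface})
                break
    return stale


def remediation(entry):
    """Commands to clear one stale entry (assumed BSD-style syntax)."""
    if MAC_RE.match(entry["gateway"]):
        # Drop the ARP entry and the cloned host route it produced.
        return [f"arp -d {entry['dest']}", f"route delete {entry['dest']}"]
    return [f"route delete {entry['dest']} {entry['gateway']}"]


if __name__ == "__main__":
    for e in find_stale_entries(SAMPLE_NETSTAT):
        print(f"{e['dest']:18} via {e['gateway']:18} on {e['iface']} "
              f"(expected {e['expected']}): " + "; ".join(remediation(e)))
```

Run it against the real netstat -r output (pipe it in instead of the constructed sample) after any interface move: every line it prints is an entry the kernel will keep using until it is deleted or expires, regardless of where the host physically sits now.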