-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Chontzopoulos Dimitris
Sent: Wednesday, March 30, 2005 6:12 AM
To: [email protected]
Subject: Re: [FW-1] Advanced (yeah, right) NAT question


!!!ISSUE RESOLVED!!!

What I did was to un-check "Automatic ARP Configuration" and keep the other
settings "NAT on Client Side" checked at both Automatic NAT and Manual NAT
Configuration, and then, I moved the file I created earlier (local.arp) to
the CONF directory instead of the STATE directory. After that, I
re-installed the policy and re-booted both the Management Server AND the
Enforcement Modules. I also created the appropriate Static Routes.

Everything is working as expected now, that is, I've got Automatic NAT Rules
(don't you just love them?), Manual NAT Rules as I see fit, AND, Manual
Proxy ARP!!!

I found out that you need to put local.arp in the CONF directory instead of
the STATE directory in CP NG, from AERASEC.de... No matter how I searched in
SecureKnowledge, I found NOTHING WHAT-SO-EVER!!!

Big thanks to everyone.

Cheers,


Dimitris

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Chontzopoulos Dimitris
Sent: Wednesday, March 30, 2005 12:15 PM
To: [email protected]
Subject: Re: [FW-1] Advanced (yeah, right) NAT question


The thing is that arp isn't working on Win2K...

What I want to do is:

01. Configure automatic NAT rules and some manual NAT rules as I see fit
(that can be done)
02. Configure MANUAL ARP by using local.arp as I used to do in CP2000 v4.1

I've created local.arp inside the STATE directory of the firewall, but IT IS
NOT working and I'm going insane. I had NO problems at all when I was using
CP2000 v4.1. I believe that the format of the file is correct (using
Notepad, I created the file, then I edited it with WordPad and its format
is IP-Address <space> MAC_Address_of_Firewall_Interface). I also unchecked
in Policy, Global Properties "Automatic ARP Configuration", I bounced the
Management Server AND the Firewall Module (different Server), I re-installed
the policy, BUT, local.arp DOESN'T seem to be working...

Please, I'm going insane here. Has anyone seen this before? Can someone tell
me what the complete and correct procedure is to configure automatic NAT and
Manual NAT (as I see fit) AND Manual ARP configuration?

Please, I need your help.

Cheers,


Dimitris
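
A check for the local.arp file discussed in this thread (one entry per line: IP address, a space, the MAC address of the firewall interface), as an added example that is not part of the original messages and not Check Point code. The function name `check_local_arp`, the accepted MAC notations (colon or hyphen separated) and the sample MAC addresses are assumptions; it also flags RTF or Unicode output, which WordPad and Notepad can produce instead of plain text.

```python
import ipaddress
import re

# Assumption: six hex octets joined by one consistent separator (":" or "-").
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def check_local_arp(raw: bytes, expected_ips=()):
    """Return (entries, problems) for the raw bytes of a local.arp file."""
    problems = []
    if raw.startswith(b"{\\rtf"):
        return {}, ["file is RTF (saved as Rich Text), not plain text"]
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return {}, ["file is UTF-16 (saved as Unicode), not plain ASCII"]
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark before the first entry")
        raw = raw[3:]
    entries = {}
    for n, line in enumerate(raw.decode("ascii", "replace").splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append(f"line {n}: expected 2 fields, found {len(fields)}")
            continue
        ip, mac = fields
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {n}: bad IPv4 address {ip!r}")
            continue
        if not MAC_RE.match(mac):
            problems.append(f"line {n}: bad MAC address {mac!r}")
            continue
        if ip in entries:
            problems.append(f"line {n}: duplicate entry for {ip}")
        entries[ip] = mac.lower()
    # Every translated address needs an entry, or nothing answers ARP for it.
    for ip in expected_ips:
        if ip not in entries:
            problems.append(f"no proxy ARP entry for NAT address {ip}")
    return entries, problems

# Constructed sample: NAT addresses from the thread, made-up MAC addresses.
NAT_IPS = ["192.168.69.100", "172.16.26.100", "172.16.27.100"]
SAMPLE = (b"192.168.69.100 00:11:22:33:44:01\r\n"
          b"172.16.26.100 00:11:22:33:44:2\r\n"
          b"172.16.27.100\r\n")

if __name__ == "__main__":
    entries, problems = check_local_arp(SAMPLE, NAT_IPS)
    print(entries)
    print("\n".join(problems))
```
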

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Erik
Ahlström
Sent: Wednesday, March 30, 2005 10:30 AM
To: [email protected]
Subject: Re: [FW-1] Advanced (yeah, right) NAT question


I can't see that this should be any problem at all on Linux/Splat, and also
don't think it should be any problem to do this on Windows.

But you have to configure this with manual NAT rules as you say and also
manual proxy ARP.

I'm not very windows friendly... but I guess that if you run "arp" without
options you get some examples to configure a static arp entry.

Regards, Erik

On Wed, 2005-03-30 at 02:09 +0300, Chontzopoulos Dimitris wrote:
> Hello gurus of the list,
>
> I have fresh-installed a brand new NG R55W with AI (distributed
> installation -> 1 x Management Server & 2 Firewalls) and I'm facing some
> problems with NAT... NG R55W with AI is installed on a Win2K Server with
> SP4 and all hotfixes.
>
> My firewall has 4 interfaces:
>
> 1 inside my LAN (192.168.241.x/24) -> NET_A
> 1 inside a LAN where other firewalls exist (192.168.69.x) -> NET_B
> 1 inside a dummy network (172.16.26.0/24) -> NET_C
> 1 inside another dummy network (172.16.27.0/24) -> NET_D
>
> What I'm trying to do is the following:
>
> Configure a server with NAT from LAN_A to be advertised in all other
> NETs ->
>
> SERVER01 is situated on NET_A (192.168.241.100) and I want him
> advertised as:
> 192.168.69.100 on NET_B
> 172.16.26.100 on NET_C
> 172.16.27.100 on NET_D
>
> Can it be done? I have added some static routing entries in the
> corresponding firewall that handles all of the above NETs, added
> Manual Address Translation rules, but, what a surprise, there are no
> Proxy Arp entries for the thing to work...
>
> Is there a way for it to work? My guess is *YES*, it can work, if you:
>
> 01. Define 1 Network Object in NET_A (done that) 192.168.241.100
> 02. Define 1 Network Object in NET_B (done that) 192.168.69.100
> 03. Define 1 Network Object in NET_C (done that) 172.16.26.100
> 04. Define 1 Network Object in NET_D (done that) 172.16.27.100
> 05. Add the appropriate static routes (done that)
>    a. route add -p 192.168.69.100 192.168.241.100
>    b. route add -p 172.16.26.100 192.168.241.100
>    c. route add -p 172.16.27.100 192.168.241.100
> 06. Configure *STATIC* NAT rules (done that)
> 07. Configure Manual Proxy ARP rules (how do I do that?)
>
> In the past, I used that magic file called "local.arp" with tremendous
> success. Is there a way to use it now (remember, it is a distributed
> installation)? If so, where should I place the file?
>
> Thanx and I apologize if I'm asking stupid questions; I've been trying
> to accomplish the above (07) for the last 6 hours or so, so ANY - ME -
> HELP - LOG, will be greatly appreciated.
>
> Cheers,
>
>
> Dimitris
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
