I noticed that you have the parent interface IP'd, in addition to a sub-interface. Maybe the anti-spoofing on the parent interface is overriding the anti-spoof IPs that you assigned to eth3:0.
Assuming that you have the anti-spoof nets defined correctly, have you tried assigning each IP to a distinct sub-interface (no IP on the parent interface, and anti-spoofing adjusted accordingly)? Perhaps unrelated, but I recently had to stop using anti-spoof detection on interfaces that have overlapping anti-spoof nets (eg. 10.0.0.0/8 assigned to the internal leg, and 10.1.0.0/16 on another zone's interface). This seemed to work in the past, until I moved a particular net to another zone, and added it to that interface's anti-spoof list. The packets dropped like flies. FWIW. - Dave -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Sawatzki Sent: Friday, August 19, 2005 4:35 AM To: [email protected] Subject: [FW-1] Anti-Spoofing and Secondary IP I have a DMZ with two IP addresses (not NATed) on eth3 and eth3:0. Since installing NGX I have to disable anti-spoofing because the NGX thinks the packets from eth3:0 are spoofed. Is this a known problem ? Peter ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
