I need help on this issue from SecurePlatform Experts:
I have SPLAT enforcement module with
two interfaces, Internal and External.
This SPLAT box is being managed by a
Provider-1 SPLAT (manager+container).
Everything is running NGx R61 with
HFA_01. Everything is running
on EVAL license.
Internal interface has an IP of
10.100.109.2/24 with the ClusterXL IP
to be 10.100.109.1. The External IP
address is 129.174.1.23/24 with the
ClusterXL IP being 129.174.1.22.
Anti-spoofing is defined properly.
Under the global properties, I have
automatic ARP, nat on the destination,
etc. By the way, even though I only
have a single firewall, I set up the firewall
with ClusterXL in Active/Active in Unicast
with the intention that I will add
another firewall into clusterXL next week.
I have a very simple rule:
Any Any Accept log
I have a linux host behind the Internal
interface with IP 10.100.109.12 and
it is NATted to 129.174.1.12. Host
10.100.109.12 has its default gateway
as 10.100.109.1
Once I push the policy, hosts residing
on the External CAN ping the host 129.174.1.12.
So far so good.
However, if I do "cpstop;cpstart" on the
SPLAT enforcement module, hosts residing on
the External network CAN NOT ping host
129.174.1.12. Several attempts to push
the policy did not solve it. When
I do "fw ctl arp" on the SPLAT box, I see
this:
[EM-SPLAT-1-P]# fw ctl arp
(129.174.1.12) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
(129.174.1.11) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
[EM-SPLAT-1-P]#
It means that my static NAT is correct but
hosts on the External network CAN NOT ping
the host 129.174.1.12. The only way to fix
this is to REBOOT the SPLAT box.
Is this normal behavior for SPLAT enforcement module?
I've never seen this with Nokia IP appliances.
Can someone clarify this?
I've another identical setup with NG-AI R55 with HFA_20
and I have NO issues with this whatsoever. Static NAT
still works fine after "cpstop;cpstart" or "cprestart" on the
Enforcement Modules.
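As an added illustration (not part of the original post), the following Python parses "fw ctl arp" output in the exact line format quoted above and checks that each expected static NAT address is published from the expected interface. The expected mapping and the sample output are constructed from the addresses in the post; note that in the reported case this table looks correct even though ping fails, so passing this check only rules out a missing proxy ARP entry, not the fault itself.

```python
import re

# Line format as shown in the post:
# (129.174.1.12) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
ARP_LINE = re.compile(
    r"^\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
    r"\s+interface\s+(?P<iface>[\d.]+)\s*$"
)

# Constructed sample: the two lines quoted in the post, plus the shell prompt lines.
SAMPLE_OUTPUT = """[EM-SPLAT-1-P]# fw ctl arp
(129.174.1.12) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
(129.174.1.11) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
[EM-SPLAT-1-P]#
"""

# Constructed expectation: NAT address -> interface IP it must be published on.
# 129.174.1.12 is from the post; 129.174.1.30 is a hypothetical second NAT address.
EXPECTED_NAT = {
    "129.174.1.12": "129.174.1.23",
    "129.174.1.30": "129.174.1.23",
}


def parse_fw_ctl_arp(text):
    """Return {published_ip: (mac, interface_ip)}; prompt and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries[m.group("ip")] = (m.group("mac").lower(), m.group("iface"))
    return entries


def check_static_nat(entries, expected):
    """List human-readable problems: NAT IPs with no proxy ARP entry, or on the wrong interface."""
    problems = []
    for nat_ip, iface in sorted(expected.items()):
        if nat_ip not in entries:
            problems.append(f"{nat_ip}: no proxy ARP entry (static NAT not published)")
        elif entries[nat_ip][1] != iface:
            problems.append(f"{nat_ip}: published on {entries[nat_ip][1]}, expected {iface}")
    return problems


if __name__ == "__main__":
    found = parse_fw_ctl_arp(SAMPLE_OUTPUT)
    for issue in check_static_nat(found, EXPECTED_NAT) or ["all expected NAT entries present"]:
        print(issue)
```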