Hi
IP NAT Pool:
---------------
Do you use addresses from the same net segment like the firewall has its
interfaces on?
I have never added any arp entries for my sr clients... I am using a
private /24 net for the IP NAT thingy. What is important is that your inside
servers must know the way back to your virtual "IP NAT Pool"-net (the sr
entrypoint), and the "IP NAT Pool"-net shouldn't be in the encryption domain.
regards,
mike
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 8:04 PM
Subject: [FW1] Linux, VPN and ARP
> The task is really easy:
> Enable FW-1 to accept SecuRemote connections. The firewall (gateway) itself
> runs on RedHat 7.0 and SecuRemote on W2k.
> I'm able to connect to the firewall over the internet but it is IMPOSSIBLE
> to reach resources on the LAN when I use "IP NAT Pool"
>
> What my Reseller told me was that for IP NAT-Pool the IP addresses have to
> be "put" on the internal interface by either "local.arp" for Windows (not
> in my case) or "arp -s <ip> <mac> -i eth1 pub". But the arp stuff doesn't
> work out.
> Though my linux box accepts the command, replies to e.g. a PING from the
> SecuRemote Client reaches the destination but the answer doesn't come back
> (I traced it down so I could see that the arp request wasn't answered by
> the firewall).
>
> Can anybody tell me why the linux box doesn't reply on the arp request (FW
> and Linux box are on the same segment)?
> Is this a linux thing?
>
> The only workaround I found was to "put" the ip addresses on the interface.
> But what if I need a pool of e.g. 200 addresses - is the linux kernel
> capable to handle that much on one NIC?
>
> Maybe I'm missing something... so I would be glad if anybody could give me
> a hint.
>
> Regards,
> Marco
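
A layout check for the advice in the reply at the top of this thread, added here as an example (it is not code from either poster or from Check Point). It tests a pool network against the firewall's interface segments, the encryption domain, and each inside server's routing table; all addresses, host names and function names are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dest_net):
    """Longest-prefix match over (cidr, gateway) pairs.
    Gateway None means on-link: the host will ARP for the address itself."""
    best = None
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)
        if dest_net.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else "no-route"

def check_nat_pool(pool, fw_interfaces, inside_if, encryption_domain, server_routes):
    """Return a list of findings; an empty list means the layout matches the advice."""
    pool_net = ipaddress.ip_network(pool)
    fw_inside_ip = str(ipaddress.ip_interface(fw_interfaces[inside_if]).ip)
    findings = []
    # Pool carved out of a segment the firewall sits on: neighbours ARP for
    # pool addresses, so published ARP entries would be needed on the gateway.
    for name, addr in fw_interfaces.items():
        seg = ipaddress.ip_interface(addr).network
        if pool_net.overlaps(seg):
            findings.append(f"pool overlaps {name} segment {seg}: ARP entries needed")
    # The pool network should not be part of the encryption domain.
    for cidr in encryption_domain:
        if pool_net.overlaps(ipaddress.ip_network(cidr)):
            findings.append(f"pool overlaps encryption domain {cidr}")
    # Every inside server must send replies for the pool back through the firewall.
    for server, routes in server_routes.items():
        hop = next_hop(routes, pool_net)
        if hop != fw_inside_ip:
            shown = "on-link ARP" if hop is None else hop
            findings.append(f"{server}: replies to pool go via {shown}, not {fw_inside_ip}")
    return findings

# Constructed sample layout (documentation and private address ranges).
FW = {"eth0": "203.0.113.2/29", "eth1": "192.168.1.1/24"}
ENC_DOMAIN = ["192.168.1.0/24"]
ROUTES_VIA_FW = {"srv1": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]}
ROUTES_VIA_OTHER = {"srv1": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.254")]}

if __name__ == "__main__":
    for pool, routes in [("10.99.0.0/24", ROUTES_VIA_FW),
                         ("10.99.0.0/24", ROUTES_VIA_OTHER),
                         ("192.168.1.128/25", ROUTES_VIA_FW)]:
        print(pool, check_nat_pool(pool, FW, "eth1", ENC_DOMAIN, routes) or "OK")
```

The third case is the one described in the quoted question: with the pool inside the LAN segment, the server's connected route wins the longest-prefix match, so it ARPs for the pool address instead of routing the reply to the gateway.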