OK so...

Tried the "perform translation on client side", no go...
Tried the %FW1%/conf/local.arp (in my case %FW1%/NG/conf/local.arp)... no go.
Tried the fwparp <new public IP> <ext int of firewall IP>... and got:
Failed to add proxy arp entry for (ext internet ip) on if (fw ext ip) error 1450 - insufficient system resources exists to complete the requested service.

With a dual-processor machine with 2 GIG of RAM running only Checkpoint FW1-NG1, this doesn't sound right. Also, tried doing a cpstop first... same reply. Also checked the "Routing & Remote Access", nothing configured and.... Also checked the registry, "IPEnableRouter" is at 1.

What's next... come back to FP1?

Any ideas welcome.....

Thanks,
Andre Faille

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@;beethoven.us.checkpoint.com]On Behalf Of Ivan Vassileff
Sent: November 13, 2002 3:26 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Ref.: [FW-1] FTP nat'ed on FP3

Hello

The way fw1 handles static destination nating has been modified significantly before and after fp3

Action 1 : identify the kind of nating you use and the associated operations you may need to perform: manual NAT (rules written manually in the nat window) or automatic NATed (workstation nated)?

If automatic => go and check in Policy/global properties/Nat to see if a tick mark is placed on your "perform translation on client side" for automatic nat. By itself in FP3, it should take care of ARP proxying, Routing and antispoofing as it did in FP2. The added value of FP3/FP2 is that for ARP proxying on W2K you should not need the program fwparp.exe anymore. But this still needs to be verified ;-)

If manual => go and check in Policy/global properties/Nat to see if a tick mark is placed on your "perform translation on client side" for manual nat. By itself in FP3, it should take care of ARP proxying, Routing and antispoofing. The added value of FP3/FP2 is that it previously did NOT exist in FP2. It should work fine with the possible exception of the arp proxying on w2k issue mentioned above.

Action 2 : if it still does not work then we come back to our arp proxying on w2k issue.
In FP3 you are supposed to create a new file called %FW1%/conf/local.arp with the following syntax

<new public IP> <tab> <external interface of firewall MAC address>

Once done you cpstop and cpstart your firewall. It might work.

If it still does not, to cure this in FP2, you had the program fwparp.exe, that you can find on checkpoint site, as previously mentioned in that list. This program has an interesting syntax:

fwparp <new public IP> <external interface of firewall IP - AND NOT MAC>

It checks then the MAC associated. You might give it a try as a backup solution.

Any comments, criticisms, better tricks?

Ivan

Andre Faille <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
13/11/2002 20:45
Please reply to Mailing list for discussion of Firewall-1
To: [EMAIL PROTECTED]
cc:
Subject: [FW-1] FTP nat'ed on FP3

Hi, can anyone help?

I upgraded and my FTP server is not available anymore from the internet...

FW1-NG1 upgraded from FP1 to FP3 on Windows 2000
DMZ address 10.10.10.2 255.255.255.248
FTP server in DMZ 10.10.10.1 255.255.255.248 nat'ed to outside (internet) address, static mode

Thought it might be either the TOPOLOGY missing in the FW for the FTP configuration or the FTP protocol (I added ftp-bidir & ftp_mapped), still no reply from my FTP server from outside???

Any ideas??
Thanks,
Andre Faille

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
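
Added example, not part of the original thread and not Check Point code: a small Python check for the local.arp format Ivan describes (<new public IP> <tab> <external interface MAC>), flagging the case where the interface IP that fwparp takes has been put in the second field instead of the MAC. The accepted MAC notations (":" or "-" separated), the tolerance for any whitespace between fields, and the sample addresses are assumptions.

```python
import ipaddress
import re

# MAC as six hex octets separated by ":" or "-" (assumed notations)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def check_local_arp(text):
    """Return [(line_number, problem), ...] for the text of a local.arp file."""
    problems, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()  # thread says <tab>; any whitespace is tolerated here
        if not fields:
            continue
        if len(fields) != 2:
            problems.append((lineno, "expected 2 fields, got %d" % len(fields)))
            continue
        ip, mac = fields
        if not is_ipv4(ip):
            problems.append((lineno, "first field is not an IPv4 address"))
        elif ip in seen:
            problems.append((lineno, "duplicate entry, first seen on line %d" % seen[ip]))
        else:
            seen[ip] = lineno
        if is_ipv4(mac):
            # the interface IP is what fwparp takes; local.arp wants the MAC
            problems.append((lineno, "second field is an IP (fwparp form), not a MAC"))
        elif not MAC_RE.match(mac):
            problems.append((lineno, "second field is not a MAC address"))
    return problems

# Constructed sample: 192.0.2.x are documentation addresses, the MAC is made up.
SAMPLE = (
    "192.0.2.10\t00-0c-29-aa-bb-cc\n"   # well-formed
    "192.0.2.11\t192.0.2.1\n"           # fwparp-style argument pasted in
    "192.0.2.12 00:0c:29:aa:bb\n"       # truncated MAC
    "192.0.2.10\t00-0c-29-aa-bb-cc\n"   # duplicate of line 1
)

if __name__ == "__main__":
    for lineno, problem in check_local_arp(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```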
