OK so it works now!!!
This is the problem I get: although my NATs are all MANUAL, I do have to
leave the following setup active
Policy : Global Properties:
NAT Automatic address Translation
-> Automatic NAT
Translate destination on client side
AND
-> Manual NAT
Translate destination on client side
BOTH have to be active for the NAT to work properly.
Thanks all,
Andre Faille
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@;beethoven.us.checkpoint.com]On Behalf Of Efes
Sent: November 13, 2002 8:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] FTP nat'ed on FP3 /take2
I assume that you are routing external ip address of
ftp server to 10.10.10.1 ... Also when in manual mode
you should add the ext. ip address in the spoofing
group of internal interface (if perform NAT on client
side is not chosen). Old nat issues..
fyi,
-yinal ozkan
--- Andre Faille <[EMAIL PROTECTED]> wrote:
> OK so...
>
> tried the "perform translation on client side", no
> go...
> tried the %FW1%/conf/local.arp (in my case
> %FW1%/NG/conf/local.arp)... no go
> tried the fwparp <new public IP> <ext int of
> firewall IP>...and got:
>
> Failed to add proxy arp entry for (ext internet ip)
> on if (fw ext ip)
> error 1450 - insufficient system resources exists to
> complete the requested
> service.
>
> With a dual-processor machine with 2 GIG of RAM
> running only Checkpoint
> FW1-NG1, this doesn't sound right.
>
> Also, tried doing a cpstop first... same reply.
> Also checked the "Routing & Remote Access", nothing
> configured and.... Also
> checked the registry, "IPEnableRouter" is at 1.
>
> What's next...come back to FP1?
> Any ideas welcome.....
>
> Thanks,
> Andre Faille
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST@;beethoven.us.checkpoint.com]On
> Behalf Of Ivan Vassileff
> Sent: November 13, 2002 3:26 PM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] Rif. : [FW-1] FTP nat'ed on FP3
>
>
> Hello
>
> The way fw1 handles static destination nating has
> been modified
> significantly before and after fp3
>
> Action 1 : identify the kind of nating you use and
> the associated
> operations you may need to perform :
> manual NAT (rules written manually in the nat
> window) or automatic NATed
> (workstation nated) ?
>
> If automatic => go and check in Policy/global
> properties/Nat to see if a
> tick mark is placed on your "perform translation on
> client side" for
> automatic nat.
> By itself in FP3, it should take care of ARP
> proxying, Routing and
> antispoofing as it did in FP2.
> The added value of FP3/FP2 is that for ARP proxying
> on W2K you should not
> need the program fwparp.exe anymore . But this still
> needs to be verified
> ;-)
>
> If manual => go and check in Policy/global
> properties/Nat to see if a
> tick mark is placed on your "perform translation on
> client side" for
> manual nat. By itself in FP3, it should take care of
> ARP proxying, Routing
> and antispoofing
> The added value of FP3/FP2 is that it previously
> did NOT exist in FP2.
> It should work fine with the possible exception on
> the arp proxying on w2k
> issue mentioned above.
>
> Action 2 : if it still does not work then we come
> back to our arp proxying
> on w2k issue.
>
> In FP3 you are supposed to create a new file called
> %FW1%/conf/local.arp
> with the following syntax
> <new public IP> <tab> <external interface of
> firewall MAC address>
> Once done you cpstop and cpstart your firewall.
> It might work.
>
> If it still does not, to cure this in FP2, you had
> the program fwparp.exe,
> that you can find on checkpoint site, as previously
> mentioned in that
> list.
> This program has an interesting syntax : fwparp
> <new public IP> <external
> interface of firewall IP - AND NOT MAC>, It checks
> then the MAC
> associated.
> You might give it a try as a backup solution.
>
> Any comments, criticisms, better tricks?
>
> Ivan
>
>
>
>
>
> Andre Faille <[EMAIL PROTECTED]>
> Sent by: Mailing list for discussion of
> Firewall-1
> <[EMAIL PROTECTED]>
> 13/11/2002 20:45
> Please reply to Mailing list for discussion of
> Firewall-1
>
>
> To:
> [EMAIL PROTECTED]
> cc:
> Subject: [FW-1] FTP nat'ed on FP3
>
> Hi,
>
> Can anyone help? I upgraded and my FTP server is not
> available anymore
> from
> the internet...
>
> FW1-NG1 upgraded from FP1 to FP3
> on Windows 2000
> DMZ address 10.10.10.2 255.255.255.248
>
> FTP server in DMZ
> 10.10.10.1 255.255.255.248
> nat'ed to outside (internet) address, static mode
>
>
>
>
> Thought it might be either the TOPOLOGY missing in
> the FW for the FTP
> configuration or the
> FTP protocol (I added ftp-bidir & ftp_mapped), still
> no reply from my FTP
> server from outside???
>
> Any ideas??
>
> Thanks,
> Andre Faille
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
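
A syntax check for the local.arp format described in the quoted message above (<new public IP> <tab> <external interface MAC>), as an added example that is not part of the thread and is not a Check Point tool. The accepted MAC notation, the RFC 1918 check and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: MAC is six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def lint_local_arp(text):
    """Return (line_number, message) findings for local.arp content."""
    findings, seen = [], {}
    for num, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 2:
            findings.append((num, "expected two fields: <public IP> <MAC>"))
            continue
        ip_text, mac = fields
        addr = _ip(ip_text)
        if addr is None:
            findings.append((num, f"first field is not an IP: {ip_text}"))
            continue
        if _ip(mac) is not None:
            # The mix-up the thread warns about: fwparp takes the
            # interface IP, local.arp takes the interface MAC.
            findings.append((num, "second field is an IP, MAC expected"))
        elif not MAC_RE.match(mac):
            findings.append((num, f"second field is not a MAC: {mac}"))
        if any(addr in net for net in RFC1918):
            findings.append((num, f"{ip_text} is RFC 1918, not the public IP"))
        if ip_text in seen:
            findings.append((num, f"duplicate of line {seen[ip_text]}"))
        seen.setdefault(ip_text, num)
    return findings

# Constructed sample; 192.0.2.0/24 stands in for the public range.
SAMPLE = "\n".join([
    "192.0.2.10\t00-11-22-33-44-55",   # well-formed
    "192.0.2.11\t192.0.2.1",           # IP where the MAC belongs
    "10.10.10.1\t00:11:22:33:44:55",   # DMZ address, not the public one
    "192.0.2.10\t00-11-22-33-44-55",   # duplicate entry
])
```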