----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, June 16, 2000 4:34 PM
Subject: RE: [FW1] Routing before FW-1 Installation
>
> Let's use the following assumption
>
> {Internet} <200.200.200.1>..........<200.200.200.254>...........10.1.1.x
> :
> :
> 192.168.1.x
>
> assume the following:
> 200.200.200.x is your class C address space (Internet space)
> 192.168.1.x is a DMZ
> 200.200.200.1 is the gateway to the internet (ie- live router ethernet port)
> 200.200.200.254 is the external interface for your firewall
>
> Let's suppose internal hosts need to get out. (10.1.1.x hosts)
>
> They use the firewall as a gateway, the firewall inspects, re-arranges, and
> re-assembles and uses its own interface as the new "source" address (and
> assigns a port mapping to the internal host)
> The packet goes through the router, and follows the path to the host
> (somewhere on the internet)
> When the packet finally gets back to the internet router, the router needs
> to know where to send the packet to (ie a layer 2 address)
>
> The router either looks in its arp table, or does a rarp on 200.200.200.254
> (the new destination address) and the firewall responds and says (give it to
> me)
>
> Let's suppose you are doing NAT for host 200.200.200.2, which NATs to
> 192.168.1.2
>
> If someone initiates a connection for the host at 200.200.200.2, how does
> the router know where to send it? When the router does a rarp on
> 200.200.200.2, nothing will respond. The firewall has to be "told" to
> respond. Simply setting up a host and NAT rule does not cut it!
>
> There are a few ways to handle it. Either you can put an IP route statement
> on the router, sending all traffic destined for 200.200.200.2 to
> 200.200.200.254, and the firewall will know what to do with the packet.
>
> -OR-
>
> you can also have the firewall PROXY ARP, which basically tricks the router
> (or upstream gateway) into thinking that the 200.200.200.2 device is
> actually there.
>
> Some routers have handled this by adding a blanket class C network static
> route directly to the firewall.
>
> Unix versions perform this function better than NT. On Unix, it's a simple
> ARP pub command, on NT you have to add a file to the state directory that
> basically has the address you want to proxy for, and the MAC address of the
> EXTERNAL nic, facing the router.
>
> Sorry if I bored those that know this, but this is where many NT users get
> lost....
>
> Thomas
Thanks Thomas,
I'm trying your solutions..... I'll let you know if it works ASAP.
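The failure Thomas describes, and the two fixes, come down to one question at the router: when it needs a layer-2 address for 200.200.200.2, does anything on the segment answer? The following toy model walks one inbound packet through that step under the three configurations (NAT rule only, host route to the firewall, proxy ARP on the firewall). It is an added example written for this thread, not FireWall-1 code or anything from the list; the IP addresses are the ones used in the quoted message, the MAC address is constructed, and the segment is simplified to just the router and the firewall.

```python
"""Toy model of the ARP step from the thread: the Internet router must
deliver a packet to the NATed address 200.200.200.2, but no real host on
the firewall's external segment owns that address.  Addresses are the
thread's example values; the MAC is constructed.  Not FW-1 code."""

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

ROUTER_IP = IPv4Address("200.200.200.1")         # live router ethernet port
FW_EXTERNAL_IP = IPv4Address("200.200.200.254")  # firewall external interface
FW_EXTERNAL_MAC = "00:00:5e:00:53:fe"            # constructed example MAC
NAT_PUBLIC_IP = IPv4Address("200.200.200.2")     # public side of the static NAT
NAT_DMZ_IP = IPv4Address("192.168.1.2")          # DMZ host behind the NAT


@dataclass
class Firewall:
    ip: IPv4Address
    mac: str
    # Static NAT rule: public address -> DMZ address.
    nat: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)
    # Addresses the firewall has been "told" to answer ARP for ("arp pub"
    # on Unix, the state-directory file on NT).  Empty unless configured.
    proxy_arp: Set[IPv4Address] = field(default_factory=set)

    def answer_arp(self, target: IPv4Address) -> Optional[str]:
        """Reply with the external MAC for our own interface or any
        published address; stay silent for everything else."""
        if target == self.ip or target in self.proxy_arp:
            return self.mac
        return None

    def translate(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Apply the static NAT rule to an inbound packet."""
        return self.nat.get(dst)


@dataclass
class Router:
    ip: IPv4Address
    # Static routes as (prefix, next hop); a host route is a /32.
    static_routes: List[Tuple[IPv4Network, IPv4Address]] = field(default_factory=list)

    def next_hop(self, dst: IPv4Address) -> IPv4Address:
        """Longest-prefix match over the static routes.  With no match the
        destination is on the directly connected class C, so the router
        ARPs for the destination address itself."""
        matches = [(net, nh) for net, nh in self.static_routes if dst in net]
        if not matches:
            return dst
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def deliver(router: Router, firewall: Firewall, dst: IPv4Address) -> Optional[IPv4Address]:
    """Walk one inbound packet from the router toward the DMZ host.
    Returns the DMZ address reached, or None when the ARP request goes
    unanswered (no layer-2 address, so the router drops the packet).
    The firewall is the only other device on the segment in this model."""
    arp_target = router.next_hop(dst)
    if firewall.answer_arp(arp_target) is None:
        return None
    return firewall.translate(dst)


def nat_rule_only() -> Optional[IPv4Address]:
    """NAT rule configured, nothing else: router ARPs for .2, nobody answers."""
    fw = Firewall(FW_EXTERNAL_IP, FW_EXTERNAL_MAC, nat={NAT_PUBLIC_IP: NAT_DMZ_IP})
    return deliver(Router(ROUTER_IP), fw, NAT_PUBLIC_IP)


def with_static_route() -> Optional[IPv4Address]:
    """Fix 1: host route for .2 on the router pointing at the firewall."""
    fw = Firewall(FW_EXTERNAL_IP, FW_EXTERNAL_MAC, nat={NAT_PUBLIC_IP: NAT_DMZ_IP})
    rtr = Router(ROUTER_IP, [(IPv4Network("200.200.200.2/32"), FW_EXTERNAL_IP)])
    return deliver(rtr, fw, NAT_PUBLIC_IP)


def with_proxy_arp() -> Optional[IPv4Address]:
    """Fix 2: firewall publishes .2 and answers the router's ARP itself."""
    fw = Firewall(FW_EXTERNAL_IP, FW_EXTERNAL_MAC,
                  nat={NAT_PUBLIC_IP: NAT_DMZ_IP}, proxy_arp={NAT_PUBLIC_IP})
    return deliver(Router(ROUTER_IP), fw, NAT_PUBLIC_IP)


if __name__ == "__main__":
    print("NAT rule only:", nat_rule_only())       # None
    print("static route :", with_static_route())   # 192.168.1.2
    print("proxy ARP    :", with_proxy_arp())      # 192.168.1.2
```

The model makes the troubleshooting signature explicit: with only the NAT rule in place the packet never reaches the firewall, so the firewall log stays empty and the router's ARP request for 200.200.200.2 is what times out. Either fix changes the ARP target (host route) or the ARP responder (proxy ARP); the NAT rule itself is unchanged in all three cases.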
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================