Hi,

I'm able to ping the NATed host from the internet only by configuring the routing table in the router. Proxy ARP cannot help me connect to my internal host. I tried very much to use proxy ARP but couldn't succeed. I think proxy ARP is the only method to connect from the DMZ to the internal host. Am I right?

Best Regards,
Tika

--- "Little, Craig" <[EMAIL PROTECTED]> wrote:
>
> It sounds like a routing problem at this stage. Is there a route from your
> firewall to where you want to go? Every device that routes packets has to
> have appropriate routing tables - even if it's a PC with two networking
> cards. If not, the packet will get sent to the wrong interface and
> eventually disappear into the ether. That's all I can think of now. I'll
> have another look at it tomorrow after I've had some well earned sleep - or
> maybe someone else can step in.
>
> Craig/
>
> -----Original Message-----
> From: Tika Mahata [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 23, 2000 1:12 AM
> To: Little, Craig; [EMAIL PROTECTED]
> Subject: RE: [FW1] NAT and Internet Connection
>
> Hi
>
> Now, I can ping from my FW gateway to the static valid IP but I can't ping
> from the router console to it. And also I can't ping from my app server to
> outside, but in the log the request acceptance is shown. But I can ping from
> any hidden host to the outside world.
>
> I'm very frustrated.
>
> Best regards,
>
> Tika
>
> --- "Little, Craig" <[EMAIL PROTECTED]> wrote:
> > It works for me. I'm proxy arping for 12 different IP addresses across 7
> > interfaces on our main gateway. After you add the file we have to fwstop /
> > fwstart.
> >
> > Craig/
> >
> > -----Original Message-----
> > From: Tika Mahata [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, June 21, 2000 6:15 PM
> > To: Little, Craig; 'Tika Mahata'; [EMAIL PROTECTED]
> > Subject: RE: [FW1] NAT and Internet Connection
> >
> > I'd already tried this format for ARP proxy.
> >
> > Tika
> >
> > --- "Little, Craig" <[EMAIL PROTECTED]> wrote:
> > >
> > > local.arp should be in the format
> > > <IP Address> <Mac Address>
> > >
> > > Craig/
> > >
> > > -----Original Message-----
> > > From: Tika Mahata [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, June 20, 2000 10:19 PM
> > > To: Kumar, Preet (Exchange); [EMAIL PROTECTED]
> > > Subject: RE: [FW1] NAT and Internet Connection
> > >
> > > Hi Kumar,
> > >
> > > ICMP is allowed.
> > > Firewall can ping application server with invalid IP a.b.c.d.
> > > External gateway MAC is used for w.x.y.z. in
> > > c:\winnt\fw\state\local.arp
> > > xx-xx-xx-xx-xx-xx w.x.y.z
> > >
> > > and
> > > route w.x.y.z is statically routed to a.b.c.d on firewall.
> > >
> > > But I cannot even ping from firewall to valid IP w.x.y.z.
> > >
> > > On ping command:
> > >
> > > reply from p.q.r.s: TTL expired in transit.
> > >
> > > I'm just installing firewall and having to test connection.
> > >
> > > Best Regards,
> > >
> > > Tika
> > >
> > > --- "Kumar, Preet (Exchange)" <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Do you have ICMP allowed through your firewall?
> > > > If you have then can you ping a.b.c.d from the firewall?
> > > > If not then check the routing from the firewall to a.b.c.d
> > > > If yes then did you publish the MAC for w.x.y.z on the external network?
> > > > If not do it
> > > > If yes then do you have a host specific route on the firewall that says
> > > > destination w.x.y.z gateway (either a.b.c.d or the router that is on the
> > > > internal side).
> > > >
> > > > If all the above has been done and you still cannot ping check your NAT
> > > > are you NATing when any packets come to the firewall at w.x.y.z or just
> > > > http, https packets.
> > > > In case you are NATing for only http/https packets then you will not be able
> > > > to ping.
> > > > If you have the services in Original packets set to "ANY" and services in
> > > > translated packets
> > > > set to "Original" then you will be able to ping.
> > > >
> > > > Why would you want to ping the webserver anyway? Allow ICMP just for
> > > > testing and when the
> > > > webserver is accessible from outside through the NATed address then disable
> > > > ICMP and also
> > > > narrow down the NAT to only those services that you require on the
> > > > webserver.
> > > >
> > > > Preet
> > > >
> > > > > -----Original Message-----
> > > > > From: Tika Mahata [SMTP:[EMAIL PROTECTED]]
> > > > > Sent: Monday, June 19, 2000 7:41 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Cc: [EMAIL PROTECTED]
> > > > > Subject: [FW1] NAT and Internet Connection
> > > > >
> > > > > Hi,
> > > > >
> > > > > My application server (i.p=a.b.c.d) is hidden with
> > > > > static NAT (valid i.p=w.x.y.z). Then I cannot ping the
> > > > > w.x.y.z, so how can I access my application server
> > > > > from internet?
> > > > > Pls give me some idea about it.
> > > > >
> > > > > Thanks
> > > > > Tika
> > > > >

=== message truncated ===
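
An added example, not part of the thread: a small checker for local.arp entries against the `<IP Address> <Mac Address>` order Craig gives, which flags the MAC-first order quoted earlier in the thread. The function names, the sample addresses and MACs, and the accepted `-`/`:` octet separators are assumptions made for illustration.

```python
import ipaddress
import re

# MAC as six hex octets joined by one consistent separator ('-' or ':');
# the thread's placeholder uses dashes (xx-xx-xx-xx-xx-xx). Assumption.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}(\1[0-9A-Fa-f]{2}){4}$")

def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def check_local_arp(text):
    """Return (line_number, problem) for every entry that does not
    match '<IP Address> <Mac Address>'; an empty list means clean."""
    problems = []
    seen = {}  # translated IP -> line where it was first published
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((n, "expected 2 fields, got %d" % len(fields)))
            continue
        first, second = fields
        if MAC_RE.match(first) and is_ipv4(second):
            # The order used in the local.arp line quoted in the thread.
            problems.append((n, "fields reversed: MAC before IP"))
        elif not is_ipv4(first):
            problems.append((n, "first field is not an IPv4 address"))
        elif not MAC_RE.match(second):
            problems.append((n, "second field is not a MAC address"))
        elif first in seen:
            problems.append((n, "duplicate IP, first seen on line %d" % seen[first]))
        else:
            seen[first] = n
    return problems

# Constructed sample: documentation-range addresses, made-up MACs.
SAMPLE = """\
192.0.2.10 00-a0-c9-12-34-56
00-a0-c9-12-34-56 192.0.2.11
192.0.2.12 00a0.c912.3456
192.0.2.10 00-a0-c9-12-34-56
"""
```

Calling `check_local_arp(SAMPLE)` reports lines 2, 3 and 4; as Craig notes, a corrected file only takes effect after fwstop / fwstart.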
