If you are using NT and your problem is incoming web/mail/etc., more than
likely your edge internet router is trying to dump traffic to a device which
is physically not there.

You can either put a static route on the router for each host (respectively
sending traffic to the firewall), or you can force the firewall to
respond to the router's requests from a layer-2 standpoint (i.e. local.arp).
You have to stop and start the service after every change to local.arp.
Make sure local.arp is under the $fwdir/state directory and DON'T create it
or link it to WordPad/Notepad. For some reason the little file gets pretty
antsy about stuff like that. Do a DOS-based edit.

Your file should look something like this:

IP address for the firewall to respond to (TAB) MAC address of the NIC facing the router

200.200.200.200<TAB>1c-3c-2a-3c-4b-1e

Make sure NAT is in place, along with the rule to allow the traffic, and
layer-3 routing.

Thomas Poole
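A small checker for the local.arp layout described above, added here as an example and not part of Thomas Poole's post or any Check Point tool. It looks for the things the post warns about: the one-entry-per-line "IP<TAB>MAC" shape with the NT-style dash-separated MAC, and a file that was not saved as plain DOS text. The post does not say why Notepad or WordPad editing breaks the file; the byte-order-mark and RTF checks below are my assumptions about the likely causes. All sample files are constructed.

```python
"""Sanity-check a FireWall-1 local.arp file before restarting the service.

Added example, not from the original mailing-list post. It checks the
layout Thomas Poole describes (one "IP<TAB>MAC" pair per line, NT-style
dash-separated MAC) and the editor pitfalls he warns about. The post does
not say why Notepad/WordPad break the file; the BOM and RTF checks below
are assumptions about the likely causes.
"""
import ipaddress
import re

# NT-style MAC as shown in the post: six hex octets separated by dashes.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed sample files (not real firewall data).
GOOD = b"200.200.200.200\t1c-3c-2a-3c-4b-1e\r\n"
BAD_BOM = b"\xff\xfe" + "200.200.200.200\t1c-3c-2a-3c-4b-1e\r\n".encode("utf-16-le")
BAD_RTF = b"{\\rtf1\\ansi 200.200.200.200 1c-3c-2a-3c-4b-1e}"
BAD_SEP = b"200.200.200.200 1c:3c:2a:3c:4b:1e\r\n"


def check_local_arp(data: bytes) -> list:
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    # Notepad "Unicode" save: UTF-16 with a byte-order mark (assumed cause).
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return ["UTF-16 byte-order mark at start of file (saved as Unicode?)"]
    # UTF-8 BOM: also not plain ASCII text (assumed cause).
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark at start of file")
        data = data[3:]
    # WordPad's default format is RTF, not plain text (assumed cause).
    if data.lstrip().startswith(b"{\\rtf"):
        return problems + ["file is RTF, not plain text (saved from WordPad?)"]
    text = data.decode("ascii", errors="replace")
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append(f"line {lineno}: expected 'IP<TAB>MAC', got {len(fields)} fields")
            continue
        if "\t" not in line:
            problems.append(f"line {lineno}: IP and MAC separated by spaces, not a TAB")
        ip, mac = fields
        try:
            ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            problems.append(f"line {lineno}: bad IPv4 address {ip!r}")
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: MAC {mac!r} is not in nn-nn-nn-nn-nn-nn form")
        if ip in seen:
            problems.append(f"line {lineno}: {ip} already listed on line {seen[ip]}")
        seen.setdefault(ip, lineno)
    return problems


def format_entry(ip: str, mac: str) -> str:
    """Build one local.arp line, normalising a colon- or dash-separated MAC."""
    ipaddress.IPv4Address(ip)  # raises on a bad address
    octets = re.split(r"[-:]", mac.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{ip}\t{'-'.join(octets)}"


if __name__ == "__main__":
    samples = [("GOOD", GOOD), ("BAD_BOM", BAD_BOM), ("BAD_RTF", BAD_RTF), ("BAD_SEP", BAD_SEP)]
    for name, sample in samples:
        print(name, check_local_arp(sample) or "ok")
    print(format_entry("200.200.200.200", "1C:3C:2A:3C:4B:1E"))
```

Run it against the real file with `check_local_arp(open(path, "rb").read())` before bouncing the service; `format_entry` is the safe way to generate new lines from a MAC copied out of `ipconfig /all`, which prints the dash form, or from a switch that prints colons.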

-----Original Message-----
From: Varnam, Gary [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 28, 2000 11:38 AM
To: [EMAIL PROTECTED]
Subject: [FW1] NATing



Hi, 

Ignore my previous message I just used it for the email address.


Our class C address is subnetted as follows: subnet 0 is not used, subnet 1 is
the DMZ, subnet 2 is used for NATing internal users on a 10.x.x.x network to
legal addresses, and subnet 3 is the dirty side of the firewall.

Subnet  Range                      Use
0       x.x.x.1   - x.x.x.62       Not used
1       x.x.x.65  - x.x.x.126      DMZ
2       x.x.x.129 - x.x.x.190      NATed address range used for internal PCs
3       x.x.x.193 - x.x.x.254      Dirty side of firewall

Which subnet is used for NATing external addresses to internal hosts? I have
tried using the subnet 2 range; the firewall logs:

Source                          Destination                       Service   Action
external ip address             legal external address of host    telnet    accept on rule 800
external ip address             illegal internal address of host  telnet    accept on rule 800
legal external address of host  external ip address               telnet    drop on rule 0

First I thought I was not getting a connection because of spoofing; I turned
spoofing off (or I thought I did) but it made not a jot of difference. I have
no problem with the internal PCs going out to the internet, just coming the
other way from the internet to the internal net.

Anybody any pointers? Had a look at phoneboy, tried messing with local.arp.

Cheers Gary
****************************************************************************
Any opinions expressed in the email are those of the individual and not
necessarily the City Of Salford. This email and any files transmitted with it
are confidential and solely for the use of the intended recipient. It may
contain material protected by solicitor-client privilege. If you are not the
intended recipient or the person responsible for delivering to the intended
recipient, be advised that you have received this email in error and that any
use is strictly prohibited. If you have received this email in error please
notify the IT manager by telephone on +44 (0) 1617933906.
****************************************************************************



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

