Oops, didn't know you were talking about Windows. You have to create a file
in /$FWDIR/state
The local.arp file would look like this:
204.32.38.2 00-C0-78-20-00-6D
204.32.38.10 00-C0-78-20-00-6D
Note: For changes to this file to take effect, you must install your
security policy.
On an NT machine, the routes are slightly different:
route add 204.32.38.2 192.168.0.2 -p
route add 204.32.38.10 192.168.0.10 -p
The -p option ensures the routes will be added to the registry and will be
active, even after rebooting.
Michael
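A consistency check for the setup described in the message above, as an added example that is not part of the original message or of Check Point's tooling: it parses local.arp text, compares it with a static NAT table, and lists the matching NT route commands. The function names, the NAT table layout, the third mapping (204.32.38.11) and the restriction to dash-separated MACs are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: only the dash-separated MAC form shown in the message is accepted.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")

def parse_local_arp(text):
    """Return ({ip: mac}, [errors]) from local.arp text, one 'IP MAC' pair per line."""
    entries, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # blank lines are ignored
        if len(fields) != 2:
            errors.append(f"line {n}: expected 'IP MAC', got {line!r}")
            continue
        ip, mac = fields
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"line {n}: bad IPv4 address {ip!r}")
            continue
        if not MAC_RE.fullmatch(mac):
            errors.append(f"line {n}: bad MAC {mac!r}, expected xx-xx-xx-xx-xx-xx")
            continue
        entries[ip] = mac.upper()
    return entries, errors

def check_static_nat(local_arp_text, nat_map, external_mac):
    """nat_map is {translated_ip: internal_ip}. Return (problems, route_commands)."""
    entries, problems = parse_local_arp(local_arp_text)
    routes = []
    for nat_ip, inside_ip in nat_map.items():
        mac = entries.get(nat_ip)
        if mac is None:
            problems.append(f"{nat_ip}: no local.arp entry, so the firewall will not answer ARP for it")
        elif mac != external_mac.upper():
            problems.append(f"{nat_ip}: MAC {mac} is not the external interface MAC")
        # Route form taken from the message: translated address -> internal address
        routes.append(f"route add {nat_ip} {inside_ip} -p")
    return problems, routes

# Constructed sample: the two entries from the message plus one unmapped address
SAMPLE = "204.32.38.2 00-C0-78-20-00-6D\n204.32.38.10 00-C0-78-20-00-6D\n"
NAT = {"204.32.38.2": "192.168.0.2", "204.32.38.10": "192.168.0.10",
       "204.32.38.11": "192.168.0.11"}

if __name__ == "__main__":
    problems, routes = check_static_nat(SAMPLE, NAT, "00-C0-78-20-00-6D")
    print("\n".join(problems + routes))
```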
-----Original Message-----
From: Jey Baskar [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 15, 2001 10:58 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [FW1] NAT Problem in CP-Firewall
Michael,
I think the "pub" syntax is supported in unix environment. I did try
that on the NT server [Firewall is installed on the NT Server] and it wasn't
supporting that syntax. :-(
Thanks,
Jey!
>>> "Pires, Michael" <[EMAIL PROTECTED]> 01/15/01 10:56AM >>>
Don't forget to add the pub at the end of the arp
ex:
arp -s 205.148.243.3 <mac address of the external firewall> pub
Very important since anyone arping for that external address your firewall
has to respond to it.
_______________________________________
Michael Pires
Security Analyst
Teleglobe Inc.
TEL: (514) 868-8713
FAX: (514) 868-8281
E-MAIL: [EMAIL PROTECTED]
-----Original Message-----
From: Jey Baskar [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 15, 2001 10:28 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [FW1] NAT Problem in CP-Firewall
I did follow the suggestion of adding the arp entry and the route but I am
still stuck with the same problem.
After adding the following entries
1. arp -s 205.148.243.3 <mac address of the external firewall>
2. route add 205.148.243.3 10.1.3.5
it doesn't seem to be working. I also added the next hop inside the firewall
too!!
Thanks for your time and suggestion
Jey!
>>> Mustetab Ali Khan <[EMAIL PROTECTED]> 01/14/01 10:08AM >>>
Dear BASKAR,
You also need to add an arp entry for the natted address ...
arp -s 205.148.243.3 <mac address of the firewall external card>
In addition you need to add a route as follows
route add 205.148.243.3 <10.x.x.x> ip of the firewall internal card
-Mustetab
Network Security Engineer
HCL Comnet Systems & Services
-----Original Message-----
From: ITN (Bipin Mehta)
To: 'Jey Baskar'; [EMAIL PROTECTED]
Sent: 01/14/2001 6:25 PM
Subject: RE: [FW1] NAT Problem in CP-Firewall
You need to add a static route on your firewall for the translated
address (205.148.243.3) to the next hop inside the firewall or to the
internal ethernet port because before translation the firewall does
internal routing.
-----Original Message-----
From: Jey Baskar [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 13, 2001 1:02 AM
To: [EMAIL PROTECTED]
Subject: [FW1] NAT Problem in CP-Firewall
Hello,
We have installed Checkpoint Firewall-1 in our environment. I am facing
the problem of being unable to PING the NATted address.
10.1.3.15     205.148.243.2     205.148.243.1
HOSTA ------- FIREWALL -------- ROUTER ---------- INTERNET
I have a hostA 10.1.3.15 which is on the internal network. It can ping
to the Firewall [205.148.243.2] and to the router [205.148.243.1]
without any problems.
On the Firewall I have static Address Translation for the 10.1.3.15 and
set it as 205.148.243.3
The problem is I can PING to the firewall [205.148.243.2] successfully
from the internal and external network but CANNOT ping to the static
address [205.148.243.3] either from the internal or from the external
network. Even from the Firewall server, I CANNOT ping to the NATed
address [205.148.243.3]
I have set the NAT and rules properly.
Any help to fix this problem will be greatly appreciated!
Thanks
Jey
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================