Hi,

look for static ARP entries. You have to change them eventually to a new MAC address of the new firewall machine...

Christian
_________
Christian Betz
System Engineer eSecurity Solutions
Prodacta Systemhaus GmbH
Pforzheimer Str. 132        Fon: +49 (0) 7243 382 308
D-76275 Ettlingen           Fax: +49 (0) 7243 382 107
Germany                     Mob: +49 (0) 172 7278924
http://www.prodacta.de

> -----Original Message-----
> From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 19 February 2001 21:50
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [FW1] Nated machines can't access Internet
>
> Steven,
>
> Wouldn't running 'clear arp-cache' on the router be much faster?
>
> Robert
>
> - -
> Robert P. MacDonald
> Global Infrastructure Group, Haworth, Inc.
> Voice: +1.616.393.1247
> email: [EMAIL PROTECTED]
>
> >>> Steven Zimmerman <[EMAIL PROTECTED]> 02/19/01 10:09AM >>>
> >
> >First thing I would do is reboot your ISP router after putting the new
> >firewall in place. The ISP router will have the MAC address of your old
> >server cached (default is 3 hours on Cisco) and it will try to send all
> >packets to that old MAC.
> >
> > -----Original Message-----
> >From: CryptoTech [mailto:[EMAIL PROTECTED]]
> >
> >Annette,
> >Since this is an upgrade on a separate server, a few questions come to mind.
> >Have you removed the old config so that the new setup will be the proper
> >default route for internal hosts?
> >Validation of proper published mac addresses is a plus
> >Check the network properties TCPIP ->routing table to enable ip
> >forwarding/routing.
> >
> >HTH,
> >CryptoTech
> >
> >Annette Tenney wrote:
> >
> >> Am running FW-1 ver. 4.0. Upgrade planned on different server. Have
> >> installed NT on new machine and imported the rulebase and configuration
> >> files from the old machine which is currently in use. Have modified the
> >> route table on the new machine to match the old machine. Have created the
> >> local.arp file. Checked in the configuration GUI that the external
> >> interface was pointing to the correct card. On the firewall network
> >> object did a get for the interfaces which succeeded. Installed the policies.
> >>
> >> Have new machine on test network with DNS. Have not tried the upgrade yet.
> >> Firewall can get name resolution, can ping machines on internal network
> >> and DMZ by both true IP address and nated address. Internal machines with
> >> nated address can not get name resolution (DNS acting as machine outside
> >> firewall), machines internal with hidden address can get resolution.
> >> Machine on DMZ, with nated address can not get resolution. External
> >> machine can not get to web server on DMZ. Have disabled all rules in rule
> >> base and added rule any any any allow. Pseudo rules set to allow
> >> anything. Turned off IP address spoofing.
> >>
> >> What have I missed?
> >>
> >> Thanks for your help.
> >
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
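The thread above turns on one thing: the ISP router's ARP cache still maps the NATed addresses to the old server's MAC, so the new firewall's local.arp entries are never consulted until the cache ages out or is cleared. As an added example (not code from any poster or from Check Point), the Python check below parses the new firewall's local.arp and a saved 'show ip arp' capture from the router and reports every published address whose cached MAC differs from the one the firewall now answers with; the '<ip> <mac>' local.arp layout, the Cisco row format and all addresses/MACs are assumed or constructed samples.

```python
import re

# Constructed sample of the new firewall's local.arp (assumed '<ip> <mac>' layout).
LOCAL_ARP = """
# NATed addresses the new firewall answers ARP for
192.0.2.10   00-50-56-AA-BB-01
192.0.2.11   00-50-56-AA-BB-01
"""
# Constructed sample of 'show ip arp' saved from the ISP router.
ROUTER_ARP = """
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  192.0.2.10            142   0010.4b11.2233  ARPA   FastEthernet0/0
Internet  192.0.2.11              3   0050.56aa.bb01  ARPA   FastEthernet0/0
"""

def normalize_mac(mac: str) -> str:
    """Reduce 00-50-56-AA-BB-01, 00:50:56:aa:bb:01 or 0050.56aa.bb01 to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_local_arp(text: str) -> dict[str, str]:
    """Map each published IP to the MAC the firewall will answer with; '#' starts a comment."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = normalize_mac(fields[1])
    return table

def parse_cisco_arp(text: str) -> dict[str, str]:
    """Map each IP in 'Internet <ip> <age> <mac> ARPA <if>' rows to its cached MAC."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            table[fields[1]] = normalize_mac(fields[3])
    return table

def stale_entries(local_arp: dict[str, str], router_arp: dict[str, str]) -> list[tuple[str, str, str]]:
    """(ip, mac the firewall publishes, mac the router cached) for every mismatch."""
    return [(ip, mac, router_arp[ip]) for ip, mac in sorted(local_arp.items())
            if ip in router_arp and router_arp[ip] != mac]

if __name__ == "__main__":
    for ip, want, have in stale_entries(parse_local_arp(LOCAL_ARP), parse_cisco_arp(ROUTER_ARP)):
        print(f"{ip}: router caches {have}, firewall publishes {want} -> clear/refresh ARP")
```

Run against real captures, an empty result means the router already resolves every NATed address to the new firewall; any line printed is an address that will keep being delivered to the old box until its ARP entry is cleared.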