RE: [FW1] I hate local.arp
This is true and tripped me up also. Your FW's internal interface anti-spoofing policy must treat as valid addresses the external range that you're trying to NAT your internal stuff to.

Ian

-----Original Message-----
From: Vijay [mailto:[email protected]]
Sent: Friday, September 08, 2000 1:58 PM
To: 'eric'; 'Dan Hitchcock'; 'FW-1 Mailing List (E-mail)'
Subject: RE: [FW1] I hate local.arp

Eric is right. If the settings of local.arp are done correctly and it is still not working, try setting the valid addresses on the firewall interfaces to "Any" (anti-spoofing).

Regards
Vijay Joseph

-----Original Message-----
From: eric [mailto:[email protected]]
Sent: Friday, September 08, 2000 1:44 PM
To: 'Dan Hitchcock'; 'FW-1 Mailing List (E-mail)'
Subject: RE: [FW1] I hate local.arp

I never had that much problem with it. Did you make sure your antispoofing settings are correct? That tripped me up once or twice.

eric.

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Dan Hitchcock
Sent: Friday, September 08, 2000 4:14 PM
To: FW-1 Mailing List (E-mail)
Subject: [FW1] I hate local.arp

Okay, so I see now why local.arp is such a bummer.

#1 - It does not work correctly.
#2 - see #1.

Per postings over the last couple weeks (I've saved them all) and Checkpoint docs, I have tried to create the local.arp using nearly all permutations of space vs. tab between IP and MAC, dashes or colons in MAC, WordPad, Notepad, or DOS EDIT as editor, etc., all with no luck. My static route in NT is there.
I've created a workstation object with the internal IP address, and (per Checkpoint documentation), added an automatic static translation rule to the object using the NAT tab (I also tried creating the NAT rule manually). I have stopped and started the firewall numerous times during these, both from the command line and the Services control panel. I've rebooted ad nauseam.

The symptom is always the same - when trying to connect to the internal Web server via the NAT, the browser IMMEDIATELY returns a "page cannot be displayed" error. This happens from various locations with different browsers. I see the packet accepted in the log, along with the correct translation information. If I PING the ARPed address from another machine on the same segment as the outside of the firewall, a correct IP/MAC pair appears in the ARP table on the machine, but the PING times out. I can PING the "real" address of the outside of the firewall without issues.

Why is this so hard? Someone please point out my stupidity and improve my quality of life by providing the magic answer. "Obvious" suggestions are more than welcome.

Thank you very very very very much.

Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc.
(formerly employeesavings.com)
The work/life solution for corporate thought leaders

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
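The check Ian describes at the top of the thread, as an added example that is not part of the original messages: for each static NAT rule, confirm that the translated address is in the valid-address set of the interface leading to the real host. The dictionary layout, interface names and addresses below are constructed for illustration and are not FW-1's own configuration format.

```python
import ipaddress

def unvalidated_nat_addresses(interfaces, static_nat):
    """Return (interface, real, translated) for every static NAT rule whose
    translated address anti-spoofing would not accept on the interface
    that leads to the real host. interface is None if no interface matches."""
    findings = []
    for real, translated in static_nat:
        real_ip = ipaddress.ip_address(real)
        nat_ip = ipaddress.ip_address(translated)
        # Find the interface whose attached network contains the real host.
        owner = next((name for name, cfg in interfaces.items()
                      if real_ip in ipaddress.ip_network(cfg["network"])), None)
        if owner is None:
            findings.append((None, real, translated))
            continue
        valid = interfaces[owner]["valid_addresses"]
        if valid == "any":          # anti-spoofing effectively off for this interface
            continue
        if not any(nat_ip in ipaddress.ip_network(net) for net in valid):
            findings.append((owner, real, translated))
    return findings

# Constructed sample data (hypothetical layout, documentation address ranges).
STATIC_NAT = [("10.1.1.20", "192.0.2.5")]   # internal web server -> NAT address

BROKEN = {
    "internal": {"network": "10.1.1.0/24", "valid_addresses": ["10.1.1.0/24"]},
    "external": {"network": "192.0.2.0/28", "valid_addresses": "any"},
}
# Fix in the spirit of Ian's reply: add the NAT address to the internal
# interface's valid addresses instead of opening it to "any".
FIXED = {
    "internal": {"network": "10.1.1.0/24",
                 "valid_addresses": ["10.1.1.0/24", "192.0.2.5/32"]},
    "external": {"network": "192.0.2.0/28", "valid_addresses": "any"},
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, unvalidated_nat_addresses(cfg, STATIC_NAT))
```

Setting the valid addresses to "Any", as Vijay suggests, also clears the finding, at the cost of no longer restricting which addresses the interface accepts.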