Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: FW-1 NAT problem -Reply -Reply
From: Richard Gilman <rgilman @ vortexdata . com>
Date: Mon, 30 Sep 1996 09:12:01 -0700
To: pokey @ maddie . atlantic . com
Cc: firewalls @ GreatCircle . COM, brians @ nj2 . sylvest . com, brians @ sylvest . com

Thanks for the pointers! I finally got back to the FW-1 project and had a
chance to check into it a little further. I had tried the routes and arp
entries per docs, and it didn't work. I downloaded version 2.1b (was
using v2.1) and started fresh. Now it seems to work per the docs.
Basically I added the host route for the HIDE address and the SRC/DST
address to the Internet router. Then just to start, I thought I'd add the arp
entry for the SRC/DST address to the Firewalled NT box and it seems to
work (holding breath). FYI ... I only needed to add an arp entry for the
SRC/DST address and not the HIDE address. I guess I'll have to keep
playing with it to see if the arp keeps working. This is in a testing
environment so there is nothing at risk behind the FW yet. The next thing I
get to do is figure out how to secure NT :-{0  ....  but that's a different
subject.

Later
Rich

>>> Rick Romkey <pokey @ maddie . atlantic . com> 09/20/96 01:44pm >>>


It sure is an ARP problem.  Whenever you use SRC/DEST, you
need to add a route entry and an ARP entry.  If you are using
FW-1 for NT, this means this ARP entry needs to be done on
some external box with a more capable ARP since NT's doesn't
seem to publish arp entries to the network.

-Rick

> 
> Sounds like you're having the same problem that I'm having.
> 
> Try translating to the actual ip address of le0. i.e.
> 
> 10.0.1.64, 10.0.1.64, FWXT_SRC_STATIC, 205.161.216.80
> 205.161.216.80, 205.161.216.80, FWXT_DST_STATIC, 10.0.1.64
> 10.0.0.25, 10.0.0.25, FWXT_SRC_STATIC, 205.161.216.80
> 205.161.216.80, 205.161.216.80, FWXT_DST_STATIC, 10.0.0.25
> 
> I believe that it's an arp problem...but haven't had time to check any
> further. If you get it solved, please let me know.
> 
> Thanks
> Rich
> 
> 
>
----------------------------------------------------------------------------
 Rick E Romkey     |          A T L A N T I C           |     Internet
 pokey @ atlantic . com |  Computing Technology Corporation  |   Specialists
 (860) 667-9596    |     http://www.atlantic.com/       |    
-----------------------------------------------------------------------------
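As an added example (not code from this thread or from FW-1), the check Rick describes, worked over the four translation lines quoted above. It assumes each line reads range-start, range-end, method, translated address (an assumption about the quoted format), and reports which public addresses need a host route on the Internet router and a published ARP entry on the external segment, plus outbound rules with no matching inbound rule and public addresses mapped inbound to more than one host.

```python
"""Consistency check for FW-1 style static NAT translation lines.

Column meaning (range start, range end, method, translated address) is an
assumption; the sample lines are the four quoted in the thread.
"""
from collections import defaultdict

# Constructed sample: the four translation lines from the quoted message.
SAMPLE_RULES = """\
10.0.1.64, 10.0.1.64, FWXT_SRC_STATIC, 205.161.216.80
205.161.216.80, 205.161.216.80, FWXT_DST_STATIC, 10.0.1.64
10.0.0.25, 10.0.0.25, FWXT_SRC_STATIC, 205.161.216.80
205.161.216.80, 205.161.216.80, FWXT_DST_STATIC, 10.0.0.25
"""


def parse_rules(text):
    """Split each non-empty line into a (start, end, method, translated) tuple."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            rules.append(tuple(f.strip() for f in line.split(",")))
    return rules


def check_static_nat(text):
    """Return (public_addrs, problems).

    public_addrs: external addresses that need a host route on the Internet
    router pointing at the firewall and a published ARP entry on the
    external segment (on another box if the firewall is NT, per the thread).
    problems: findings a practitioner should look at before going live.
    """
    src = {}                 # internal -> public (FWXT_SRC_STATIC, outbound)
    dst = defaultdict(list)  # public -> [internal] (FWXT_DST_STATIC, inbound)
    problems = []
    for start, end, method, translated in parse_rules(text):
        if start != end:
            problems.append(f"range {start}-{end}: single-host entries assumed")
        elif method == "FWXT_SRC_STATIC":
            src[start] = translated
        elif method == "FWXT_DST_STATIC":
            dst[start].append(translated)
        else:
            problems.append(f"unknown method {method}")
    for internal, public in src.items():
        if internal not in dst.get(public, []):
            problems.append(f"{internal}->{public} has no matching inbound rule")
    for public, internals in dst.items():
        if len(internals) > 1:
            problems.append(f"{public} maps inbound to several hosts: {', '.join(internals)}")
    return sorted(set(src.values()) | set(dst)), problems
```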
