Subject: RE: Firewall-1 and NAT. Please help!
From: manuel.ricca@pararede.pt
Date: 02 Feb 98 17:32:35 +0000
To: firewalls@GreatCircle.com (Non Receipt Notification Requested)
Alternate-recipient: Prohibited
Autoforwarded: FALSE
Conversion: Allowed
Conversion-with-loss: Allowed
Delivery-date: 02 Feb 98 17:32:43 +0000
Importance: normal
Message-type: Multiple Part
Original-encoded-information-types: IA5-Text
X400-content-type: P2-1984
X400-mts-identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-34cacc57-Tubarao]
X400-originator: manuel.ricca@pararede.pt
X400-received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 02 Feb 98 17:32:35 +0000
X400-recipients: firewalls@GreatCircle.com

No, the arp was working fine.
The problem was that I didn't have a hosts file defined for FW-1.
It sounds stupid enough, but it does say in the manual that you
have to do it.
Thanks,
manuel
----------
From: cbrenton@sover.net [SMTP:cbrenton@sover.net]
Sent: Wednesday, 28 January 1998 4:30
To: manuel ricca
Cc: firewalls@GreatCircle.COM
Subject: Re: Firewall-1 and NAT. Please help!

manuel.ricca@pararede.pt wrote:
> Created the file local.arp at c:\winnt\fw\bin with the line
> <fake IP> <External FW-1 interface MAC>.
>
> Now, I'm sitting at a machine on the external net (just a net, no router yet) and
> desperately running ping.
> I can reach the real IP (192.168...), which I suppose is OK.
> I cannot reach the machine with the fake IP.
From experience, this does not work on NT. Sun gives you a -P (for publish) option
when creating ARP cache entries which allows the machine to reply to ARP requests for
other IP addresses. I think Checkpoint was *hoping* that the local.arp file would work
the same way, which it does not.
Instead, create an ARP entry on any hosts on the external side of your firewall (your
test machine and the router when it arrives) that uses the legal translated address
and the firewall's MAC.
Cheers,
Chris
--
**************************************
cbrenton@sover.net
Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
Support the anti-spam movement: http://www.cauce.org/
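
The workaround in the message above (a static ARP entry on each external host, pairing the legal translated address with the firewall's MAC) can be checked with a short script. This is an added example, not part of the original thread: it audits Windows-style `arp -a` output and lists the `arp -s` commands still needed. The addresses, MACs and sample table are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `arp -a` output from a host on the firewall's external
# segment (documentation-range addresses, made-up MACs; not from the thread).
SAMPLE_ARP_A = """\
Interface: 203.0.113.50 on Interface 0x1000002
  Internet Address      Physical Address      Type
  203.0.113.1           00-a0-c9-00-00-01     dynamic
  203.0.113.10          00-a0-c9-00-00-01     static
  203.0.113.11          00-60-97-aa-bb-cc     dynamic
"""

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.I,
)

def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} from Windows-style `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def audit_nat_arp(text, translated_ips, firewall_mac):
    """Check that each translated (NAT) address is statically bound to the
    firewall's external MAC; return (status per address, suggested fixes)."""
    fw = firewall_mac.lower()
    table = parse_arp_table(text)
    status, fixes = {}, []
    for ip in translated_ips:
        mac, kind = table.get(ip, (None, None))
        if mac is None:
            status[ip] = "missing"      # nothing answers ARP for this address
        elif mac != fw:
            status[ip] = "wrong-mac"    # another device claims it: investigate
        elif kind != "static":
            status[ip] = "dynamic"      # correct now, but the entry will age out
        else:
            status[ip] = "ok"
        if status[ip] != "ok":
            fixes.append(f"arp -s {ip} {fw}")
    return status, fixes

if __name__ == "__main__":
    nat_ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    status, fixes = audit_nat_arp(SAMPLE_ARP_A, nat_ips, "00-A0-C9-00-00-01")
    for ip in nat_ips:
        print(ip, status[ip])
    print("\n".join(fixes))
```

A `wrong-mac` result means some other device is answering for the translated address, which should be tracked down before the entry is overwritten.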