Well, in the FW's doc. it says to enable IP routing (for NAT to work) in the
NT TCP/IP configuration, believe it or not. One of my first steps in
"hardening" an NT machine is to disable IP routing (fine, it is so by default
anyway). So for the longest frickin while I was trying to make that stupid
thing work, and two days ago I got a new version of the s/w and a new
version of the manuals, and this time it tells me that (enable IP routing).
So that's why I am asking if it is the same case on, let's say, FW-1 or
Gauntlet etc...?

Also, if you type arp, it tells you that with the -s switch, the entry is
permanent (MS employs permanent, not persistent).

Thanks
Jean

> -----Original Message-----
> From: Enno Rey [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, October 30, 1999 5:09 PM
> To: Jean Morissette
> Cc: [EMAIL PROTECTED]
> Subject: Re: arp problems
>
>
> Jean Morissette wrote:
>
> > I have an NT-based fw and I added a second IP address to the network
> > interface card (public interface of the FW); this IP address corresponds to
> > a NAT address (set up in the fw config.).
> >
> > My problem is when I do arp -a I do not see the IP address matching the MAC
> > ID of the NIC.  I add it statically (I thought that would be permanent) and
> > it works fine.  When I reboot the ARP entry is gone?   Normal on NT?
>
> I think so. For NT's TCP/IP-stack details generally see
> www.microsoft.com/ntserver/commserv/techdetails/techspecs/tcpip.asp
> though there's nothing indicated in it for your question.
>
> >
> > Is it normal that on NT based fw, I have to enable routing at the OS level
> > for NAT to work?
>
> Depends on your firewall. Normally one of the first steps performed on a
> kind-of-secured computer: disable IP-forwarding.
> No firewall should rely on the OS's forwarding capabilities, but implement some
> packet-forwarding mechanism itself. In case of NT you should also consider
> KB articles Q217336 and Q238453.
>
> Regards,
>
> Enno
>
> [EMAIL PROTECTED]
>
