Probably what you were seeing with the failure of incoming NAT connections is your ARP cache in your gateway router. NG by design does automatic ARPs for NAT'ed connections; however, upon restart of your FW, your gateway router will not always automatically refresh your ARP cache. You should be able to view your ARPs in your gateway router. In the case of a Cisco, you can do 'sh arp'. You should see all your NAT'ed IPs with the same MAC address as the external interface of your firewall. You can confirm what that is with the 'ifconfig -a' command in Solaris. You can probably get this to refresh with the 'clear arp' command (Cisco) or equivalent. Worst case, restart your router and it should relearn your ARPs. I have seen a couple of cases when my router did not relearn my ARPs, and I had to do a cpstop and cpstart to get it to refresh. I am not sure if that is a bug in NG FP3 or not. Getting your gateway router to relearn ARPs would most definitely be a problem if you change out your firewall box, as MACs are unique to interface adapters, and would be different for each hardware platform. If you are not sure about the command set for your router, the easiest fix is to restart your router.
hope this helps

Hal

Hal Dorsman
Network Administrator
Rocky Mountain Elk Foundation
Missoula, Montana USA
[EMAIL PROTECTED]
(406)523-4576

> -----Original Message-----
> From: Chris Cameron [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 05, 2004 8:25 AM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] Problems when restarting FW-1 Server
>
> We use Firewall-1 for NAT (incoming and outgoing), PAT, VPN connections
> and (obviously) as a plain firewall. Last week after I rebooted
> (shutdown -i6 -g0 -y) the firewall came back up only partially working.
>
> Outgoing NAT and VPN connections worked as did PAT and NAT when going
> through the VPN. However I later realized that NAT from the outside
> didn't work. Nothing unusual at the time was being shown through the log
> viewer. I was able to fix this after a recompile of the rules from the
> Policy Editor.
>
> When replacing an old firewall with this new one, I did a lot of
> unplugging and plugging in of NIC cards while the servers were still
> running, and had the same problems. Most things would work once I
> plugged the NIC back in, but some things wouldn't be working, in all
> sorts of combinations. All these problems were fixed with a ruleset
> recompile. Restarting the firewall daemons or the server itself at this
> point didn't help.
>
> I'm running Firewall-1 NG FP2 with Solaris 8 on a V100 machine; prior to
> this we were using an Ultra 10 with NG FP2, both have this same problem.
>
> Anyone else run across this? I can reproduce (and fix) this problem (a
> little too) easily, and I'm worried it's a sign of a bigger problem.
>
> Thanks,
> Chris
>
> --
> Chris Cameron
> UpNIX Internet Administrator
> ardvark.upnix.net
> bitbucket.upnix.net
> --
> http://www.upnix.com
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
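One way to turn the check Hal describes (every NAT'ed address in the router's ARP table should carry the MAC of the firewall's external interface) into a repeatable script. This is an added example, not code from the thread or from Check Point; it runs over constructed `sh arp` and `ifconfig -a` output, and the interface name eri0, the addresses and the MACs are all made up. It also handles the notation difference a practitioner hits immediately: Cisco prints MACs as three dotted 16-bit groups while Solaris prints six colon-separated octets with leading zeros dropped.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the NAT'ed addresses in a
# Cisco "show arp" listing with the MAC of the firewall's external interface as
# reported by Solaris "ifconfig -a". All command output below is constructed.

# awk program: normalize both MAC notations, then classify each NAT'ed address.
NAT_ARP_AWK='
function pad(s, n)  { while (length(s) < n) s = "0" s; return s }
# Cisco writes 0003.ba12.3456, Solaris writes 0:3:ba:12:34:56 (leading zeros dropped);
# both become 12 lowercase hex digits so they can be compared as strings.
function norm(mac,   n, parts, i, out) {
    mac = tolower(mac); out = ""
    n = split(mac, parts, "[.:-]")
    if (n == 3)      for (i = 1; i <= 3; i++) out = out pad(parts[i], 4)
    else if (n == 6) for (i = 1; i <= 6; i++) out = out pad(parts[i], 2)
    else             out = mac
    return out
}
BEGIN { nips = split(ips, want, " ") }
$1 == "Internet" { seen[$2] = norm($4) }        # show arp: Protocol Address Age MAC Type If
END {
    fw = norm(fwmac)
    for (i = 1; i <= nips; i++) {
        ip = want[i]
        if (!(ip in seen))        status = "MISSING"   # router has not learned it yet
        else if (seen[ip] == fw)  status = "OK"        # entry points at this firewall
        else                      status = "STALE"     # e.g. the replaced firewall NIC
        print ip, status
    }
}'

# check_nat_arp FW_MAC "IP IP ..."  (reads "show arp" output on stdin)
# Prints one "IP OK|STALE|MISSING" line per NAT'ed address.
check_nat_arp() {
    awk -v fwmac="$1" -v ips="$2" "$NAT_ARP_AWK"
}

# ifconfig_mac IFACE  (reads "ifconfig -a" output on stdin) -> that interface's ether address
ifconfig_mac() {
    awk -v want="$1" '
        /^[A-Za-z]/ { inblock = (substr($1, 1, length($1) - 1) == want) }
        inblock && $1 == "ether" { print $2; exit }
    '
}

# Constructed "ifconfig -a" output from the Solaris firewall (Solaris shows the
# ether line only to root). eri0 is the assumed external interface.
sample_ifconfig() {
cat <<'EOF'
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.2 netmask ffffff00 broadcast 192.0.2.255
        ether 0:3:ba:12:34:56
eri1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.0.0.1 netmask ffffff00 broadcast 10.0.0.255
        ether 0:3:ba:12:34:57
EOF
}

# Constructed "show arp" output from the Cisco gateway router: .10 was relearned
# from the new firewall, .11 still holds the old firewall's MAC, .12 has no entry.
sample_show_arp() {
cat <<'EOF'
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0012.3456.789a  ARPA   FastEthernet0/0
Internet  192.0.2.2               3   0003.ba12.3456  ARPA   FastEthernet0/0
Internet  192.0.2.10              3   0003.ba12.3456  ARPA   FastEthernet0/0
Internet  192.0.2.11            142   0800.2098.7654  ARPA   FastEthernet0/0
EOF
}

# run_check -> report for the (constructed) NAT'ed addresses 192.0.2.10-12
run_check() {
    fw_mac=$(sample_ifconfig | ifconfig_mac eri0)
    sample_show_arp | check_nat_arp "$fw_mac" "192.0.2.10 192.0.2.11 192.0.2.12"
}

# count_problems -> number of NAT'ed addresses whose ARP entry is not the firewall's
count_problems() {
    run_check | grep -vc ' OK$'
}

run_check
```

Against live systems the two sample functions are replaced by the real `ifconfig -a` on the firewall and `sh arp` captured from the router; a STALE line after a hardware swap is exactly the symptom in the thread, and MISSING after a firewall restart is the cue to wait for NG's automatic ARPs or to clear the router's cache.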
