Hi,
If you have no alternative but to use manual NAT, how can you achieve it in an HA environment? On Solaris boxes, you can make a manual "arp <virtual ip> <firewall-interface mac> pub" entry with the MAC of the active node. But when there is a failover, the MAC remains unchanged instead of the new one being published.
How can it be automated?
Thanks.
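As an added example (not part of the thread, and not a Check Point or Sun tool), one way to automate the re-publishing asked about above: a POSIX sh script meant to run from the HA failover hook on the node that has just become active, so the NAT addresses are published with that node's own MAC. It assumes the Solaris commands `arp -s <ip> <mac> pub`, `arp -d <ip>` and `arp <ip>` (whose output ends in "... at <mac> permanent published"), and that `ifconfig <iface>` run as root prints an `ether` line; the interface name, addresses and MACs in the comments are made up.

```shell
#!/bin/sh
# republish_proxy_arp.sh  (added example; not from the original thread)
#
# On the node that has just become active, (re)publish the proxy ARP entries
# for the NAT addresses with that node's own interface MAC, so upstream
# routers stop sending traffic to the MAC of the node that failed.
# Intended to be called from the HA failover hook.  Solaris commands assumed:
#     arp -s <ip> <mac> pub   publish an entry
#     arp -d <ip>             delete an entry
#     arp <ip>                show one entry ("... at <mac> permanent published")
#
# Usage: republish_proxy_arp.sh <iface> <nat-ip> [<nat-ip> ...]
#   e.g. republish_proxy_arp.sh qfe0 203.0.113.9 203.0.113.11   (made-up values)
# Environment overrides (useful for dry runs and tests):
#   ARP_CMD       command used for ARP table operations   (default: arp)
#   IFCONFIG_CMD  command used to read the interface MAC  (default: ifconfig)
#   DRY_RUN=1     print the arp commands instead of executing them

ARP_CMD=${ARP_CMD:-arp}
IFCONFIG_CMD=${IFCONFIG_CMD:-ifconfig}
DRY_RUN=${DRY_RUN:-0}

# MAC of an interface, from the "ether" line of Solaris ifconfig output
# (only shown when ifconfig runs as root).
mac_of_iface() {
    "$IFCONFIG_CMD" "$1" 2>/dev/null | awk '$1 == "ether" { print $2; exit }'
}

# MAC currently published for an IP (empty if there is no published entry).
published_mac() {
    "$ARP_CMD" "$1" 2>/dev/null | awk '
        /published/ { for (i = 1; i < NF; i++) if ($i == "at") { print $(i + 1); exit } }'
}

# Execute a command, or in dry-run mode just print it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Publish every NAT address with the given MAC, touching only entries that
# are missing or still carry another node's MAC (idempotent on re-runs).
republish() {
    mac=$1; shift
    for ip in "$@"; do
        cur=$(published_mac "$ip")
        if [ "$cur" = "$mac" ]; then
            continue                        # already correct: leave it alone
        fi
        if [ -n "$cur" ]; then
            run "$ARP_CMD" -d "$ip"         # drop the failed node's stale entry
        fi
        run "$ARP_CMD" -s "$ip" "$mac" pub
    done
}

main() {
    iface=$1; shift
    mac=$(mac_of_iface "$iface")
    if [ -z "$mac" ]; then
        echo "cannot read MAC of $iface (run as root?)" >&2
        return 1
    fi
    republish "$mac" "$@"
}

# Only act when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it with DRY_RUN=1 first to see which entries it would delete and republish; entries that already carry the active node's MAC are left untouched, so it is safe to call on every failover or from cron as a safety net.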
Gary Scott wrote:
Automatic ARP is only for automatic NAT rules. This does not work for manual NAT rules.
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Phil Wang
Sent: Wednesday, October 06, 2004 7:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Proxy ARP not working with manual NAT with Secure Platform NG AI R55
I have done both from the very beginning, destination on client side and automatic ARP configuration, but it does not seem to be working.
Cheers,
Phil
-----Original Message-----
From: William Iselin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 6 October 2004 11:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Proxy ARP not working with manual NAT with Secure Platform NG AI R55
You don't need to add manual ARP entries. Go into Global Properties -> NAT and make sure the defaults are selected, which is all of them (but 'automatic ARP configuration' is what's important here). It will create ARPs for both automatic NAT and manual NAT.
HTH, Bill
-----Original Message-----
From: Phil Wang [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 06, 2004 4:40 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Proxy ARP not working with manual NAT with Secure Platform NG AI R55
Hi All,
I have installed NG AI R55 on SPLAT. I noticed that the f/w doesn't respond to the manual NAT rule's IP address. I have settings as follows:
f/w interfaces: Ext: 202.x.x.1/27 Int: 192.168.1.1/24 DMZ: 10.10.1.1/24
Mail Server: 192.168.1.9 DMZ Server: 10.10.1.11
The requirements are:
1. NAT mail server to 202.x.x.9 on SMTP port 25
2.1 NAT DMZ server to 202.x.x.11 on HTTPS port 443
2.2 NAT DMZ server to 202.x.x.21 on HTTPS port 443 with port redirection to TCP port 442.
First I added three ARP entries for these 3 IP addresses respectively. Then I created two automatic NAT rules for requirements 1 and 2.1 and one manual NAT rule for 2.2. Both automatic rules are working fine but it seems the f/w is not responding to the ARP query for the manual NATed IP 202.x.x.21. I see all ARP entries with the arp command but only see the two automatic NATed ARP entries with fw ctl arp. Also, I went through some docs found online and tried to add a specific route for 202.x.x.21 with gw 10.10.1.12. That did not work either. Another thing I tried is to use mapped HTTPS, and I found that if I use the f/w address 202.x.x.1 instead of 202.x.x.21, it works. With 202.x.x.21 (and the ARP entry added in), no luck either.
I have gathered that SPLAT has some proxy ARP issues and needs an ARP entry and a specific route to be added. Now it seems proxy ARP works only with automatic NAT rules but not manual NAT rules. Has anyone seen this issue before?
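As an added example (not Phil's or Check Point's code), a small POSIX sh diagnostic for the symptom above: it compares the OS ARP table (`arp -an`) with the entries the firewall itself answers for (`fw ctl arp`) and emits the NAT addresses the firewall is not proxying as lines in the format of `$FWDIR/conf/local.arp` (one `<ip> <mac>` pair per line), which is where SecurePlatform gateways of this generation take the proxy ARP entries for manual NAT; the option in Global Properties -> NAT to merge manual proxy ARP configuration, where present, has to be enabled and the policy reinstalled afterwards. The addresses and MACs in the comments are made up, and the exact column layout of the two commands is not relied on: the parsers only assume each relevant line carries one IPv4 address and, for the OS table, one colon-separated MAC.

```shell
#!/bin/sh
# proxyarp_gap.sh  (added example; not from the original thread)
#
# Compare the OS ARP table with the entries the firewall itself answers for
# ("fw ctl arp") and list the NAT addresses the firewall is NOT proxying,
# which is the symptom reported above.  For each of those, emit a line in
# the format of $FWDIR/conf/local.arp ("<ip> <mac>", one pair per line,
# MAC taken from the OS table) so the address can be added there and the
# policy reinstalled.
#
# Usage (on the SecurePlatform gateway; addresses below are made up):
#   arp -an > /tmp/os.arp
#   fw ctl arp > /tmp/fw.arp
#   sh proxyarp_gap.sh /tmp/os.arp /tmp/fw.arp 203.0.113.9 203.0.113.11 203.0.113.21
#
# The parsers only assume that each relevant line carries one IPv4 address
# and (in the OS table) one xx:xx:xx:xx:xx:xx MAC; they do not depend on the
# exact column layout of either command.

# First IPv4 address of each stdin line, one per output line.
ipv4s() {
    awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { print substr($0, RSTART, RLENGTH) }'
}

# MAC recorded for IP $1 in the ARP-table dump $2 (empty if the IP is absent).
# The IP is matched as a whole token so 203.0.113.2 does not hit 203.0.113.21.
mac_for_ip() {
    awk -v ip="$1" '
        $0 ~ ("(^|[^0-9.])" ip "([^0-9.]|$)") {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+$/) {
                    print $i; exit
                }
        }' "$2"
}

# NAT addresses ($2...) that do not appear in the fw ctl arp dump ($1).
missing_proxy_arp() {
    fw_ips=$(ipv4s < "$1"); shift
    for ip in "$@"; do
        printf '%s\n' "$fw_ips" | grep -qx "$ip" || echo "$ip"
    done
}

# local.arp lines for the missing addresses: local_arp_lines <os> <fw> <ip>...
# Addresses whose MAC the OS table does not know are reported on stderr.
local_arp_lines() {
    os=$1; shift
    for ip in $(missing_proxy_arp "$@"); do
        mac=$(mac_for_ip "$ip" "$os")
        if [ -n "$mac" ]; then
            echo "$ip $mac"
        else
            echo "$ip: no OS ARP entry to take the MAC from" >&2
        fi
    done
}

# Only act when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
    local_arp_lines "$@"
fi
```

The output is what the firewall is silently not answering for; an address that shows up with `arp` but not with `fw ctl arp` is exactly the 202.x.x.21 case above, and the emitted `<ip> <mac>` line is what goes into local.arp before the policy is pushed again.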
