Try shutting down "proxy arp" (at least on EXT ROUTER) on these routers. If you have Cisco routers, for the interface connected to the Firewall do:

no ip proxy-arp

Proxy arp is ON by default on Cisco routers, so it can answer for any unknown destination and start routing packets without you knowing. I saw this weirdness a few months back when routing was random, even though the machine is directly connected to the FW interface network and specific routes are defined to it. Cisco proxy arping is trying to screw things sometimes.

Note: Make sure you are not using proxy arp accidentally. What I mean here is that at your 10.1.1.x network, you have all routes defined properly. Like default -> Inet router etc.

I guess turning OFF proxy arping on (EXT ROUTER) is safe, but use caution for (INT ROUTER), it may break something if you are unknowingly using proxy arp.

Hope this helps.
Rajeev
"Sprickerhoff, Eldon" wrote:
>
> Recently discovered something very odd about the PING activity from one of
> my firewalls.
>
> The network looks as follows:
>
> EXT ROUTER ----------- FIREWALL ---------------INT ROUTER -------- 10.1.1.x
>
>
> If I try, from the firewall, to ping 10.1.1.1, it sends traffic through the
> external interface. However, if I fwstop the firewall, it sends traffic
> through the proper (internal) interface. I can ping the internal router
> either way - the problem only arises when I try to get one (or more) hops
> beyond.
>
> The firewall object itself doesn't have NAT established, and the interfaces
> are properly configured. ICMP is configured as Before Last.
>
> Any hints would be appreciated.
>
> EWS
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
--
#########################################################################
(Titanic creators used Linux to simulate the sinking of the great ship)
#########################################################################
Rajeev Kumar ([EMAIL PROTECTED])
Fluent Inc. 10, Cavendish Court, Lebanon NH-03766
-------------------------------------------------------------------------
Phone :: (603)-643-2600 x 349 Fax :: (603)-643-3967
Web:: http://www.fluent.com
#########################################################################
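Added example, not part of the original messages: one way to check from the firewall's ARP cache whether a neighbour is answering ARP for addresses outside the connected subnet, which is what proxy ARP on the EXT ROUTER would look like. The `arp -an` output format, the interface names, the MAC addresses and every subnet except 10.1.1.x are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in Linux/BSD `arp -an` style, as it might look on the firewall.
SAMPLE_ARP = """\
? (192.0.2.1) at 00:00:5e:00:53:01 [ether] on eth0
? (10.1.1.1) at 00:00:5e:00:53:01 [ether] on eth0
? (172.16.0.1) at 00:00:5e:00:53:02 [ether] on eth1
? (172.16.0.9) at <incomplete> on eth1
"""

# Assumed directly connected subnets per interface (eth0 external, eth1 internal).
CONNECTED = {"eth0": "192.0.2.0/24", "eth1": "172.16.0.0/24"}

ENTRY = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) .*\bon (?P<iface>\S+)"
)


def parse_arp(text):
    """Return (ip, mac, iface) for every resolved entry; <incomplete> is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            entries.append((ip, m["mac"].lower(), m["iface"]))
    return entries


def find_proxy_arp(entries, connected):
    """Flag ARP entries whose IP is not on the interface's connected subnet."""
    nets = {i: ipaddress.ip_network(n) for i, n in connected.items()}
    owners = {}  # (iface, mac) -> on-link IPs that legitimately use that MAC
    for ip, mac, iface in entries:
        if iface in nets and ip in nets[iface]:
            owners.setdefault((iface, mac), []).append(str(ip))
    findings = []
    for ip, mac, iface in entries:
        if iface in nets and ip not in nets[iface]:
            findings.append({"ip": str(ip), "iface": iface, "mac": mac,
                             "answered_by": owners.get((iface, mac), [])})
    return findings


if __name__ == "__main__":
    for f in find_proxy_arp(parse_arp(SAMPLE_ARP), CONNECTED):
        print(f"{f['ip']} resolved on {f['iface']} via {f['mac']} "
              f"(on-link owner: {', '.join(f['answered_by']) or 'unknown'})")
```

An off-subnet address only shows up in the ARP cache when the host's own routing treated it as on-link for that interface, so a finding points at both the answering router and the local route that caused the ARP request.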