The following was taken directly from CheckPoint's knowledge base.
A note on:
#1: The FWSTOP and FWSTART need only be done once the local.arp file and
route have been added.
#2: The local.arp must reside in the FWDIR\state directory. That is where
CP looks to set up the arp entry in NT, as NT has no ability to add
static/permanent arp entries.
#3: The MAC should be separated by dashes as indicated here. This does
work. Other methods may work, but clearly this is the stated method.
#4: The route is technically not necessary if the IP address is on a
network directly connected to an interface on the firewall if your firewall
is doing inbound inspection. The route is, however, necessary if your
rulebase is doing eitherbound/outbound inspection. In any case it is wise
to add the route with -p. The syntax is:
x.x.x.x 255.255.255.255 y.y.y.y where x.x.x.x is the outside address and
y.y.y.y is the inside address. The mask is 32-bit and indicates a 1:1 route.
Before you install the policy, check to see if you can ping. If your
firewall is not answering you may have another problem. Recheck the ARP and
clear the ARP on the router if it has not cleared itself.
If, from the outside, you can ping, add the appropriate rules and push the
policy. To test you should allow ping temporarily.
The rules should read:
Source       Dest         Service   Action
ANY*         Outside IP   ANY*      Accept
Inside IP    ANY*         ANY*      Accept*
*whatever you determine
The NAT rule should read:
Source       Dest         Service   Xlate Src    Xlate Dest   Xlate Service
Inside IP    ANY          ANY       Outside IP   Original     Original
Any          Outside IP   ANY       Original     Inside IP    Original
You should try not to use Windows text editors as additional control
characters may be added. Also the file must be named exactly as it is
below.
Solution: How to set up Static NAT on Windows NT 4.0
(bec3aa04-5792-11d4-8a94-080020cf9075) Set up Static NAT for Windows NT 4.0
as follows:
1. Run fwstop from $FWDIR\bin
2. From the command prompt, create a file called local.arp in $FWDIR\state
3. In local.arp, input the valid IP address being used for the static NAT
followed by a space and the MAC address of the external NIC card (All on the
same line. The sets of numbers and/or letters used in the MAC address should
be separated by dashes)
4. After saving local.arp, add a route to the operating system by opening a
command prompt and running the command:
route add -p <valid address> <invalid address>
5. Open the security policy editor, create a new workstation object for the
machine being NATed
6. Input the pertinent information on the general tab (name and IP), then
click on the NAT tab
7. Click "use automatic translation rules", set the mode to static, input
the valid IP address behind which the machine is being NATed, and choose
install on "all"
8. Run fwstart from $FWDIR\bin
9. Install the policy from the security policy editor
Rob Cryan
Solutions Integration Manager
infinitespace.com
Two Westborough Business Park
Westborough, MA 01581
Office: 508.870.4714
-----Original Message-----
From: Aaron Wheeler [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, July 11, 2000 8:05 PM
To: Fw-1-Mailinglist (E-mail)
Cc: 'eric'
Subject: RE: [FW1] Local.arp file
Eric,
Thanks for the tips on local.arp files.
I have been having problems with the static arp entries on a NT FW-1
install I am doing for a customer. I have created a local.arp file
containing entries for all the Internet Servers, but it doesn't seem to take
effect. If I manually add the arp entries in NT using the "arp -s" command, the
firewall starts working correctly, but these entries are deleted on
reboot.
I think I may have been editing the arp file using notepad, so this
may have been my problem, however I have differing information concerning the
location of the local.arp file. The most common one is:
%SystemRoot%/fw/state/local.arp
Is this the correct location?
Thanks in advance,
Aaron.
-----Original Message-----
From: eric [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 5 July 2000 5:58
To: John Qian; 'Flavio Muscetra'
Cc: Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Local.arp file
When you create the local.arp don't forget to do it from DOS edit. Notepad
screws these up. And press tab between the IP and external MAC.
eric.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
John
Qian
Sent: Monday, July 03, 2000 1:11 PM
To: 'Flavio Muscetra'
Cc: Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Local.arp file
Hi Flavio,
Why not try reversing the order of the route entry in local.arp? Like:
A.B.C.z pp-cc-gg-hh-kk
John Qian
-----Original Message-----
From: Flavio Muscetra [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 03, 2000 9:32 AM
To: Julian Bain
Cc: Fw-1-Mailinglist (E-mail)
Subject: Re: [FW1] Local.arp file
----- Original Message -----
From: Julian Bain <mailto:[EMAIL PROTECTED]>
To: 'Flavio Muscetra' <mailto:[EMAIL PROTECTED]>
Cc: Fw-1-Mailinglist
<mailto:[EMAIL PROTECTED]>
(E-mail)
Sent: Monday, July 03, 2000 6:23 PM
Subject: RE: [FW1] Local.arp file
You also need a static route in the NT box directing packets back to
the web server. Use route add -p command:
route add -p A.B.C.z 10.10.11.x
Also, to enable your proxy arp entry you must stop and start the
firewall
Julian Bain
I already have this configuration, but it doesn't work. Is it mandatory
to set something on the router (static route)?
Thanks,
Flavio
-----Original Message-----
From: Flavio Muscetra [ mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> ]
Sent: Monday, July 03, 2000 11:00 AM
To: [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
Subject: [FW1] Local.arp file
Importance: High
I'm configuring a FW-1 4.0 (SP5) on a NT box 4.0 SP6a with 3
adapters:
* one is external A.B.C.0/24
* one is for DMZ 10.10.11.0/24
* one is for the internal LAN 10.10.10.0/24.
The DMZ and the internal LAN are private nets.
I've a web-server on DMZ (10.10.11.x) with aa-bb-cc-dd-ee MAC
address.
This web server is known in internet with A.B.C.z address.
The external interface of the firewall is A.B.C.y with MAC
pp-cc-gg-hh-kk
To reach the webserver I put in the local.arp file the following
line:
pp-cc-gg-hh-kk A.B.C.z
It doesn't work! Does anyone know if there's a bug in the FW-1 proxy
arp?
Or maybe I made a mistake?
Thanks in advance,
Flavio
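The thread's local.arp mistakes (MAC before the IP as in Flavio's original line, a MAC without dashes, and control characters left behind by Windows editors as Rob's and Eric's notes warn) can be caught before running fwstart. The checker below is an added example written for this page, not Check Point code; the sample file contents are constructed, and the MAC and 192.0.2.x addresses are placeholders.

```python
import ipaddress
import re

# Dash-separated MAC, as the knowledge base article specifies (e.g. 00-A0-C9-12-34-56).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

def check_local_arp(text):
    """Return (line_no, problem) tuples for the contents of a local.arp file.

    Checks one 'IP<whitespace>MAC' entry per line, IP first and MAC second,
    MAC octets separated by dashes, and no stray control characters.
    """
    problems = []
    for line_no, raw in enumerate(text.split("\n"), start=1):
        line = raw.rstrip("\r")  # tolerate CRLF line endings
        if not line.strip():
            continue
        # Anything that is not printable ASCII or a tab is an editor artifact.
        bad = [c for c in line if not (c == "\t" or 0x20 <= ord(c) < 0x7F)]
        if bad:
            problems.append((line_no, "control or non-ASCII character %r" % bad[0]))
            line = "".join(c for c in line if c not in bad)
        fields = line.split()
        if len(fields) != 2:
            problems.append((line_no, "expected exactly two fields: IP MAC"))
            continue
        first, second = fields
        if MAC_RE.match(first) and not MAC_RE.match(second):
            problems.append((line_no, "MAC listed before IP; order must be IP then MAC"))
            continue
        try:
            ipaddress.IPv4Address(first)
        except ipaddress.AddressValueError:
            problems.append((line_no, "first field is not an IPv4 address: %s" % first))
        if not MAC_RE.match(second):
            problems.append((line_no, "MAC must be six hex pairs separated by dashes: %s" % second))
    return problems

# Constructed sample: one good entry plus the three mistakes discussed in the thread.
SAMPLE = (
    "192.0.2.10\t00-A0-C9-12-34-56\n"      # correct: IP, tab, dashed MAC
    "00-A0-C9-12-34-56 192.0.2.11\n"       # reversed order (as in the original question)
    "192.0.2.12 00:A0:C9:12:34:56\n"       # colons instead of dashes
    "192.0.2.13\t00-A0-C9-12-34-56\x1a\n"  # trailing control character from an editor
)

if __name__ == "__main__":
    for line_no, problem in check_local_arp(SAMPLE):
        print("line %d: %s" % (line_no, problem))
```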
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================