If you are on NT you have to set up the ARP using the local.arp file:
make the file $FWDIR/state/local.arp; the format for the file should be:
<external ip of mailserver> <mac add. fw ext. interface>
If you are on Solaris... you do an arp command:
arp <external ip of mailserver> <mac add. fw ext. interface> pub
(..remember though that when you reboot, the arp entry on Solaris goes bye
bye.. so put this statement in a startup file (like /etc/rc3.d/S99ArpEntries):
/usr/sbin/arp <external ip of mailserver> <mac add. fw ext. interface> pub
:)
Amin Tora
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS
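A startup script for the Solaris half of the advice above, as an added example that is not part of the original thread: it reads entries in the same two-column format as the NT local.arp file and republishes them with arp -s ... pub (the -s flag from Solaris' arp(1M) syntax, which the shorthand above omits) so the proxy-ARP entries survive a reboot. The file path /etc/opt/local.arp, the ARP_CMD override and the "apply" argument are this example's own assumptions.

```shell
#!/bin/sh
# Startup script (e.g. /etc/rc3.d/S99ArpEntries) that republishes proxy-ARP
# entries for statically NATed hosts after a reboot. It reads the two-column
# format the reply describes for $FWDIR/state/local.arp:
#     <external ip of mailserver> <mac add. fw ext. interface>
# ARP_ENTRIES (constructed path) and ARP_CMD are this example's assumptions.
ARP_ENTRIES=${ARP_ENTRIES:-/etc/opt/local.arp}
ARP_CMD=${ARP_CMD:-/usr/sbin/arp}

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
# Runs in a subshell so the IFS change does not leak into the caller.
valid_ip() (
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || exit 1
    IFS=.
    set -- $addr
    for octet; do
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Return 0 if $1 is a colon-separated MAC (1 or 2 hex digits per octet,
# as Solaris arp prints and accepts them), 1 otherwise.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$'
}

# Print one "arp -s <ip> <mac> pub" line per valid entry in file $1.
# Blank lines and '#' comments are skipped; malformed lines are reported on
# stderr and make the function return 1 so a bad file is noticed at boot.
gen_arp_commands() {
    rc=0
    while read -r ip mac extra; do
        case "$ip" in ''|\#*) continue ;; esac
        if [ -n "$extra" ] || ! valid_ip "$ip" || ! valid_mac "$mac"; then
            echo "skipping malformed entry: $ip $mac $extra" >&2
            rc=1
            continue
        fi
        echo "$ARP_CMD -s $ip $mac pub"
    done < "$1"
    return $rc
}

# Invoked as "S99ArpEntries apply" at boot: publish the entries for real.
if [ "${1:-}" = "apply" ]; then
    gen_arp_commands "$ARP_ENTRIES" | sh
fi
```

Run it without the apply argument (or call gen_arp_commands on a test file) to preview the commands before letting it touch the ARP table.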
-----Original Message-----
From: Stephen Hunt [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 08, 2001 9:08 AM
To: [EMAIL PROTECTED]
Subject: [FW1] problems setting up a NAT
Hello all,
I am trying to set up a NAT for an internal mail server. My existing policy
covers outbound connections from the mail server out to the internet,
but I cannot reach it from the internet back inside. I followed the
documentation on setting up a static NAT, creating an object for the
internal mail server and also for the external interface. The real IP
is different from the external IP of the firewall, so I was sure to
put in the recommended arp statement so the router upstream will know
how to get to it. So, now I can route to it, but I can't get anything
through the firewall inside to the mail server. Here's what my policy
basically looks like:
1 Source: <mailserver-internal, with static NAT to external>
  Destination: Any
  Services: Any
  Action: accept
  Install on: Gateways

2 Source: <entire internal network>
  Destination: Any
  Services: Any
  Action: accept
  Install on: Gateways

3 Source: Any
  Destination: <mailserver-external, with static NAT to internal>
  Services: Any
  Action: accept
  Install on: Gateways

4 Source: Any
  Destination: Any
  Services: Any
  Action: drop
  Install on: Gateways
Is this correct? Of course I'll tighten down the services later, but I
want to make sure it works first. On top of this I have added a route
as such:
route add <external IP of mailserver> <internal IP> 1
and updated the arp table with <external IP of mail server> with
<external MAC address of fw>. The external IP of the mail server is
different from the external IP of the firewall.
This ought to be simple, right? Also, I don't have split-DNS on the
firewall yet, but that shouldn't affect this basic routing/NAT config?
Well, this is driving me nuts, I hope you guys can help.
Thanks!
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================