RE: [FW1] local.arp changes still not picked up
Couple of thoughts on this one:

How about putting static arp entries on the router? - much better performance on heavily used sites/addresses, with no flaky local.arp behaviour. As far as I know this can be done on virtually all Cisco routers. Basically the router then knows exactly which hardware address to send traffic to, without even having to do an arp for it. When the FW-1 local.arp file is used the router needs to pull the details off the firewall's disk, and this will have a performance hit.

If you must use the local.arp file - maybe the router is not managed by you - always create and edit it at the NT command line ("dos" box), and hit return after the last line - this seems to give more reliable results in my experience anyway.

Also, pay close attention to the case etc, if it ain't right it just won't work!

HTH,
Matt Day

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Bill McCabe
Sent: 07 September 2000 15:37
To: [email protected]
Subject: RE: [FW1] local.arp changes still not picked up

I had the ARP table on the router flushed, and am having the local.arp entries double-checked by a different person (I support this remotely, so can not currently check it myself). Will stop and start again tonight. Thanks again for everyone's suggestions.

Bill

At 10:05 AM -0400 9/7/00, Rick Camp wrote:
>Bill,
>
>I ran into this problem about a year ago with an NT 4.0 firewall. I am not
>sure as to the cause, but I did find a work around.
>
>We were using a Cisco 2524 router and by clearing the arp tables, it would
>then pick up the new information from the local.arp file. I believe the
>commands are show arp to look at the table and clear arp to clear it out and
>you must be in enable mode on a Cisco router to clear the arp table. Maybe
>someone with more router experience can confirm if I am remembering the
>correct commands.
>
>If you can't telnet into your router you could try powering it off and back
>on, but I don't know if that will solve the problem, and I don't know if you
>are in a situation where you can down your router.
>
>I hope this helps.
>
>Rick
>
>_______________________________________
>Rick Camp
>Welsh Consulting
>31 Milk Street, Suite 805
>Boston, MA 02109
>Tel
>Fax
>[email protected]
>www.welsh.com
>
>
>-----Original Message-----
>From: Bill McCabe [mailto:[email protected]]
>Sent: Wednesday, September 06, 2000 10:54 PM
>To: [email protected]
>Subject: [FW1] local.arp changes still not picked up
>
>
>
>Sadly, the new proxy ARP entries still didn't take after a fwstop/start,
>and even a reboot. The old one still works fine. The network objects and
>rules are patterned identically to the working one, which was set up
>according to the instructions in the Phoneboy FAQ. I clearly must be
>missing something, unless it has to do with the limitations of Windows NT
>4.0 Workstation, or the fact that the internal NIC is Token Ring. Any
>suggestions or leads would be greatly appreciated.
>
>Bill
>
>
>At 1:16 PM -0400 9/6/00, Bill McCabe wrote:
>>Thanks for all the replies. I will bounce the firewall when I get the green
>>light from above. I couldn't remember whether I had restarted the FW
>>service last June when I added the prior static mapping. Since the Phoneboy
>>FAQ says:
>>
>>
>>>In Windows NT, the 'arp' command will not function in this manner. Version
>>>2.1c and later of FireWall-1 will do the proxy arps for you. You must
>>>create a file called %SystemRoot%\fw\state\local.arp (case matters!),
>>>which is formatted as follows:
>>>
>>>translated_ip_address mac_address
>>>
>>>In the example above, this file would contain:
>>>
>>>206.99.98.50 08-00-20-76-ea-77
>>>
>>>Once you've set this file up, you will need to re-install the current
>>>rulebase.
>>
>>
>>I was hesitant to restart it for no reason. I naturally assumed I had made
>>an error somewhere.
>>
>>
>>Bill
>>
>>
>>=============================================================================
>> To unsubscribe from this mailing list, please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>>=============================================================================
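
A small linter for the local.arp file discussed in this thread, added here as an example and not code from any of the posters or from Check Point. It checks the two-field layout and dash-separated MAC shown in the quoted FAQ example and the closing line ending from Matt Day's tip; the function name, the plain-ASCII check and the duplicate-IP check are assumptions of this example, and the 192.0.2.x entries are constructed sample input.

```python
import ipaddress
import re

# MAC written as in the quoted FAQ example: six hex pairs joined by dashes.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

def lint_local_arp(data):
    """Return a list of problems found in the raw bytes of a local.arp file."""
    if not data:
        return ["file is empty"]
    # Assumption of this example: the file should be plain ASCII text.
    if any(b == 0 or b > 0x7F for b in data):
        return ["file is not plain ASCII (saved as Unicode by the editor?)"]
    problems = []
    if not data.endswith(b"\n"):
        problems.append("no line ending after the last entry")
    seen = {}  # IP -> first line number it appeared on
    for number, line in enumerate(data.decode("ascii").splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append(f"line {number}: expected 2 fields, found {len(fields)}")
            continue
        ip, mac = fields
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {number}: {ip!r} is not an IPv4 address")
        if not MAC_RE.match(mac):
            problems.append(f"line {number}: {mac!r} is not six dash-separated hex pairs")
        if ip in seen:
            problems.append(f"line {number}: {ip} already mapped on line {seen[ip]}")
        seen.setdefault(ip, number)
    return problems

# Entry from the FAQ quoted in the thread, with a DOS line ending.
GOOD = b"206.99.98.50 08-00-20-76-ea-77\r\n"
# Constructed sample: colon-separated MAC, a repeated IP, no final line ending.
BAD = (b"192.0.2.10 08:00:20:76:ea:77\r\n"
       b"192.0.2.11 08-00-20-76-ea-78\r\n"
       b"192.0.2.11 08-00-20-76-ea-79")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_local_arp(sample) or "ok")
```

Read the file in binary mode before passing it in, so that line endings and any editor-added bytes reach the checks unchanged.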