RE: [FW1] I hate local.arp
Besides the already mentioned anti-spoofing, there is something else to check. I assume you created an object with the internal IP address and set static NAT on it. Have you also created an object with the virtual (external, natted) IP address and used that in your rules?

Frank

> -----Original Message-----
> From: Dan Hitchcock [mailto:[email protected]]
> Sent: Friday, September 08, 2000 3:14 PM
> To: FW-1 Mailing List (E-mail)
> Subject: [FW1] I hate local.arp
>
> Okay, so I see now why local.arp is such a bummer.
>
> #1 - It does not work correctly.
> #2 - see #1.
>
> Per postings over the last couple weeks (I've saved them all) and
> Checkpoint docs, I have tried to create the local.arp using nearly all
> permutations of space vs. tab between IP and MAC, dashes or colons in
> MAC, WordPad, Notepad, or DOS EDIT as editor, etc., all with no luck.
> My static route in NT is there. I've created a workstation object with
> the internal IP address, and (per Checkpoint documentation), added an
> automatic static translation rule to the object using the NAT tab (I
> also tried creating the NAT rule manually). I have stopped and started
> the firewall numerous times during these, both from the command line
> and the Services control panel. I've rebooted ad nauseam.
>
> The symptom is always the same - when trying to connect to the internal
> Web server via the NAT, the browser IMMEDIATELY returns a "page cannot
> be displayed" error. This happens from various locations with different
> browsers. I see the packet accepted in the log, along with the correct
> translation information. If I PING the ARPed address from another
> machine on the same segment as the outside of the firewall, a correct
> IP/MAC pair appears in the ARP table on the machine, but the PING times
> out. I can PING the "real" address of the outside of the firewall
> without issues.
>
> Why is this so hard? Someone please point out my stupidity and improve
> my quality of life by providing the magic answer. "Obvious" suggestions
> are more than welcome.
>
> Thank you very very very very much.
>
> Dan Hitchcock
> CCNA, MCSE
> Network Engineer
> Xylo, Inc. (formerly employeesavings.com)
>> The work/life solution for corporate thought leaders
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================