
RE: [FW1] Nated machines can't access Internet




Cisco have a "port security" function on some of their routers, i.e. a static
ARP entry for a specific port. If this function is enabled, then it would
have to be manually changed, not simply done by re-booting the router... if
that's available on the router... if the router is the appropriate model
Cisco... my 0.02c worth


Ash


"Robert MacDonald" <[email protected]>
Sent by: [email protected]kpoint.com
20/02/2001 07:50 AM

To:      <[email protected]>, <[email protected]>
cc:      <[email protected]>
Subject: RE: [FW1] Nated machines can't access Internet




Steven,

Wouldn't running 'clear arp-cache' on the router be much
faster?

Robert

- -
Robert P. MacDonald
Global Infrastructure Group, Haworth, Inc.
Voice:email: [email protected]

>>> Steven Zimmerman <[email protected]> 02/19/01 10:09AM >>>
>
>First thing I would do is reboot your ISP router after putting the new
>firewall in place.  The ISP router will have the MAC address of your old
>server cached (default is 3 hours on Cisco) and it will try to send all
>packets to that old MAC.
>
> -----Original Message-----
>From:          CryptoTech [mailto:[email protected]]
>
>Annette,
>Since this is an upgrade on a separate server, a few questions come to mind.
>Have you removed the old config so that the new setup will be the proper
>default route for internal hosts?
>Validation of proper published MAC addresses is a plus.
>Check the network properties TCPIP -> routing table to enable IP
>forwarding/routing.
>
>HTH,
>CryptoTech
>
>Annette Tenney wrote:
>
>> Am running FW-1 ver. 4.0. Upgrade planned on different server. Have
>> installed NT on new machine and imported the rulebase and configuration
>> files from the old machine which is currently in use. Have modified the
>> route table on the new machine to match the old machine. Have created the
>> local.arp file. Checked in the configuration GUI that the external interface
>> was pointing to the correct card. On the firewall network object did a get
>> for the interfaces which succeeded. Installed the policies.
>>
>> Have new machine on test network with DNS. Have not tried the upgrade yet.
>> Firewall can get name resolution, can ping machines on internal network and
>> DMZ by both true IP address and nated address. Internal machines with nated
>> address can not get name resolution (DNS acting as machine outside
>> firewall), machines internal with hidden address can get resolution. Machine
>> on DMZ, with nated address can not get resolution. External machine can not
>> get to web server on DMZ. Have disabled all rules in rule base and added
>> rule any any any allow. Pseudo rules set to allow anything. Turned off IP
>> address spoofing.
>>
>> What have I missed?
>>
>> Thanks for your help.




================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
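
Added example, not part of the original thread: a way to confirm the stale-ARP diagnosis discussed above before rebooting or clearing anything, by comparing the firewall's local.arp entries with the upstream router's `show ip arp` output. The local.arp layout (IP, then MAC, one pair per line), the IOS column layout, and all addresses below are assumptions constructed for illustration.

```python
import re

# Constructed sample: local.arp-style entries (NAT IP, firewall external MAC).
LOCAL_ARP = """\
203.0.113.10  00-A0-C9-11-22-33
203.0.113.11  00-A0-C9-11-22-33
"""

# Constructed sample of "show ip arp" output captured from the ISP router.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.0c12.3456  ARPA   Ethernet0
Internet  203.0.113.10          142   0010.4b99.8877  ARPA   Ethernet0
Internet  203.0.113.11            3   00a0.c911.2233  ARPA   Ethernet0
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_local_arp(text):
    """Return {ip: mac} for every line that carries an IP and a MAC."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            table[fields[0]] = norm_mac(fields[1])
    return table

def parse_show_ip_arp(text):
    """Return {ip: (mac, age)}; an age of '-' marks the router's own address."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+(\d+|-)\s+([0-9a-fA-F.]+)\s+ARPA", line)
        if m:
            rows[m.group(1)] = (norm_mac(m.group(3)), m.group(2))
    return rows

def stale_entries(expected, router):
    """List (ip, cached_mac, age_min, expected_mac) where the router disagrees."""
    return [(ip, router[ip][0], router[ip][1], mac)
            for ip, mac in sorted(expected.items())
            if ip in router and router[ip][0] != mac]

if __name__ == "__main__":
    stale = stale_entries(parse_local_arp(LOCAL_ARP), parse_show_ip_arp(SHOW_IP_ARP))
    print(*stale, sep="\n")
```

An address that appears in the result is still mapped to a MAC other than the new firewall's, which is the condition the replies above propose fixing by clearing the router's ARP cache.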







   All contents © 2004 Network Presence, LLC. All rights reserved.