RE: [FW1] Linux, VPN and ARP
Check through either sysctl -a or by viewing /etc/sysctl.conf to see if you are allowing for the proper kernel module to issue answers to proxy arp requests. (6.2 configuration, 6.1=/etc/sysconfig/*)

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> [email protected]
> Sent: Wednesday, May 09, 2001 3:46 AM
> To: [email protected]
> Subject: Re: [FW1] Linux, VPN and ARP
>
> Hi Mike,
>
> [1]
> yes, the NAT pool addresses are out of the same segment that the
> firewall is connected to (LAN).
>
> [2]
> Do I get you right? You have it working and using a separate
> network for the pool (gateway for routing is set to the firewall)?
> But how can I do it when I "wish" to use addresses out of my LAN?
> Independent from your above solution the "main" question is: why
> does my linux box not answer to an arp request on the same segment?
> If I can get this one working I'm sure everything else will work...
>
> Regards,
> Marco
>
> "Mike Thomi" <[email protected]> on 08.05.2001 23:45:10
>
> To: [email protected]
> Cc: (Bcc: Marco Rossi/asap)
>
> Subject: Re: [FW1] Linux, VPN and ARP
>
> Hi
>
> IP NAT Pool:
> ---------------
> Do you use addresses from the same net segment like the firewall has its
> interfaces on?
>
> I have never added any arp entries for my sr clients.....I am using a
> private /24 net for the IP NAT thingy. Important is, that your inside
> servers must know the way back to your virtual "IP NAT Pool"-net (the sr
> entrypoint) and the "IP NAT Pool"-net shouldn't be in the
> encryption domain.
>
> regards,
> mike
>
> ----- Original Message -----
> From: <[email protected]>
> To: <[email protected]>
> Sent: Monday, May 07, 2001 8:04 PM
> Subject: [FW1] Linux, VPN and ARP
>
> > The task is really easy:
> > Enable FW-1 to accept SecuRemote connections. The firewall (gateway)
> > itself runs on RedHat 7.0 and SecuRemote on W2k.
> > I'm able to connect to the firewall over the internet but it is
> > IMPOSSIBLE to reach resources on the LAN when I use "IP NAT Pool"
> >
> > What my Reseller told me was that for IP NAT-Pool the IP addresses
> > have to be "put" on the internal interface by either "local.arp" for
> > Windows (not in my case) or "arp -s <ip> <mac> -i eth1 pub". But the
> > arp stuff doesn't work out.
> > Though my linux box accepts the command, replies to e.g. a PING from the
> > SecuRemote Client reaches the destination but the answer doesn't come
> > back (I traced it down so I could see that the arp request wasn't
> > answered by the firewall).
> >
> > Can anybody tell me why the linux box doesn't reply on the arp request
> > (FW and Linux box are on the same segment)?
> > Is this a linux thing?
> >
> > The only workaround I found was to "put" the ip addresses on the
> > interface.
> > But what if I need a pool of e.g. 200 addresses - is the linux kernel
> > capable to handle that much on one NIC?
> >
> > Maybe I'm missing something... so I would be glad if anybody could
> > give me a hint.
> >
> > Regards,
> > Marco
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
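
Added example, not part of the original thread: a POSIX shell check along the lines of the reply at the top of this message, reading `sysctl -a` output or /etc/sysctl.conf text and reporting whether proxy ARP is permitted on an interface. The keys net.ipv4.ip_forward and net.ipv4.conf.<iface>.proxy_arp are not named in the thread (they are the standard Linux sysctl keys); the function names and the sample configuration are constructed for this example.

```shell
# Added example: read sysctl-style text (output of `sysctl -a` or the
# contents of /etc/sysctl.conf) on stdin and report proxy-ARP settings.

# sysctl_value KEY: print the last value assigned to KEY, empty if absent.
# Accepts "key = value" and "key=value", skips comment lines, and treats
# the slash form (net/ipv4/ip_forward) like the dotted form.
sysctl_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub("/", ".", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v
        }
        END { print last }'
}

# proxy_arp_report IFACE: print findings for IFACE, return 0 when the
# settings allow the kernel to answer proxy ARP requests on it.
# Assumption of this example: forwarding is judged from ip_forward only.
proxy_arp_report() {
    iface="$1"
    conf=$(cat)
    fwd=$(printf '%s\n' "$conf" | sysctl_value net.ipv4.ip_forward)
    all=$(printf '%s\n' "$conf" | sysctl_value net.ipv4.conf.all.proxy_arp)
    one=$(printf '%s\n' "$conf" | sysctl_value "net.ipv4.conf.$iface.proxy_arp")
    rc=0
    if [ "$fwd" != "1" ]; then echo "ip_forward is off"; rc=1; fi
    # proxy ARP is active when either the "all" or the per-interface key is 1
    if [ "$all" != "1" ] && [ "$one" != "1" ]; then
        echo "proxy_arp is off for $iface"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "settings allow proxy ARP on $iface"; fi
    return "$rc"
}

# Constructed sample in /etc/sysctl.conf style (not taken from the thread).
sample_conf() {
    cat <<'EOF'
# forwarding on, proxy ARP enabled only on the internal interface
net.ipv4.ip_forward = 1
net/ipv4/conf/eth1/proxy_arp=1
net.ipv4.conf.eth0.proxy_arp = 0
EOF
}
sample_conf | proxy_arp_report eth1
```

To check the running kernel rather than a file, pipe live state in: `sysctl -a 2>/dev/null | proxy_arp_report eth1`.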