
Re: [FW1] Linux, VPN and ARP



Hi Marco

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Wednesday, May 09, 2001 10:46 AM
Subject: Re: [FW1] Linux, VPN and ARP


> [2]
> Do I get you right? You have it working and using a separate network for
> the pool (gateway for routing is set to the firewall)?

Right, the separate network for the pool is virtual on the firewall... and
your servers need to know the way back to the firewall for that net.

> But how can I do it when I "wish" to use addresses out of my LAN?

You should use addresses which aren't used on your LAN.
Example:
internally you are running 192.168.10.0/24
your IP NAT pool should be another net like 192.168.20.0/24
perhaps... and your SR destinations should be able to send packets from
192.168.20.0/24 back to the firewall.

IP NAT pool stuff works like that:

- SR client1 authenticates
- SR client1 wants to ssh to a server
- fw makes a virtual NAT rule <official SR client IP> <dest server> port 22
  | <dynamically assigned IP NAT pool address for SR client1> <dest server> port 22
- packet goes to dest server with source <dynamically assigned IP NAT pool
  address for SR client1>
- server sends back packet with dest <dynamically assigned IP NAT pool address
  for SR client1> to the firewall
- the firewall itself listens for replies to the <dynamically assigned IP NAT
  pool address for SR client1> and sends them encrypted back to the <official
  SR client IP>

For that you don't need any ARP entries.
ARP stuff is interesting for inward forwarding, like for the management
station, which is used for topology downloads.
Or if you want to hide your real firewall IP address in web/ftp logs and use
a second address for outgoing traffic for your internal clients (www/ftp).
Then you have to arping around on your border router and the firewall.


[email protected] said something some time ago about a tool called
"tarpd"

[...
The syntax is: tarpd <ifname> <ipaddress> <netmask> &
where
     <ifname> is the interface you want the proxy to appear on
     <ipaddress> is the proxied address
     <netmask> I normally set to 255.255.255.255

My script file looks something like this:

#!/bin/sh
#
#  Proxy address for ftp server
#  answer ARP for the proxied address on eth0 (placeholder addresses)
tarpd eth0 123.456.789.111 255.255.255.255 &
#  route traffic for the proxied address on to the real server
route add -host 123.456.789.111 gw 987.654.321.999 metric 1
#
etc...

...]

> Independent from your above solution the "main" question is: why does my
> linux box not answer to an ARP request on the same segment? If I can get
> this one working I'm sure everything else will work...

... Play around with tcpdump


regards,
mike
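A toy model of the IP NAT pool flow Mike lists above, added here as an illustration (it is not code from the thread or from Check Point): one pool address per authenticated SecuRemote client, a virtual NAT rule per connection, and replies to the pool address matched back to the client's official IP. The pool 192.168.20.0/24, the client 203.0.113.7 and the server 192.168.10.5 are constructed sample values.

```python
import ipaddress


class IpNatPool:
    """Assigns one pool address per authenticated SR client and translates
    packets the way the five-step list above describes (constructed model)."""

    def __init__(self, pool_cidr):
        # free pool addresses, handed out dynamically on authentication
        self.free = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        self.client_to_pool = {}   # official SR client IP -> pool address
        self.pool_to_client = {}   # pool address -> official SR client IP
        self.rules = set()         # virtual NAT rules: (pool addr, dest, port)

    def authenticate(self, client_ip):
        """Step 1: the client authenticates and gets a dynamic pool address."""
        if client_ip not in self.client_to_pool:
            pool_ip = self.free.pop(0)
            self.client_to_pool[client_ip] = pool_ip
            self.pool_to_client[pool_ip] = client_ip
        return self.client_to_pool[client_ip]

    def outbound(self, src, dst, port):
        """Steps 2-4: rewrite the decrypted client packet's source to the
        pool address and record the virtual NAT rule used for the reply."""
        if src not in self.client_to_pool:
            raise PermissionError("unauthenticated client %s" % src)
        pool_ip = self.client_to_pool[src]
        self.rules.add((pool_ip, dst, port))
        return (pool_ip, dst, port)

    def inbound(self, src, dst, port):
        """Step 5: a reply the server routed back to the firewall for a pool
        address is matched against the rule table and forwarded (encrypted)
        to the client's official IP.  Returns None when no rule matches,
        i.e. the firewall drops the packet."""
        if (dst, src, port) not in self.rules:
            return None
        return (src, self.pool_to_client[dst], port)

    def disconnect(self, client_ip):
        """Client logs off: release its pool address and its NAT rules."""
        pool_ip = self.client_to_pool.pop(client_ip)
        del self.pool_to_client[pool_ip]
        self.rules = {r for r in self.rules if r[0] != pool_ip}
        self.free.append(pool_ip)
```

The model only covers the translation; the server still needs a route for 192.168.20.0/24 pointing at the firewall, or step 5 never happens.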
