Re: [FW1] Linux, VPN and ARP
Hi Marco

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Wednesday, May 09, 2001 10:46 AM
Subject: Re: [FW1] Linux, VPN and ARP

> [2]
> Do I get you right? You have it working and using a separate network for the pool
> (gateway for routing is set to the firewall)?

Right, the separate network for the pool is virtual on the firewall... and your servers need to know how to find the way back for that net to the firewall.

> But how can I do it when I "wish" to use addresses out of my LAN?

You should use addresses which aren't used on your LAN. Example: internally you are running 192.168.10.0/24; your IP NAT pool should be another net like 192.168.20.0/24 perhaps........ and your SR destinations should be able to send packets from 192.168.20.0/24 back to the firewall.

IP NAT pool stuff works like that:

- SR client1 auth
- SR client1 wants to ssh to a server
- fw makes a virtual NAT rule:
  <official SR client IP> <dest server> port 22 | <dynamically assigned IP NAT pool address for SR client1> <dest server> port 22
- packet goes to dest server with source <dynamically assigned IP NAT pool address for SR client1>
- server sends back packet with dest <dynamically assigned IP NAT pool address for SR client1> to the firewall

The firewall itself listens for replies to the <dynamically assigned IP NAT pool address for SR client1> and sends them encrypted back to the <official SR client IP>.

For that you don't need any ARP entries. ARP stuff is interesting for inward forwarding, like for the management station, which is used for topology downloads. Or if you want to hide your real firewall IP address in web/ftp logs and use a second address for outgoing traffic for your internal clients (www/ftp). Then you have to arping around on your border router and the firewall.

[email protected] told some time ago something about a tool called "tarpd" [...
The syntax is:

    tarpd <ifname> <ipaddress> <netmask> &

where
  <ifname>    is the interface you want the proxy to appear on
  <ipaddress> is the proxied address
  <netmask>   I normally set to 255.255.255.255

My script file looks something like this:

    #!/bin/sh
    #
    # Proxy address for ftp server
    # (123.456.789.111 and 987.654.321.999 are placeholders: substitute the
    #  real proxied address and the real gateway)
    tarpd eth0 123.456.789.111 255.255.255.255 &
    route add -host 123.456.789.111 gw 987.654.321.999 metric 1
    # etc...

...]

> Independent from your above solution the "main" question is: why does my linux
> box not answer to an ARP request on the same segment? If I can get this one
> working I'm sure everything else will work...

... Play around with tcpdump

regards,
mike

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
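The IP NAT pool walk-through in mike's reply (lease a pool address per SecuRemote client, rewrite the outbound source, map the server's reply back to the client's official address, and the caveat that the servers need a route for the pool net pointing at the firewall) as a small model. This is an added example, not Check Point FireWall-1 code or anything from the thread: the class and function names (IpNatPool, Firewall, next_hop, ssh_round_trip) and every address in it are constructed for the demonstration, and the firewall is assumed to be 192.168.10.1 while the servers' default gateway is a separate router 192.168.10.254.

```python
"""Toy model of the SecuRemote IP NAT pool flow (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class PoolExhausted(Exception):
    """Raised when every address of the pool is already leased."""


class IpNatPool:
    """Leases pool addresses to authenticated SecuRemote ("SR") clients."""

    def __init__(self, lan_cidr: str, pool_cidr: str) -> None:
        lan = ipaddress.ip_network(lan_cidr)
        pool = ipaddress.ip_network(pool_cidr)
        # The post's rule: the pool must be a net that is not in use on the LAN.
        if lan.overlaps(pool):
            raise ValueError(f"pool {pool} overlaps LAN {lan}")
        self.network = pool
        self._free = [str(h) for h in pool.hosts()]
        self._by_client: dict = {}   # official client IP -> pool address
        self._by_pool: dict = {}     # pool address -> official client IP

    def assign(self, client_ip: str) -> str:
        """Return the client's pool address, leasing a new one on first use."""
        if client_ip in self._by_client:
            return self._by_client[client_ip]
        if not self._free:
            raise PoolExhausted(f"no free address left in {self.network}")
        addr = self._free.pop(0)
        self._by_client[client_ip] = addr
        self._by_pool[addr] = client_ip
        return addr

    def release(self, client_ip: str) -> None:
        """Give the address back when the client's session ends."""
        addr = self._by_client.pop(client_ip)
        del self._by_pool[addr]
        self._free.append(addr)

    def client_for(self, pool_addr: str) -> Optional[str]:
        return self._by_pool.get(pool_addr)


class Firewall:
    def __init__(self, ip: str, pool: IpNatPool) -> None:
        self.ip = ip
        self.pool = pool

    def outbound(self, pkt: Packet) -> Packet:
        """Decrypted packet from an SR client: the 'virtual NAT rule' swaps
        the official client IP for the client's pool address."""
        return Packet(self.pool.assign(pkt.src), pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply sent to a pool address: map it back to the official client
        IP (the packet that then goes out encrypted). Replies to addresses
        that are not leased are dropped."""
        client = self.pool.client_for(pkt.dst)
        if client is None:
            return None
        return Packet(pkt.src, client, pkt.dport)


def next_hop(routes, dst: str) -> Optional[str]:
    """Longest-prefix match over (cidr, gateway) pairs; None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gw in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


def ssh_round_trip(server_routes) -> Optional[Packet]:
    """Walk the post's list for one client: lease, client -> server:22,
    reply, un-NAT. Returns the packet the client receives, or None when the
    server's routing table does not send the pool-net reply to the firewall."""
    fw = Firewall("192.168.10.1", IpNatPool("192.168.10.0/24", "192.168.20.0/24"))
    client_official = "203.0.113.7"      # constructed public SR client address
    server = "192.168.10.50"             # constructed internal ssh server
    on_wire = fw.outbound(Packet(client_official, server, 22))
    reply = Packet(server, on_wire.src, 22)
    if next_hop(server_routes, reply.dst) != fw.ip:
        return None                      # reply went to another gateway
    return fw.inbound(reply)


if __name__ == "__main__":
    only_default = [("192.168.10.0/24", "direct"), ("0.0.0.0/0", "192.168.10.254")]
    with_pool_route = only_default + [("192.168.20.0/24", "192.168.10.1")]
    print("default gateway only:", ssh_round_trip(only_default))
    print("pool route to the fw:", ssh_round_trip(with_pool_route))
```

Running it shows the two cases side by side: with only a default route to the border router the server's reply never reaches the firewall and the client gets nothing; with a route for 192.168.20.0/24 via the firewall the reply is un-NATed back to the client's official address, without any ARP entry being involved.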
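For the ARP side of the thread (tarpd answering ARP for a proxied address, and Marco's box that does not answer requests on its own segment, to be investigated with tcpdump), the mechanics a capture would show, as an added example that is not tarpd, Linux kernel or list code: parse an Ethernet/ARP frame from bytes, decide whether a host should answer it (for addresses it owns, or ones it proxies the way tarpd does), build the unicast reply, and render frames roughly as tcpdump prints them so a real capture can be compared line by line. All function names, MACs and IPs are constructed; the firewall is assumed to own 192.168.10.1 and proxy 192.168.10.77.

```python
"""ARP request/reply parsing and the answer decision (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str
    eth_src: str
    oper: int
    sha: str   # sender hardware (MAC) address
    spa: str   # sender protocol (IP) address
    tha: str   # target hardware address (zeros in a request)
    tpa: str   # target protocol address


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode 14 bytes of Ethernet header plus the 28-byte ARP body.
    Trailing padding (real frames are padded to 60 bytes) is ignored."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpFrame(_mac(eth_dst), _mac(eth_src), oper,
                    _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(oper: int, eth_dst: str, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode an ARP frame; the Ethernet source is always the sender MAC."""
    return (struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(sha), ETH_P_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                          _mac_bytes(sha), _ip_bytes(spa),
                          _mac_bytes(tha), _ip_bytes(tpa)))


def should_answer(req: ArpFrame, own_ips: Iterable[str], proxied_ips: Iterable[str]) -> bool:
    """A host answers only requests, and only for an address it owns or
    proxies; everything else is ignored, which is what a capture shows
    when a request gets no reply."""
    return req.oper == ARP_REQUEST and req.tpa in (set(own_ips) | set(proxied_ips))


def answer(req: ArpFrame, our_mac: str, own_ips, proxied_ips) -> Optional[bytes]:
    """Return the unicast reply frame, or None when the host stays quiet."""
    if not should_answer(req, own_ips, proxied_ips):
        return None
    return build_arp(ARP_REPLY, req.sha, our_mac, req.tpa, req.sha, req.spa)


def tcpdump_line(f: ArpFrame) -> str:
    """Render a frame roughly the way tcpdump prints ARP traffic."""
    if f.oper == ARP_REQUEST:
        return f"arp who-has {f.tpa} tell {f.spa}"
    return f"arp reply {f.spa} is-at {f.sha}"


# Constructed scenario: a firewall owning 192.168.10.1 that also proxies
# 192.168.10.77 (the tarpd use case); a LAN host asks for each address.
FW_MAC = "00:aa:bb:cc:dd:ee"
FW_OWN = ["192.168.10.1"]
FW_PROXIED = ["192.168.10.77"]


def who_has(target_ip: str) -> bytes:
    """Broadcast request from a constructed LAN host 192.168.10.20."""
    return build_arp(ARP_REQUEST, BROADCAST, "00:11:22:33:44:55", "192.168.10.20",
                     "00:00:00:00:00:00", target_ip)


def exchange(target_ip: str) -> Optional[str]:
    """Put a request for target_ip on the wire; return the firewall's reply
    as a tcpdump-style line, or None when it does not answer."""
    reply = answer(parse_arp(who_has(target_ip)), FW_MAC, FW_OWN, FW_PROXIED)
    return None if reply is None else tcpdump_line(parse_arp(reply))


if __name__ == "__main__":
    for ip in ("192.168.10.1", "192.168.10.77", "192.168.10.99"):
        print(tcpdump_line(parse_arp(who_has(ip))), "->", exchange(ip))
```

The three printed lines are the pattern to look for in a real tcpdump session: a who-has for an owned or proxied address is followed by a reply carrying the answering host's MAC, while a who-has for any other address simply goes unanswered. When a box that should own the address stays silent, the request is either not reaching that interface or is asking for an address the box does not consider its own, and the capture distinguishes the two.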