
[FW-1] FTP nat'ed on FP3 /take2



OK so...

tried the "perform translation on client side", no go...
tried the %FW1%/conf/local.arp (in my case %FW1%/NG/conf/local.arp)... no go
tried the fwparp <new public IP> <ext int of firewall IP>...and got:

Failed to add proxy arp entry for (ext internet ip) on if (fw ext ip)
error 1450 - insufficient system resources exists to complete the requested
service.

With a dual-processor machine with 2 GIG of RAM running only Checkpoint
FW1-NG1, this doesn't sound right.

Also, tried doing a cpstop first... same reply.
Also checked the "Routing & Remote Access", nothing configured and.... Also
checked the registry, "IPEnableRouter" is at 1.

What's next...come back to FP1?
Any ideas welcome.....

Thanks,
Andre Faille

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Ivan
Vassileff
Sent: November 13, 2002 3:26 PM
To: [email protected]
Subject: [FW-1] Réf. : [FW-1] FTP nat'ed on FP3


Hello

The way fw1 handles static destination nating has been modified
significantly before and after fp3

Action 1 : identify the kind of nating you use and the associated
operations you may need to perform :
manual NAT (rules written manually in the nat window) or automatic  NATed
(workstation nated) ?

If automatic => go and check in Policy/global properties/Nat to see if a
tick mark is placed on your "perform translation on client side" for
automatic nat.
By itself in FP3, it should take care of ARP proxying, Routing and
antispoofing as it did in FP2.
The added value of FP3/FP2 is that for ARP proxying on W2K you should not
need the program fwparp.exe anymore . But this still needs to be verified
;-)

If manual => go and check in Policy/global properties/Nat to see if a
tick mark is placed on your "perform translation on client side" for
manual nat. By itself in FP3, it should take care of ARP proxying, Routing
and antispoofing
The added value of FP3/FP2  is that it previously did NOT exist in FP2.
It should work fine with the possible exception on the arp proxying on w2k
issue mentioned above.

Action 2 : if it still does not work then we come back to our arp proxying
on w2k issue.

In FP3 you are supposed to create a new file called %FW1%/conf/local.arp
with the following syntax
<new public IP> <tab> <external interface of firewall MAC address>
Once done you cpstop and cpstart your firewall.
It might work.

If it still does not, to cure this in FP2, you had the program fwparp.exe,
that you can find on checkpoint site, as previously mentioned in that
list.
This program has an interesting syntax  : fwparp <new public IP> <external
interface of firewall IP - AND NOT MAC>, It checks then the MAC
associated.
You might give it a try as a backup solution.

Any comments, criticisms, better tricks ?

Ivan





Andre Faille <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
13/11/2002 20:45
Please reply to Mailing list for discussion of Firewall-1


        To:  [email protected]
        cc:
        Subject: [FW-1] FTP nat'ed on FP3

Hi,

can anyone help? I upgraded and my FTP server is not available anymore from
the internet...

FW1-NG1 upgraded from FP1 to FP3
on Windows 2000
DMZ address 10.10.10.2 255.255.255.248

FTP server in DMZ
10.10.10.1 255.255.255.248
nat'ed to outside (internet) address, static mode




Thought it might be either the TOPOLOGY missing in the FW for the FTP
configuration or the
FTP protocol (I added ftp-bidir & ftp_mapped), still no reply from my FTP
server from outside???

Any ideas??

Thanks,
Andre Faille
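
An added example, not part of the original thread or of any Check Point tooling: a Python check for the local.arp format given in Ivan's reply (`<new public IP> <tab> <MAC>`), which flags the mix-up with fwparp's second argument (an IP, not a MAC). The function names, the sample addresses and the accepted MAC separators are assumptions.

```python
import ipaddress
import re

# Assumption: MACs may be colon- or hyphen-separated; the thread does not say which form FP3 expects.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def check_local_arp(text):
    """Return (entries, problems): entries maps public IP -> MAC, problems is [(line_no, message)]."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 2:
            problems.append((lineno, "expected <public IP><tab><MAC>"))
            continue
        ip, mac = (f.strip() for f in fields)
        if not is_ipv4(ip):
            problems.append((lineno, "first field is not an IPv4 address"))
        elif is_ipv4(mac):
            problems.append((lineno, "second field is an IP; local.arp takes the MAC (fwparp takes the IP)"))
        elif not MAC_RE.match(mac):
            problems.append((lineno, "second field is not a MAC address"))
        elif ip in entries:
            problems.append((lineno, "duplicate entry for " + ip))
        else:
            entries[ip] = mac.lower().replace("-", ":")
    return entries, problems

# Constructed sample: documentation-range IPs and a made-up MAC, not values from the thread.
SAMPLE = (
    "203.0.113.10\t00:0c:29:aa:bb:cc\n"   # valid
    "203.0.113.11\t203.0.113.1\n"         # fwparp-style IP where the MAC belongs
    "203.0.113.12 00:0c:29:aa:bb:cc\n"    # space instead of tab
    "203.0.113.10\t00-0C-29-AA-BB-CC\n"   # duplicate public IP
)

if __name__ == "__main__":
    print(check_local_arp(SAMPLE))
```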

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================