[FW-1] secure platform small office
Hi, I have a small issue with this product. We have 3 interfaces: one to the outside world (x.x.xxxx.90) and two internal ones. What we are trying to achieve is for SMTP traffic to be routed to the internal mail server. The MX record points to xxxx.xxxx.xxxx.91, internal IP 192.168.2.11. We would also like traffic to and from our DMZ to be redirected to our internal net and vice versa. We were given a solution by Checkpoint, but this doesn't work; the solution is shown below. Does anyone know of or have documentation on VPN1/SmallOffice that I can have, or know whether the solution below can only work once a policy has been pulled?

Many thanks in advance.

Wycliffe.

Abstract: NAT & ARP on Secure Platform

Dear Wycliffe,

Here is a solution for your issue.

Fact: Firewall-1 NG
Fact: VPN-1 NG
Fact: Secure Platform
Fact: Red Hat
Fact: Linux
Fact: Network Address Translation (NAT)
Fact: proxy ARP
Fact: Automatic ARP

Symptom: Automatic ARP does not work on Linux.

Cause: Linux kernel 2.x will not proxy ARP for an IP address for which it does not have a route. (It is a security feature of the OS.)

Fix: The NG Automatic ARP feature is not supported on Linux platforms.

Workaround: These steps are applicable to Linux kernel version 2.x, including Check Point's Secure Platform.

1) Configure the Linux kernel to enable proxy ARP using the following command:

    echo 1 > /proc/sys/net/ipv4/conf/<if_name>/proxy_arp

   ...where <if_name> is the name of the external interface, for example: eth0

   This command should be added to one of the startup scripts, such as rc.local, in order to survive a reboot.

2) Add a host route for the Static NAT IP address using the internal IP address of the host (or next hop) as the gateway:

    route add -host <Static_NAT_ip_addr> gateway <internal_ip_addr>

   This should also be added to a startup script, or in the case of Secure Platform, a permanent route can be added using the sysconfig utility.
3) The above 2 steps should be sufficient to enable proxy ARP to function for your Static NAT configuration, since the Linux kernel is designed to be intelligent enough to proxy ARP for IP addresses in its routing table. However, if it becomes necessary to add a proxy ARP entry, use the following command:

    arp -s <Static_NAT_ip_addr> <FireWall_external_MAC_addr> pub
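As an added example (not from the original post and not Check Point's own code), the script below turns the three workaround steps into a small POSIX sh helper: it validates the addresses and MAC before anything is generated, reports whether proxy_arp is already on for the external interface, and prints the exact lines to paste into rc.local. The interface name, the net-tools `route`/`arp` syntax and the /proc path are taken from the post; PROC_CONF being overridable and the `render_workaround`/`proxy_arp_enabled` function names are assumptions made here so the helper can be checked against a scratch directory instead of the live kernel.

```shell
#!/bin/sh
# Added example: render the proxy-ARP workaround for one Static NAT address.
# Not part of the original post or of Check Point's article.
# Assumes POSIX sh and net-tools route/arp syntax as used in the post.
# PROC_CONF can be pointed at a copy of the /proc tree for testing.

PROC_CONF="${PROC_CONF:-/proc/sys/net/ipv4/conf}"

# Dotted-quad sanity check: four decimal octets, each 0-255.
# A typo here would otherwise produce a bogus host route at boot.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Colon-separated MAC check (aa:bb:cc:dd:ee:ff), case-insensitive.
is_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Succeeds when proxy_arp is already enabled on the interface (step 1 done).
proxy_arp_enabled() {
    f="$PROC_CONF/$1/proxy_arp"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the rc.local lines for steps 1-3.
# Usage: render_workaround <ext_if> <static_nat_ip> <internal_ip> [<ext_mac>]
# The MAC is optional: step 3 (published ARP entry) is only emitted if given.
render_workaround() {
    ext_if=$1; nat_ip=$2; int_ip=$3; ext_mac=$4
    [ -n "$ext_if" ] || { echo "missing external interface name" >&2; return 1; }
    is_ipv4 "$nat_ip" || { echo "bad Static NAT address: $nat_ip" >&2; return 1; }
    is_ipv4 "$int_ip" || { echo "bad internal address: $int_ip" >&2; return 1; }
    if [ -n "$ext_mac" ] && ! is_mac "$ext_mac"; then
        echo "bad external MAC address: $ext_mac" >&2; return 1
    fi
    # Step 1: kernel proxy ARP on the external interface.
    printf 'echo 1 > %s/%s/proxy_arp\n' "$PROC_CONF" "$ext_if"
    # Step 2: host route so the kernel will proxy ARP for the NAT address.
    printf 'route add -host %s gateway %s\n' "$nat_ip" "$int_ip"
    # Step 3 (optional): explicit published ARP entry.
    if [ -n "$ext_mac" ]; then
        printf 'arp -s %s %s pub\n' "$nat_ip" "$ext_mac"
    fi
}

# Stand-alone use: sh thisfile.sh eth0 <static_nat_ip> <internal_ip> [<mac>]
if [ $# -ge 3 ]; then
    if proxy_arp_enabled "$1"; then
        echo "# proxy_arp already enabled on $1" >&2
    fi
    render_workaround "$@"
fi
```

Run it once with the real values and append its output to rc.local; on Secure Platform the route line can instead be made permanent through sysconfig as the article says. The `proxy_arp_enabled` check is there so a second run after reboot tells you whether step 1 actually took effect.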