
[FW-1] secure platform small office


  • To: [email protected]
  • Subject: [FW-1] secure platform small office
  • From: Wycliffe Sylvester-Fraser <[email protected]>
  • Date: Wed, 5 Mar 2003 17:46:13 -0000
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcLjMGYpI3U08tSbTn62gMowgMFsAAADNlSA
  • Thread-topic: Re: [FW-1] Backing up secureplatform

Hi, I have a small issue with this product: we have 3 interfaces, one to the outside world (x.x.xxxx.90) and two internal ones.

What we are trying to achieve is for SMTP traffic to be routed to the internal mail server. The MX record points to xxxx.xxxx.xxxx.91 (internal IP 192.168.2.11).

We would also like for traffic to and from our DMZ to be redirected to our internal net and vice versa. We were given a solution by Checkpoint but this doesn't work. The solution is shown below. Does anyone know of or have documentation on VPN1/SmallOffice that I can have, or know whether the solution below can only work once a policy has been pulled?

Many thanks in advance.

Wycliffe.

Abstract: NAT & ARP on Secure Platform

Dear Wycliffe,

Here is a solution for your issue.

  • Fact: Firewall-1 NG
  • Fact: VPN-1 NG
  • Fact: Secure Platform
  • Fact: Red Hat
  • Fact: Linux
  • Fact: Network Address Translation (NAT)
  • Fact: proxy ARP
  • Fact: Automatic ARP
  • Symptom: Automatic ARP does not work on Linux
  • Cause: Linux kernel 2.x will not proxy ARP for an IP address for which it does not have a route. (It is a security feature of the OS.)
  • Fix: The NG Automatic ARP feature is not supported on Linux platforms.

Workaround:

These steps are applicable to Linux kernel version 2.x, including Check
Point's Secure Platform.

1) Configure the Linux kernel to enable proxy arp using the following
command:

echo 1 > /proc/sys/net/ipv4/conf/<if_name>/proxy_arp

...where <if_name> is the name of the external interface, for example: eth0
This command should be added to one of the startup scripts, such as
rc.local, in order to survive a reboot.

2) Add a host route for the Static NAT ip address using the internal ip
address of the host (or next hop) as the gateway:

route add -host <Static_NAT_ip_addr> gateway <internal_ip_addr>

This should also be added to a startup script, or in the case of
Secure Platform, a permanent route can be added using the sysconfig utility.

3) The above 2 steps should be sufficient to enable proxy ARP to function
for your Static NAT configuration, since the Linux kernel is designed to be
intelligent enough to proxy ARP for IP addresses in its routing table.
However, if it becomes necessary to add a proxy ARP entry, use the following
command:

arp -s <Static_NAT_ip_addr> <FireWall_external_MAC_addr> pub
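The three steps above rendered as a checked rc.local-style fragment, as an added example that is not from the original post or Check Point's article; the interface name, addresses and MAC are placeholders to replace with your own. The input checks matter because proxy_arp=1 makes the kernel answer ARP on that interface for every address it can route elsewhere, so a mistyped host route or published entry claims the wrong address on the outside segment.

```shell
#!/bin/sh
# Added example (not from the original post or Check Point): validates the
# inputs and prints the startup-script lines for steps 1-3 of the workaround.
# eth0, the addresses and the MAC used by callers are placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Return 0 if $1 is a colon-separated 48-bit MAC such as 00:11:22:33:44:55.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# render_workaround IF NAT_IP INTERNAL_IP [EXTERNAL_MAC]
# Prints the lines to append to a startup script. The explicit "arp -s ... pub"
# line (step 3) is emitted only when a MAC is supplied, since the article says
# it is normally unnecessary once the host route exists.
render_workaround() {
    ifname=$1; nat_ip=$2; int_ip=$3; mac=${4:-}
    case "$ifname" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $ifname" >&2; return 1;;
    esac
    is_ipv4 "$nat_ip" || { echo "bad Static NAT address: $nat_ip" >&2; return 1; }
    is_ipv4 "$int_ip" || { echo "bad internal address: $int_ip" >&2; return 1; }
    if [ -n "$mac" ] && ! is_mac "$mac"; then
        echo "bad MAC address: $mac" >&2; return 1
    fi
    # Step 1: let the kernel answer ARP on the external interface for addresses
    # it has a route to via another interface.
    echo "echo 1 > /proc/sys/net/ipv4/conf/$ifname/proxy_arp"
    # Step 2: the host route that makes the NAT address "routed", and therefore
    # eligible for proxy ARP, with the internal host as next hop.
    echo "route add -host $nat_ip gateway $int_ip"
    # Step 3 (only if needed): publish the entry explicitly.
    [ -n "$mac" ] && echo "arp -s $nat_ip $mac pub"
    return 0
}
```

Review the printed lines, then append them to rc.local (or, for the route, add it permanently with the sysconfig utility as the article suggests) rather than piping them straight into the script.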
