
Re: [FW-1] Hiding NAT with Proxy ARP


  • To: [email protected]
  • Subject: Re: [FW-1] Hiding NAT with Proxy ARP
  • From: "Laidlaw, Rob" <[email protected]>
  • Date: Sun, 24 Aug 2003 21:09:53 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcNqdseC+TY0l7dBSwSblkey08nGZQANR+ZA
  • Thread-topic: [FW-1] Hiding NAT with Proxy ARP

I have this setup and I actually like it better. I have a firewall with a private address on both internal and external; the external has a /30. I then have a black hole route on the firewall for the public subnet that we use for our NATs. I have redistributed that public route into our OSPF domain. With this setup there is no need for any type of proxy ARP. The only requirement is to make sure that the network devices in front of the firewall all have a route for that subnet pointing toward the firewall.

I like this setup better because it removes the problems associated with ARP timeouts and setting up the proxy ARPs. I find it just as secure, if not more so, because everything gets handled at layer 3 on the external side.
As far as IPs that have not been defined, they get dropped by the cleanup rule in Check Point, and even if they didn't, the route to /dev/null drops them anyway. I have also used this setup with my PIX and a Linux firewall running iptables, and it works great on those platforms as well.


Rob Laidlaw
Senior Network Engineer
EnvestnetPMC
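An added example (not code from this thread or from either poster) that models the routed design in the reply above: a private /30 on the outside, a public block used only for NAT addresses, a blackhole route for that block on the firewall, and an upstream router that learns the block via OSPF. All addresses, interface names and the static NAT entry are constructed; the point it shows is that defined public addresses are translated before routing, undefined ones fall into the blackhole, and no proxy ARP entry (as in the quoted question) is involved.

```python
import ipaddress

# Constructed topology following the reply above (all addresses are made up):
# a private /30 between firewall and upstream router, a public block used only
# for NAT addresses, and a blackhole route for that block on the firewall.
FW_EXT = ipaddress.ip_interface("10.255.255.2/30")   # firewall external, private
UPSTREAM = ipaddress.ip_address("10.255.255.1")      # upstream router on the /30
FW_INT = ipaddress.ip_interface("192.168.0.1/24")    # firewall internal
PUBLIC_NAT = ipaddress.ip_network("203.0.113.0/24")  # public NAT block (TEST-NET-3)

# Firewall routes as (prefix, next hop, interface); "blackhole" stands for
# the /dev/null route, e.g. `ip route add blackhole 203.0.113.0/24` on Linux.
FW_ROUTES = [
    (FW_EXT.network, None, "eth0"),
    (FW_INT.network, None, "eth1"),
    (PUBLIC_NAT, None, "blackhole"),
    (ipaddress.ip_network("0.0.0.0/0"), UPSTREAM, "eth0"),
]

# Upstream router: learns the public block from OSPF redistribution, so its
# next hop is the firewall's /30 address; no proxy ARP entry exists anywhere.
UPSTREAM_ROUTES = [
    (PUBLIC_NAT, FW_EXT.ip, "gi0/1"),
    (FW_EXT.network, None, "gi0/1"),
]

# Static NAT: the only "defined" public addresses, mapped to internal hosts.
STATIC_NAT = {"203.0.113.10": "192.168.0.10"}


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (prefix, next hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def handle_inbound(dst):
    """Inbound packet towards a public address: upstream routing, then NAT, then routing."""
    up = lookup(UPSTREAM_ROUTES, dst)
    if up is None or up[1] != FW_EXT.ip:
        return ("lost-upstream", None, dst)      # the OSPF route is the one hard requirement
    translated = STATIC_NAT.get(dst, dst)        # static NAT is applied before routing
    _, _, iface = lookup(FW_ROUTES, translated)
    if iface == "blackhole":
        return ("drop", "blackhole", dst)        # undefined public IP: swallowed on the firewall
    return ("forward", iface, translated)
```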

-----Original Message-----
From: Markus Hofbauer [mailto:[email protected]]
Sent: Sunday, August 24, 2003 2:24 PM
To: [email protected]
Subject: [FW-1] Hiding NAT with Proxy ARP


Hi,

I'm sure most of the guys on this list know that it's possible to use a
different IP address than the firewall IP address for Hiding NAT:

         10.1.1.0/24
         --------------
                 |
                 | Hiding-NAT for
                 | 192.168.0.0/24 & 192.168.1.0/24: 10.1.1.2
                 |
                 |10.1.1.1
          /-------------\                                 192.168.1.0/24
         |       FW      |-------------------------------------------------
          \-------------/
                 |192.168.0.1
                 |
         -------------------
         192.168.0.0/24


This works fine on Solaris. Last week I noticed that this scenario does not
work any more on SecurePlatform AI ClusterXL (New Mode HA Broadcast).

Started some debugs and found out that the active machine does not answer
the ARP requests for the address 10.1.1.2. Double-checked the ARP entry on
the machine (created with arp -s 10.1.1.2 <HW-Address> pub).

After some searches through the lists I found out that a route to the
destination is necessary to get this working,
e.g. route add -host 10.1.1.2 gw <destination>

Hmm...

How to set this route in the network topology shown above? There is no clear
destination...

I've tried to set an interface-route: route add -host 10.1.1.2 dev eth0
This seems to work but I'm sure this is not the official solution for this.

Does anyone have this kind of config up and running? Thanks for any hints.

Greetz,
Markus

--
Markus Hofbauer, IT-Service / Security
Bacher Systems EDV GmbH, Wienerbergstr. 11B, A-1101 Wien, Austria
phone: +43 (1) 60 126-34 | fax: +43 (1) 60 126-4
e-mail: [email protected] | web: www.bacher.at



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================