Firewall Wizards mailing list archives
Re: Working with NAT on FW-1 on NT
From: Ng Lup Houh <luphouh () ncs com sg>
Date: Thu, 03 Dec 1998 23:23:24 +0800
You can make the firewall publish the ARP entry for the translated address (proxy ARP). This is "cleaner" and more scalable than adding static host routes on the router.

Unfortunately, the ARP command in NT cannot create a proxy ARP entry like most Unixes. The "ARP -s" command that you used has only created a static entry in the ARP table for your firewall's external interface; it does not make the firewall answer ARP resolution requests from the router on behalf of 195.100.3.3.

To achieve this, create a file %SystemRoot%\fw\state\local.arp with one line like this:

    195.100.3.3 <mac-address-of-the-external-interface-of-the-firewall>

That's it. Hope this helps,

---
lup houh

PS. I suggest that specific configuration questions on Firewall-1 be posted on the Firewall-1 mailing list.
http://www.checkpoint.com/services/mailing.html

Riccardo Fontana wrote:
Does anyone know how to fix this FW-1 configuration?

I have a Firewall-1 installed on an NT server (ver 4.0, SP3 and a bunch of hotfixes). Behind the firewall is a network with illegal addressing policy. I should export an internal server outside the firewall using NAT rules. Example:

    Router internal addr.:    195.100.3.1 /27
    Firewall external addr.:  195.100.3.2 /27
    Firewall internal addr.:  192.168.1.1 /24
    Server real addr.:        192.168.1.2 /24
    Server translated addr.:  195.100.3.3 /27

To configure the firewall I follow the Firewall-1 Guide, so I create an object for the internal server with its real address and assign a Valid IP address to it by means of the "Add automatic Address Translation Rules" (option STATIC) (ADDRESS TRANSLATION menu). I am also defining a rule in order to let the right traffic pass through the firewall to reach the server:

    Source   Destination   Protocol   Action
    ANY      INTSERVER     SMTP       Accept

Then, I add the following static route:

    route add 195.100.3.3 mask 255.255.255.255 192.168.1.2

Finally, I add the following:

    ARP -s 195.100.3.3 <mac address> 195.100.3.2

(where mac address is the real MAC address of my network adapter)

Now, I expect that if the router connected to the firewall gets a packet with destination addr = 195.100.3.3, it will route it to the firewall and, obviously, filtered to the internal host. The problem is that the traffic packets never reach the external interface of the firewall because the router cannot associate the translated address to the firewall.

After trying a lot of different configurations, I found that the only way to make it work correctly is to add a static route on the router to make it point to the firewall:

    IP ROUTE 195.100.3.3 255.255.255.255 195.100.3.2

(This option works also without adding any ARP entry on the NT machine.)

Firewall GURUs, is it a clean solution? Any hints?

Thanks in advance
--
Riccardo Fontana
Intesis SECURITY LAB
Via Settembrini, 35
I-20124 Milano ITALY
Phone: +39-2-671563.1
Fax: +39-2-66981953
Email: rfontana () seclab com
--
Ng Lup Houh ~{NiA":@~}
Info Tech Security Centre, National Computer Systems
81 Science Park Drive, #04-03/04 Chadwick Bldg, SINGAPORE 118257
Tel: +65-870-5143   Fax: +65-774-5812
luphouh () ncs com sg
http://www.ncs.com.sg/
PGPkey @ http://www.ncs.com.sg/home/luphouh/
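The following is an added illustration, not code from either poster or from Check Point: a small Python model of the ARP exchange the reply describes. It parses a local.arp-style table (one "<translated IP> <MAC>" line, constructed here as sample input), builds RFC 826 ARP request and reply packets by hand, and shows that the router's "who has 195.100.3.3?" goes unanswered unless the firewall's external interface publishes that address and answers with its own MAC. It also includes the check a practitioner wants before relying on local.arp: every published MAC must equal the external interface's MAC, otherwise the router is sent to the wrong station. All MAC addresses are assumed; the IP addresses follow the thread's example network.

```python
"""Model of proxy ARP for a NAT address published via a local.arp-style table (added example)."""
import ipaddress
import re
import struct
from typing import Dict, List, Optional

# Constructed sample in the local.arp format described in the thread (not a file from the page).
SAMPLE_LOCAL_ARP = """\
# local.arp: published (proxy) ARP entries for translated addresses
195.100.3.3 00-A0-C9-12-34-56
"""

# Addresses from the thread's example network; both MACs are assumptions for this model.
FW_EXTERNAL_IP = "195.100.3.2"
FW_EXTERNAL_MAC = "00-a0-c9-12-34-56"   # assumed MAC of the firewall's external NIC
ROUTER_IP = "195.100.3.1"
ROUTER_MAC = "00-00-0c-aa-bb-cc"         # assumed MAC of the router's LAN interface
NAT_IP = "195.100.3.3"

ARP_REQUEST, ARP_REPLY = 1, 2
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}(\1[0-9A-Fa-f]{2}){4}$")


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 and return the 6 raw bytes."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def parse_local_arp(text: str) -> Dict[str, bytes]:
    """Parse '<ip> <mac>' lines into {ip: mac_bytes}; '#' comments and blank lines are skipped."""
    table: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <mac>', got {raw!r}")
        ip, mac = fields
        ipaddress.IPv4Address(ip)  # raises on a malformed address
        table[ip] = mac_to_bytes(mac)
    return table


def check_local_arp(table: Dict[str, bytes], external_mac: str) -> List[str]:
    """One warning per entry whose MAC is not the external interface's MAC.
    A published entry with any other MAC makes the router deliver frames to the wrong station."""
    want = mac_to_bytes(external_mac)
    return [f"{ip}: MAC {mac.hex('-')} is not the external interface MAC {want.hex('-')}"
            for ip, mac in table.items() if mac != want]


def build_arp(op: int, sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP packet (RFC 826 layout, no Ethernet header)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sender_mac + ipaddress.IPv4Address(sender_ip).packed
            + target_mac + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or len(pkt) != 28:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": pkt[8:14], "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
            "target_mac": pkt[18:24], "target_ip": str(ipaddress.IPv4Address(pkt[24:28]))}


def proxy_arp_responder(request: bytes, own_ip: str, own_mac: str,
                        published: Dict[str, bytes]) -> Optional[bytes]:
    """What the firewall's external interface answers: a reply for its own address and for
    every published (local.arp) address, always carrying the published MAC; otherwise silence.
    A plain 'ARP -s' static cache entry never reaches this path, which is the poster's problem."""
    req = parse_arp(request)
    if req["op"] != ARP_REQUEST:
        return None
    if req["target_ip"] == own_ip:
        answer_mac = mac_to_bytes(own_mac)
    elif req["target_ip"] in published:
        answer_mac = published[req["target_ip"]]
    else:
        return None
    return build_arp(ARP_REPLY, answer_mac, req["target_ip"], req["sender_mac"], req["sender_ip"])


def router_resolves(target_ip: str, published: Dict[str, bytes]) -> Optional[bytes]:
    """Router broadcasts 'who has target_ip?'; return the MAC it learns, or None if nobody answers."""
    request = build_arp(ARP_REQUEST, mac_to_bytes(ROUTER_MAC), ROUTER_IP, b"\x00" * 6, target_ip)
    reply = proxy_arp_responder(request, FW_EXTERNAL_IP, FW_EXTERNAL_MAC, published)
    return None if reply is None else parse_arp(reply)["sender_mac"]


if __name__ == "__main__":
    # Without local.arp the request for the translated address is never answered.
    print("no local.arp  :", router_resolves(NAT_IP, {}))
    # With local.arp the firewall answers with its external MAC, so the router sends the packet to it.
    table = parse_local_arp(SAMPLE_LOCAL_ARP)
    print("with local.arp:", router_resolves(NAT_IP, table).hex("-"))
    print("warnings      :", check_local_arp(table, FW_EXTERNAL_MAC))
```

The model reproduces the two outcomes in the thread: with an empty table the router learns nothing for 195.100.3.3 (the state Riccardo described), and with the entry published the firewall answers for the translated address exactly as it does for 195.100.3.2. Running `check_local_arp` against the real external MAC before deploying catches the classic mistake of pasting the internal interface's MAC into local.arp.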
Current thread:
- Working with NAT on FW-1 on NT Riccardo Fontana (Dec 01)
- Re: Working with NAT on FW-1 on NT Ng Lup Houh (Dec 03)
- Re: Working with NAT on FW-1 on NT Erik Schetina (Dec 08)
- RE: Working with NAT on FW-1 on NT Joe Ippolito (Dec 09)
- <Possible follow-ups>
- RE: Working with NAT on FW-1 on NT Martijn Berlage (Dec 02)