Re: Working with NAT on FW-1 on NT

[Ng Lup Houh <luphouh () ncs com sg>]

You can make the firewall publish the ARP entry for the 
translated address (proxy ARP).  This is "cleaner" and 
more scalable than adding static host routes on the router.

Unfortunately, the ARP command in NT cannot create a
proxy ARP entry like most Unixes. 
The "ARP -s" command that you used has only created
a static entry in the ARP table for your firewall's 
external interface; it does not make the firewall
answer ARP resolution requests from the router on
behalf of 195.100.3.3.

To achieve this, create a file %SystemRoot%\fw\state\local.arp
with one line like this:
195.100.3.3 <mac-address-of-the-external-interface-of-the-firewall>

That's it.  Hope this helps,

--- lup houh

PS.  I suggest that specific configuration questions on
Firewall-1 be posted on the Firewall-1 mailing list.
http://www.checkpoint.com/services/mailing.html

Riccardo Fontana wrote:
> Does anyone know how to fix this FW-1 configuration ?
>
> I have a firewall-1 installed on an NT server (ver 4.0, SP3 and a bunch
> of hotfixes).
>
> Behind the firewall is a network with illegal addressing policy.
> I should export an internal server outside the firewall using NAT rules.
>
> Example:
>
> Route internal Addr.:           195.100.3.1 /27
> Firewall External Addr.:        195.100.3.2 /27
> Firewall Internal Addr.:        192.168.1.1 /24
>
> Server Real Addr.:              192.168.1.2 /24
> Server translated addr.:        195.100.3.3 /27
>
> To configure the firewall I follow the Firewall-1 Guide, so I create an
> object for the internal server with its real address and assign a Valid
> IP address to it by means of the "Add automatic Address Translation
> Rules" (option STATIC) (ADDRESS TRANSLATION menu).
> I am also defining a rule in order to let the right traffic pass through
> the firewall to reach the server:
>
> Source          Destination     Protocol        ACTION
> ANY             INTSERVER       SMTP            Accept
>
> Then, I add the following static route:
>
> route add 195.100.3.3 mask 255.255.255.255 192.168.1.2
>
> Finally, I add the following:
>
> ARP -s 195.100.3.3 <mac address> 195.100.3.2            (where mac address is the
> real MAC Address of my network adapter)
>
> Now, I expect that if the router connected to the firewall gets a packet
> with destination addr = 195.100.3.3, it will route it to the firewall
> and, obviously filtered to the internal host.
>
> The problem is that the traffic packets never reach the external
> interface of the firewall because the router cannot associate the
> translated address to the firewall. After trying a lot of different
> configurations, I found that the only way to made it work correctly is
> to add a static route on the router to make it point to the firewall:
>
> IP ROUTE 195.100.3.3 255.255.255.255 195.100.3.2
>
> (This option works also without adding any ARP entry on the NT machine)
>
> Firewalls GURUs is it a clean solution ? Any hints ?
>
> Thanks in advance
>
> --
> Riccardo Fontana
> Intesis SECURITY LAB            Phone: +39-2-671563.1
> Via Settembrini, 35             Fax: +39-2-66981953
> I-20124 Milano  ITALY           Email: rfontana () seclab com

-- 
Ng Lup Houh  ~{NiA":@~}    PGPkey @ http://www.ncs.com.sg/home/luphouh/
Info Tech Security Centre  81 Science Park Drive     luphouh () ncs com sg
National Computer Systems  #04-03/04 Chadwick Bldg    Tel: +65-870-5143
http://www.ncs.com.sg/     SINGAPORE 118257           Fax: +65-774-5812