Firewall Wizards mailing list archives

Re: FW1 nat/arp problems


From: cbrenton <cbrenton () sover net>
Date: Wed, 10 Feb 1999 15:39:15 -0500 (EST)

On Wed, 10 Feb 1999, Dennis Edmonds wrote:

> I have gone through this particular FW1 setup several times myself, and had a
> CheckPoint support technician go over the setup as well.  I am positive (as
> much as anyone can be anyway) that the rules, local.arp (yes it is a WinNT box,)

local.arp in a word, sucks. It's not Checkpoint's fault. They are doing
their best to work around the deficiencies of the base OS (ARP _is_ a
layer two thing after all).

With that said, try doing a:
fw tab

This will dump a bunch of hex info, a portion of which should be all your
local.arp entries. If they are not there, FW-1 does not know enough to
respond to the ARP request.

You can check out:
http://www.geek-speak.net

for some help with dealing with ARP issues.

> The only unique thing about this network is that the public and private
> networks are divided by using VLANS on a Bay Networks switch.

This should not affect the above config as you are responding with a valid
MAC address which is seen by the switch. My only caution here however is
that you could be leaving your network open to attack. Switch vendors are
still coming up to speed on security related issues and many are still
vulnerable to a number of DoS attacks. I've also seen one person use
fragmented UDP traffic (no I will not tell you how, use your imagination
;) to trick the switch into thinking traffic was originating from another
VLAN thus allowing the attacker to generate a console session.

If an attacker can get to your switch, your firewall is completely
useless.

Good luck,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
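A sanity check to run on the local.arp file before digging through the `fw tab` dump, added here as an example; it is not code from the original thread or from Check Point. It assumes the two-column `IP MAC` format with hyphen-separated MACs as used on NT, treats `#` lines as comments, and works on constructed sample entries.

```python
import ipaddress
import re

# Constructed sample local.arp content (hypothetical addresses). On the NT
# firewall the real file sits in the FW-1 installation directory.
SAMPLE_LOCAL_ARP = """\
# NAT addresses the firewall must answer ARP for
192.0.2.10  00-50-56-aa-bb-01
192.0.2.11  00-50-56-aa-bb-01
192.0.2.12  00:50:56:aa:bb:02
192.0.2.13  00-50-56-aa-bb-03 extra
300.0.2.14  00-50-56-aa-bb-04
192.0.2.10  00-50-56-aa-bb-05
"""

# Assumed NT form: six hex pairs separated by hyphens.
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}$")


def parse_local_arp(text):
    """Return (entries, problems): valid (ip, mac) pairs and (line, reason) tuples."""
    entries, problems = [], []
    seen_ip = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((lineno, "expected 'IP MAC', got %d fields" % len(fields)))
            continue
        ip, mac = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((lineno, "bad IP address %r" % ip))
            continue
        if not MAC_RE.match(mac):
            problems.append((lineno, "MAC %r not in hyphenated aa-bb-cc-dd-ee-ff form" % mac))
            continue
        if ip in seen_ip:  # two MACs for one NAT address: FW-1 can only answer with one
            problems.append((lineno, "duplicate entry for %s (first on line %d)" % (ip, seen_ip[ip])))
            continue
        seen_ip[ip] = lineno
        entries.append((ip, mac.lower()))
    return entries, problems


def missing_nat_entries(entries, nat_addresses):
    """NAT addresses from the rule base that have no local.arp entry at all."""
    present = {ip for ip, _ in entries}
    return sorted(set(nat_addresses) - present)
```

Several NAT addresses sharing one MAC is normal, since the firewall answers with its own external interface's address; the checker only flags one IP mapped to two MACs.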


