firewall-1 NG NAT/local.arp/arp question
From: news-west.newscene.com (lynxo78@nospamhere.hotmail.com) Date: 09/04/02
From: "news-west.newscene.com" <lynxo78@nospamhere.hotmail.com> Date: 4 Sep 2002 03:34:35 -0500
Hi,
I'm studying for my Checkpoint Firewall NG exam. I have set up a test
environment with 3 PCs: one PC on each of two subnets and one as the
router. This is the environment:
subnet 1 (simulated internet): 192.168.253.0/24
subnet 2: 10.1.1.0/24
pc1 (subnet 1) - 192.168.253.101/24
pc2 (subnet 2) - 10.1.1.2/24
router (running NT4 Server SP6a with IP forwarding enabled):
  subnet 1 address: 192.168.253.125/24
  subnet 2 address: 10.1.1.1/24
I have installed NG with FP2. It seems to be working fine and I have managed
to get NAT working, but I'm not sure I have done it correctly. I have been
reading some documentation about adding a static NAT public to private
address rule. It mentions that you need to add an object with a routable
address. In this case, as a test I want to use 192.168.253.126.
My policy rules allow everything. My NAT rules read like this, only relevant
info shown:
1. original: (source) 10.1.1.2 (dest) any (service) any / translated: (source) 192.168.253.126 (dest) original (service) any
2. original: (source) any (dest) 192.168.253.126 (service) any / translated: (source) any (dest) 10.1.1.2 (service) any
Now this should allow traffic out from 10.1.1.2 to 192.168.253.x at least...
it doesn't. I'm assuming that this is because 192.168.253.126 is not really
bound to anything, so the packet doesn't know where to go??
To get it working I edited the object 192.168.253.126 and changed it to be
automatic static NAT with an address of 192.168.253.126. This added a rule
above the existing one. Outgoing traffic now works. Is what I have done
correct?
To get inbound services working I created a local.arp file (which wasn't
there) in the conf directory. Restarted NG, works fine. I was curious as to
why you can't use the NT arp command to add a static entry (at least that's
what the docs say). I added a static entry and deleted local.arp and
restarted etc. It still works?? I cleared out ARP caches first etc. Why do
they say you can't do this?
Thanks for any help or advice.
James
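The outbound symptom James describes (a NAT address that is "not really bound to anything") is an ARP problem: for static NAT the gateway must answer ARP requests for the translated address on its external interface, which is what the Windows local.arp file (one "IP MAC" pair per line) provides. The following validator is an added example, not code from the post or from Check Point; the MAC value, the hypothetical third entry and the check names are constructed assumptions built around the post's 192.168.253.125/24 external interface and 192.168.253.126 NAT address.

```python
# Added example: sanity-check a Windows-style local.arp file for FireWall-1 NG
# static NAT. Every value below is constructed for illustration; the MAC is a
# placeholder, not a real address from the post.
import ipaddress
import re

EXTERNAL_IF = ipaddress.ip_interface("192.168.253.125/24")  # gateway external side
EXTERNAL_MAC = "00-11-22-33-44-55"                           # placeholder MAC
NAT_OBJECTS = {"192.168.253.126"}   # addresses used by static NAT rules

# Constructed local.arp content: one good line, one published with the wrong
# MAC (replies would reach another host), one outside the external subnet.
SAMPLE_LOCAL_ARP = """\
# ip              mac (Windows dash form)
192.168.253.126   00-11-22-33-44-55
192.168.253.130   00-aa-bb-cc-dd-ee
10.1.1.99         00-11-22-33-44-55
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$", re.I)


def parse_local_arp(text):
    """Return a list of (ip, mac) tuples; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <mac>'")
        ip, mac = parts
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: malformed MAC {mac!r}")
        entries.append((ipaddress.ip_address(ip), mac.lower().replace(":", "-")))
    return entries


def check_entries(entries, ext_if=EXTERNAL_IF, ext_mac=EXTERNAL_MAC, nat_objects=NAT_OBJECTS):
    """Return a list of problem strings; an empty list means the file is consistent."""
    problems = []
    for ip, mac in entries:
        if mac != ext_mac.lower():
            problems.append(f"{ip}: MAC {mac} is not the external interface MAC")
        if ip not in ext_if.network:
            problems.append(f"{ip}: not in external subnet {ext_if.network}, nobody will ARP for it")
        if str(ip) not in nat_objects:
            problems.append(f"{ip}: no static NAT rule uses this address (stale entry)")
    for ip in sorted(nat_objects - {str(ip) for ip, _ in entries}):
        problems.append(f"{ip}: static NAT address has no local.arp entry, inbound will fail")
    return problems
```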