Nat on w2k and Checkpoint FW-1 NG FP3 1

[robyone64]

Hello everibody,
ive a problem with static nat on a checkpoint ng fp3 based on w2k sp3.
1) nat hide work ok, but is not that i need
ok i start with an example
interface
fwipext Interfce of the firewall on internet
fwipint interface of firewall on lan
ipextnat one of the ip external of my subnet
ipintoriginal the internal ip corresponding to ipextnat
macfw mac addres of fwipext with ipconfig/all
ok, step 1 static route
route add -p ipextnat mask 255.255.255.255 ipintorig fwipint

after proxy arp
arp -s ipextnat macfw
policy on fw Gui ok
but it don't work......
HELP!!! Any suggest???

 

[Lou0686]

Hi Robyone64,

Add the private address to the Local.arp file located in a subdirectory under the FW1 directory.

Lou

 

[robyone64]

Hi Lou thank for the suggest....


Yes, but the strange thing is that the local.arp does'nt exist, i suppose that i must build it and place under the directory standard (the same of the other fw-1 $xxxx/xx).
syntax of local.arp
public ip1 macaddress of external
public ip2 macaddress of external
etc.
I'll try it !

 

[Lou0686]

Hi again,

It's weird that it does not exist. I have never run into this. Did you search the whole firewall directory structure? Off hand I don't remember where it is supposed to be, but I can check for you on Monday when I get back to work. Do you now the format if you need to create it?

Lou

 

[robyone64]

Hi Lou,
the file must be in the $FWDIR/conf directory, but it does not exist, i have search it in all the computer but.... nothing....
I know that is very strange!!!!
No i'm not shure to know the format of local.arp, i suppose is :
publicip tab arppublicmac
But you told me to use also the private ip.... to the pricate mac of 2nd card???
Another thing, i use also a little program called fwparp,
public ip arp, it reply me BAD IP ADDRESS...
Another strange thing!!!
thanck If you can write me the syntax of local.arp.
Bye

 

[Lou0686]

Hi,

I am pretty certain that the local.arp file's format is a follows:

<Public NIC MAC> tab <Private IP of device you are NATting>

for instance:

00AF12C23402 10.10.0.100
00AF12C23402 10.10.0.101

But since I am not 100% certain, I will verufy tomorrow. For now you can try it.

Lou

 

[SgtB]

The automatic ARP stuff, and translate destination on client side need to be checked under general NAT properties. This should make things work for you (NAT rules need to be specified of course). If that does not work you need to manually add the local.arp file to the $FWDIR/conf directory.
local.arp syntax:
<valid IP address> <MAC address of external interface>
Then add a route for the vaild IP address.
If that doesn't work, use fwparp.exe.
syntax is:
fwparp <vaild IP> <External IP Address of Fireall> (Not the MAC address)

Like I said though FW-1 can do all this automatically with Windows 2000. Try it that way first. You may need to restart the server after the policy is installed. ________________________________________
Check out

http://www.security-forums.com

 

[robyone64]

Hi, thank you i tried with automatic arp, but it doesn't work, with local.arp placed in fw1/conf, after restart it was automatically deleted!!!!!!!!!.
I've build a .bat file with the fwparp and all the address translations.
It work finally...
Now i try the vpn connection from the internal network to my Firewall, but the client did'nt work, i can see in the log the icmp (for example) not the incapsulate traffic!!!
Another mistery......
Is possible that the client installation did not work properly.
Does anyone know of troubleshooting on w98????