Checkpoint Cluster XL New mode NAT problem

- R
- ranger
  
  Contact options for registered users
posted
18 years ago

Wed, May 4, 2005 7:32 AM

Hi, we have 2 SunOS 5.9 Generic_117171-11 sun4u sparc SUNW,Ultra-250, configured in Cluster XL (New Mode) with CP NG AI HFA_09, Hotfix 182. We use manual NAT, we have configured static arp (and routes) on both cluster members. It works well untill the cluster switches; we have seen gratuitous arp on ly for all cluster's interfaces. We don't see gratuitous arp for the IP we have static natted, arp caches of hosts on outside interfaces are not updated, and th e the natted host stops working.

(with legacy mode we have no problems, but want to use New Mode)

Waiting for hearing from somebody.

- R
- ranger
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Thu, May 5, 2005 6:46 AM

We use manual NAT because we need special translations that cannot be done with automatic configuration.

Wayne McGlinn ha scritto:

translated

FireWall-1

- W
- Wayne McGlinn
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Thu, May 5, 2005 4:07 PM

Why use Manual NAT? Try Automatic NAT and allow the Firewall to arp for you. From the online help in CP FW1 NG AI:

Automatic ARP configuration ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the FireWall-1 Gateway.

This option removes the requirement (present in VPN-1/FireWall-1 prior to version NG) for manual ARP configuration (using the arp command in Unix or the local.arp file in NT).

The command fw ctl arp displays the ARP proxy table on VPN-1 Pro enforcement modules that run on Windows NT and Windows 2000. On Unix, use the arp -a command.