Re: [fw1-gurus] Static NAT limitations

Thanks to all who replied. The consensus seems to be:

> ...you can safely ignore these messages.
> They are neither good nor bad. These messages just are.

In that context it makes perfect sense. It just seems kludgy in that the
system assumes an automatic static NAT requires a proxy ARP, and will
attempt to provide it if that feature is enabled, regardless of whether
the actual topology requires it.

It also strikes me as odd that in the two Checkpoint sk articles
(sk18463, and sk25949) sent to me by Nokia support regarding this
question, the recommended solution is to modify your configuration:

>>> Solution
>>> Correct the Static NAT IP given to the specified machine.
>>> FireWall-1 NG must have an interface on the same subnet as the
>>> Static NAT IP configured.


>>> Solution
>>> Add a virtual IP address in new range to firewall's external
>>> Virtual IP must be added at both the OS level and in the firewall 
>>> object's Topology page.

They never mention that the error is purely cosmetic.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
