2007-03-08
seizeadonai
Re: Upgrade: NG FP3 to NGX R62 (win2k)

Again, I would like to start off by saying thank you for your time in replying.

RayPesek, to answer your question, it's one box. Standalone FW-1, I believe, is along the lines of the terminology that Check Point uses. The enforcement module, management module, licensing module, all one box. Unfortunately, management will not allow me to break up modules across boxes; we just don't have the hardware budget for it. Besides, NG FP3 has been configured the same way and has worked since it came out. I have pushed multiple policies and still no change. I agree with your comments surrounding upgrading the OS. Right now my task is to upgrade the FW software first; I can then upgrade the OS once it's up and running on 2k. I have been building a case to upgrade all our 2k server infrastructure, it's just a slow process with management. As far as the local.arp, I know for a fact it sees the manual proxy ARP entries; it's just a matter of having the local.arp file in the correct place, the \conf dir.

chillyjim, I would prefer having a Nokia IP 330 that would do the job nicely. I am very comfortable in Linux, but I'm the only one around here. If I "disappear" they'd be stuck between a rock and a hard place. I don't want to leave them high and dry, not my style. As far as what you're suggesting I do, I can try it. What led me to believe it's specific to the firewall is that if I remove the auto NAT, the server gets out just fine. I understand that it still could be an upstream ARP cache issue, because when I do that, the servers that have issues can now access the internet, via the hide behind the interface on the firewall. What doesn't make sense to me is when I swapped the cable for the external interface on the firewall from the old firewall to the new, the tunnels and connectivity come right up. If it was a cache issue on the PE, then wouldn't external communication fail until the upstream cleared their ARP entries?