NAT IP Conflict another IP

gorhon · #1 (**permalink**) 2006-03-02

Hello, very good forum thanks for all.

I have a problem. Yesterday, my NAT IP (172.16.201.4) conflict another router ip (172.16.201.4). This is a new router. I change my router ip 172.16.201.5. But local host (192.168.8.100) no ping any site. No connect any site. I think, my firewall auto block this host ip. Because other ip's (example, 192.168.8.202) ping anywhere, connect anywhere. I change security policy any any everythink. But no connection only this ip.

4 hours after my local host (192.168.8.100) connect anywhere.

configuration

Checkpoint Firewall R55

NAT
192.168.8.100 ---> NAT IP 172.16.201.4

All local routing is ok. All external routing is ok.

Why auto block my firewall this local ip?

or what is wrong?

How remove this block?

kva.kva · #2 (**permalink**) 2006-03-02

Check Tracker information. And collect fw monitor, tcpdump information. All of this can help with determination the problem.
fw monitor, i think, 1'st. It'll show information from input and output interfaces. So you can determine that IP packets leave you CP or not and with which IP addresses.

gorhon · #3 (**permalink**) 2006-03-02

i check all logs, all dumps. But nothing about this problem. I think problem my FW1 SAM database? Can i use "fw sam -D" command for this problem?

Block only one local ip. Other local ip is work. I dont understand.....

:(((

kva.kva · #4 (**permalink**) 2006-03-02

Try to check SmartView Tracker -> Active for your connection first.

Lackie · #5 (**permalink**) 2006-03-02

If it's a static nat as it appears to be, you may need to put in a proxy arp on the firewall.

gorhon · #6 (**permalink**) 2006-03-03

okey. But now no problem. This problem only 4-5 hours. After ok.

My Question, Why? only one ip? Have this checkpoint a blacklist?

????

Thanks for all.

Lackie · #7 (**permalink**) 2006-03-05

CP doesn't have a blacklist.

If you are using automatic arp, then I would uncheck that and set up the proxy arp's manually. I don't fully trust the automatic arp as it seems to not work every once in a while. Using everything manually works all the time.

kva.kva · #8 (**permalink**) 2006-03-05

Really, I didn't have problems with automatic arp. :)

I think too, that source of this problem in arp.

chillyjim · #9 (**permalink**) 2006-03-06

Auto arp on automatic rules has worked for years even on windows.

The problem described is an ARP timeout. Somewhere there is a Cisco router (as they have a default arp timeout of 4-8 hours depending on the IOS version) that had the router's mac assigned to the ip address.

gorhon · #10 (**permalink**) 2006-03-14

thank you for all. This is a arp problem. I understand.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode