2007-03-15
mekach22
Re: Upgrade: NG FP3 to NGX R62 (win2k)

We just upgraded our FP3 (distributed environment with 2 gateways) to NGX R60 SPLAT last Thursday and Static NAT is not working. I used the NGX upgrade_export/upgrade_import utility to perform the upgrade. All new hardware. There had to be something lost in translation when doing this upgrade from FP3 to NGX.

We have several services hosted by NAT and we cannot access any of them from the Internet (unless we utilize a workaround by adding static routes for those devices on the upstream router). This workaround is limited, though; therefore, it is not a solution. All NAT’ing was working on the FP3 platform.

I have a case open with Checkpoint, but they have yet to figure out the issue. We have checked the proxy ARP table with "fw ctl arp", and the static NAT entries are there. We have verified the new MAC addresses with the actual interfaces on the firewalls. We have tried disabling Auto NAT on the said devices and creating Manual NAT rules. No luck. We have added a local.arp file, no luck. Added persistent ARPs with arp -v -n -i eth0 -s xx.xx.xx.xx 00:00:00:00:00:00 pub. No luck.

If I try to ping one of the NAT’d IPs from outside and watch the traffic with a TCPDUMP on eth0 on the firewall, I get “arp who-has xx.xx.xx.xx (NAT) tell xx.xx.xx.xx (upstream router)”. The firewall is not taking ownership of the NAT.

NGX R60 has been out for some time and I cannot believe that Checkpoint does not have a resolution for this. Our case just got pushed to an escalation engineer at Checkpoint, so we will see if we get this resolved.
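Added example, not part of the original post: a Python check that reads tcpdump ARP output from the firewall's external interface and reports, per static NAT address, whether the "who-has" requests described above were answered and by which MAC. The function name `audit_proxy_arp`, the sample capture, the addresses (documentation ranges) and the MAC values are all constructed for illustration.

```python
import re

# Handles the older tcpdump text format quoted in the post
# ("arp who-has A tell B") and the newer one ("ARP, Request who-has A tell B").
REQ = re.compile(
    r"who-has (\d+\.\d+\.\d+\.\d+)(?: \([^)]*\))? tell (\d+\.\d+\.\d+\.\d+)", re.I)
REP = re.compile(
    r"(?:arp reply|ARP, Reply) (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

def audit_proxy_arp(lines, nat_ips, firewall_mac):
    """Return {nat_ip: status}: 'answered', 'wrong-mac', 'unanswered'
    or 'not-requested' (hypothetical helper, statuses are this example's own)."""
    requested = {ip: 0 for ip in nat_ips}
    replies = {ip: set() for ip in nat_ips}
    for line in lines:
        m = REP.search(line)
        if m:
            if m.group(1) in replies:
                replies[m.group(1)].add(m.group(2).lower())
            continue
        m = REQ.search(line)
        if m and m.group(1) in requested:
            requested[m.group(1)] += 1
    status = {}
    for ip in nat_ips:
        if replies[ip]:
            # A reply from any MAC other than the firewall's external
            # interface means something else owns the address.
            ok = replies[ip] == {firewall_mac.lower()}
            status[ip] = "answered" if ok else "wrong-mac"
        elif requested[ip]:
            status[ip] = "unanswered"   # the symptom described in the post
        else:
            status[ip] = "not-requested"
    return status

# Constructed capture lines, as saved from "tcpdump -n -i eth0 arp".
SAMPLE = """\
10:00:01.000001 arp who-has 192.0.2.10 tell 192.0.2.1
10:00:02.000001 arp who-has 192.0.2.10 tell 192.0.2.1
10:00:03.000001 arp who-has 192.0.2.11 tell 192.0.2.1
10:00:03.000200 arp reply 192.0.2.11 is-at 00:0c:29:aa:bb:cc
10:00:04.000001 ARP, Request who-has 192.0.2.12 tell 192.0.2.1, length 46
10:00:04.000150 ARP, Reply 192.0.2.12 is-at 00:0c:29:dd:ee:ff, length 28
""".splitlines()

if __name__ == "__main__":
    nat = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for ip, st in audit_proxy_arp(SAMPLE, nat, "00:0C:29:AA:BB:CC").items():
        print(ip, st)
```

An "unanswered" result with the entry present in the proxy ARP table matches the behaviour reported in the post; "wrong-mac" points at a stale or mistyped MAC, which matters after a hardware swap.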