2006-08-10
rafamiga
One server, two addresses

I have a DMZ server available to the world with the help of a static NAT entry in the server's node properties. It works great.

One of the enforcement modules' interfaces is attached to a private, "foreign" network not covered by CheckPoint. Say it's 172.16.2.0/24 network. .1 is the network's gateway, .2 is the enforcement module interface. Routing is set up correctly.

I need the DMZ server to present a static IP address to this network, say 172.16.2.33. So I create the manual NAT rule:

net-172-16 server-2-33 any / original server-DMZ any.

I install the policy and no cigar -- I can't even ping (ICMP is on).

Now, the enforcement module does not provide any ARP to support this NAT rule. Why? How should I create a manual, PERSISTENT (proxy) ARP entry on SecurePlatform R55?

In a nutshell: can a host have more than one static NAT entry that does not need any ARP manipulation?

fw ver: Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA_17, Hotfix 670 - Build 005