CPUG: The Check Point User Group
Forum: Check Point Firewall-1/VPN-1 Platforms > Check Point SecurePlatform (SPLAT)

Thread: Convert Nokia proxy ARPs to SPLAT?

#1  RayPesek (Senior Member, Northern Ohio), 2007-05-22

I'm replacing an old Nokia box with a new SPLAT NGX R61 box. I've got everything figured out except how to replace the proxy ARP entries on the Nokia. This company uses a lot of manual NAT rules.

I did find some articles about editing sysctl.conf and adding manual routes into rc.local, but it cannot be this primitive, can it?

Or is it as simple as just binding secondary IP addresses to the external interface?

Any hints will be greatly appreciated.

Thanks,

Ray

#2  chillyjim (Senior Member, Upstate NY), 2007-05-23

I came across this

To enable proxy ARP on SecurePlatform, perform the following:

1. Edit /etc/sysctl.conf with a text editor (such as vi).

2. Add the following:
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.default.proxy_arp = 1

3. Save change and exit.

4. Reboot the Security Gateway.

#3  RayPesek (Senior Member, Northern Ohio), 2007-05-23

Thanks, Jim. This is what I found: http://postnuke.systura.com/modules....article&sid=37
which shows you need to add the routes in rc.local as well.

So this really is the only way to do it when you're using manual NAT rules on SPLAT?

If so, I'm stunned, especially since it's not even mentioned in the SPLAT User Guide.

Take care,

Ray

#4  dsb.nepo (Senior Member, Europe, Germany), 2007-05-27

There is also another way to configure proxy ARP on SPLAT that works great with NGX R60-R65 (confirmed).

With this method you have to add a route manually too.
Quote:
    1. Edit /etc/sysctl.conf with a text editor (such as vi).

    2. Add the following:
    net.ipv4.conf.all.proxy_arp = 1
    net.ipv4.conf.default.proxy_arp = 1
Since R60 I use the following for manual ARP (no additional routing is needed).
Quote:
    create a file called local.arp in the firewall's configuration directory ($FWDIR/conf).
    Each entry in this file is a triplet, containing the:
    • host address to be published
    • MAC address that needs to be associated with the IP address
    • unique IP of the interface that responds to the ARP request.
The exact places in the documents (R65) where this method is described:

CheckPoint_R65_Firewall_SmartDefense_AdminGuide.pdf, page 154:
Quote:
    Note - If using Manual NAT, automatic arp does not work for the NATed addresses.
    On Linux and SecurePlatform use local.arp. On IPSO set up Proxy ARP.
CheckPoint_R65_ClusterXL_AdminGuide.pdf, page 188:
Quote:
    Manual Proxy ARP
    When using static NAT, the cluster can be configured to automatically recognize the
    hosts hidden behind it, and issue ARP replies with the cluster MAC address, on
    their behalf. This process is known as Automatic Proxy ARP.
    However, if you use different subnets for the cluster IP addresses, this mechanism
    will not work, and you must configure the proxy ARP manually. To do so, in
    SmartDashboard, select Policy menu > Global Properties > NAT Network Address
    Translation, and disable Automatic ARP Configuration. Then create a file called
    local.arp in the firewall's configuration directory ($FWDIR/conf).
    Each entry in this file is a triplet, containing the:
    • host address to be published
    • MAC address that needs to be associated with the IP address
    • unique IP of the interface that responds to the ARP request.
@chillyjim
maybe you can make a sticky note about this method with some examples.

cheers
dsb.nepo
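The two configurations described in post #2 (kernel proxy ARP via sysctl plus a host route per address) and post #4 (local.arp triplets) generated from one plain list of the NATed public addresses, as an added example that is not part of the thread and not Check Point's own code. The interface names eth0 (external) and eth1 (internal), the addresses and the MAC are constructed samples; pointing the host routes at the internal interface, and the ifconfig/ip output formats used by the live check, are assumptions the thread does not specify.

```sh
#!/bin/sh
# Added example for this thread; not code from the posters or from Check Point.
# Turns a plain list of static-NAT public addresses (one per line, '#' comments
# allowed) into the two SecurePlatform proxy-ARP configurations discussed in
# posts #2 and #4. Interface names, addresses and MACs are constructed samples.

# Accept only a well-formed dotted-quad IPv4 address; a typo here would
# silently leave one NATed host unreachable, so the generators refuse it.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    _rest=$1
    for _n in 1 2 3 4; do
        _o=${_rest%%.*}
        _rest=${_rest#*.}
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Read addresses from stdin, drop blanks and comments, report bad entries on
# stderr, and emit each valid address once.
read_nat_ips() {
    while read -r _ip _rest; do
        case "$_ip" in ''|\#*) continue ;; esac
        if ! is_ipv4 "$_ip"; then
            echo "skipping invalid address: $_ip" >&2
            continue
        fi
        echo "$_ip"
    done | sort -u
}

# Method 1 (post #2): kernel proxy ARP. Linux answers ARP on EXT_IF for an
# address only when it holds a unicast route to it through some other
# interface, which is why the host routes are needed at all; routing them via
# the internal interface is an assumed choice. proxy_arp is enabled on the
# external interface only rather than on 'all', so the gateway does not also
# start answering ARP on the internal segments for every address it can route.
gen_kernel_proxy_arp() {
    _ext_if=$1; _int_if=$2
    echo "# /etc/sysctl.conf"
    echo "net.ipv4.conf.${_ext_if}.proxy_arp = 1"
    echo "# /etc/rc.local"
    read_nat_ips | while read -r _ip; do
        echo "route add -host ${_ip} dev ${_int_if}"
    done
}

# Method 2 (post #4): $FWDIR/conf/local.arp triplets
# "<published IP> <MAC to answer with> <IP of the interface that answers>".
gen_local_arp() {
    _mac=$1; _resp_ip=$2
    read_nat_ips | while read -r _ip; do
        echo "${_ip} ${_mac} ${_resp_ip}"
    done
}

# MAC of an interface from net-tools ifconfig output (assumed format:
# "Link encap:Ethernet  HWaddr 00:0c:29:ab:cd:ef"); only useful on the gateway.
if_mac() {
    ifconfig "$1" 2>/dev/null | sed -n 's/.*HWaddr \([0-9A-Fa-f:]*\).*/\1/p'
}

# Live check for method 1, run on the gateway: proxy_arp must be on for EXT_IF
# and the kernel must not route NAT_IP back out of EXT_IF, or it stays silent.
check_kernel_proxy_arp() {
    _ext_if=$1; _nat_ip=$2
    [ "$(cat "/proc/sys/net/ipv4/conf/${_ext_if}/proxy_arp" 2>/dev/null)" = 1 ] \
        || { echo "proxy_arp is off on ${_ext_if}"; return 1; }
    case "$(ip route get "${_nat_ip}" 2>/dev/null)" in
        *" dev ${_ext_if} "*)
            echo "${_nat_ip} routes out ${_ext_if}; the kernel will not proxy it"; return 1 ;;
    esac
    echo "${_ext_if} can proxy-ARP for ${_nat_ip}"
}

# Constructed sample list: two valid NAT addresses, a comment, one typo.
NAT_LIST='203.0.113.10
203.0.113.11   # mail relay
# 203.0.113.12 decommissioned
203.0.113.300'

printf '%s\n' "$NAT_LIST" | gen_kernel_proxy_arp eth0 eth1
printf '%s\n' "$NAT_LIST" | gen_local_arp 00:0c:29:ab:cd:ef 203.0.113.1
```

The per-interface key net.ipv4.conf.eth0.proxy_arp is used instead of the all/default keys from post #2 because the kernel ORs 'all' with the per-interface setting, and with 'all' on the gateway would answer ARP on every interface for any address it can route elsewhere. For method 2, the R65 text quoted in post #4 says to disable Automatic ARP Configuration in Global Properties; the gateway reads local.arp at policy installation, so reinstall the policy after editing it.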