Static Nat Manual

wiz4rd · #1 (**permalink**) 2006-07-03

Hello Guys,

I'm in trouble with static nat manual on Checkpoint NGX R60.

I should nat a client (10.x.x.x) with public address (212.x.x.x)

I have created two rules of manual nat 10.x.x.x (source) destination 213.x.x.x | 212.x.x.x (source nat) 213.x.x.x (original ip)

and just below i have added 213.x.x.x (source) 212.x.x.x (destination ) | 213.x.x.x (original) 10.x.x.x (nat destination)

When i see log tracker i can see that nat works, but seem that return of packets has problems.

Under global proprieties i have checked "merge manual nat" but i have the same problem. Maybe that depends from local.arp ? Is it still necessary from Checkpoint 4.1 ? If yes how can do to configure local.arp ?

Thank you in advanced

gfont96 · #2 (**permalink**) 2006-07-03

Hello,

I have same issue in win2k. On splat I think you need to add manual arp entry on module.

I think it goes something like

'arp -s <NAT PUBLIC IP> <MAC Address of external interface>.'

Good luck

George

wiz4rd · #3 (**permalink**) 2006-07-03

Thanks,

I have already done but doesn't works.

I have even enable to 1 the /proc/sys/net/ipv4/conf/proxy_arp but the problem is the same..

Thank you

GL

wiz4rd · #4 (**permalink**) 2006-07-04

Resolved :D!,

You must enable the multicast mac-address (the same of clusterxl) for the ip address natted on router .
after that arp -s <ip natted><multicast-ip-of-clusterxl> on checkpoint ngx

All works now fiuu :P

Thank you

vijayant · #5 (**permalink**) 2006-07-08

Hi WIZ

I have used the NATed public address as the secondary IP on the external interface, it works. In my case the nated public IP and the external interface IP both belong to the same subnet.

Can you please explain more abt what u did.. How to know the multicast mac address of an interface ? I am using normal workstation with windows 2000 server for Firewall as well as Smartcenter server.

vijayant

wiz4rd · #6 (**permalink**) 2006-07-08

Quote:

Originally Posted by vijayant

I have used the NATed public address as the secondary IP on the external interface, it works. In my case the nated public IP and the external interface IP both belong to the same subnet.

vijayant

I have used multicast address beacuse I had a cluster of checkpoint (01-00-5e..multicast address).
I think that you have added an alias on your interface for the nat but it isn't the right way for the nat.
You should explain better your situation..cluster,version of checkpoint etc etc..

hahasasa · #7 (**permalink**) 2006-07-12

command: arp -s [IP] [MAC] pub

should work

In Nokia,it works well.

But this command never works in SecuPlatform(R55)&my linux(AS4.2)

I tried to dump the arp req&reply,and found it never answer...

Puzzling........

So, i have to use a secoundary ip for arp pub

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode