CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have a DMZ server available to the world with the help of a static NAT entry in the server's node properties. It works great.

One of the enforcement module's interfaces is attached to a private, "foreign" network not covered by Check Point. Say it's the 172.16.2.0/24 network: .1 is the network's gateway, .2 is the enforcement module interface. Routing is set up correctly. I need the DMZ server to present a static IP address to this network, say 172.16.2.33. So I create the manual NAT rule: net-172-16 server-2-33 any / original server-DMZ any. I install the policy and no cigar -- I can't even ping (ICMP is on).

Now, the enforcement module does not provide any ARP to support this NAT rule. Why? How should I create a manual, PERSISTENT (proxy) ARP entry on SecurePlatform R55? In a nutshell: can a host have more than one static NAT entry that does not need any ARP manipulation?

fw ver: Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA_17, Hotfix 670 - Build 005
Proxy ARP is not supported in Linux kernel 2.X. You have to add it manually: proxy ARP on the interface, and add a host route for the static NAT IP address using the internal IP address of the host (or next hop) as the gateway. Don't forget to add this to your startup script (rc.local), as it will not survive a reboot.
Proxy ARP is a PITA. Avoid it if you can with better network design. However, assuming you are using NAT on the client side, which is the default these days, although you will need the ARP, you won't need a /32 route like you used to have to. And I think auto proxy ARP only works for automatic NAT rules.
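The two replies above describe one procedure: publish the NAT address with the firewall interface's MAC, add the /32 host route only if destination NAT is not done on the client side, and put both in a startup script so they survive a reboot. The script below is an added example from the editor, not code posted by anyone in the thread and not a Check Point tool. It uses the standard net-tools `arp -Ds ... pub` and `route add -host` commands found on Linux gateways of that era; the interface name `eth2`, the real DMZ address `10.1.1.33` and the startup file path `/etc/rc.d/rc.local` are constructed placeholders (172.16.2.33 is the address from the question). It validates the addresses, prints the exact commands, and appends them to the startup file only if they are not already there, so re-running it is safe.

```shell
#!/bin/sh
# Added example (not from the thread): make a Linux/SecurePlatform-style
# gateway answer ARP for a manually NATed address and keep that across reboots.
# Interface names, addresses and the rc.local path used here are placeholders.

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# proxy_arp_cmds IFACE NAT_IP [REAL_IP]
# Print the commands needed. "arp -i IFACE -Ds NAT_IP IFACE pub" publishes
# NAT_IP with IFACE's own MAC, so no MAC address has to be looked up by hand.
# The /32 host route (NAT_IP -> REAL_IP, the host's internal address or next
# hop) is only needed when destination NAT is NOT done on the client side;
# with client-side NAT, the default, just omit REAL_IP.
proxy_arp_cmds() {
    iface=$1 nat_ip=$2 real_ip=${3:-}
    [ -n "$iface" ] || { echo "interface name required" >&2; return 1; }
    valid_ipv4 "$nat_ip" || { echo "invalid NAT IP: $nat_ip" >&2; return 1; }
    if [ -n "$real_ip" ]; then
        valid_ipv4 "$real_ip" || { echo "invalid real IP: $real_ip" >&2; return 1; }
    fi
    echo "arp -i $iface -Ds $nat_ip $iface pub"
    [ -n "$real_ip" ] && echo "route add -host $nat_ip gw $real_ip"
    return 0
}

# persist_cmds FILE IFACE NAT_IP [REAL_IP]
# Append each command to the startup file unless an identical line is already
# present (idempotent), and print how many lines were added.
persist_cmds() {
    file=$1; shift
    cmds=$(proxy_arp_cmds "$@") || return 1
    added=0
    oldifs=$IFS; IFS='
'; set -f                      # split on newlines only, no globbing
    for cmd in $cmds; do
        if ! grep -qxF -- "$cmd" "$file" 2>/dev/null; then
            echo "$cmd" >> "$file"
            added=$((added + 1))
        fi
    done
    set +f; IFS=$oldifs
    echo "$added"
}

# Usage as root on the gateway (paths/addresses are placeholders):
#   sh proxy_arp_nat.sh apply   eth2 172.16.2.33              # apply now
#   sh proxy_arp_nat.sh install /etc/rc.d/rc.local eth2 172.16.2.33   # persist
# Add a 4th/5th argument (the real host IP) only if you also need the /32 route.
case "${1:-}" in
    apply)   shift; proxy_arp_cmds "$@" | sh -e ;;
    install) shift; persist_cmds "$@" ;;
esac
```

After applying, `arp -n` on the gateway should list the NAT address with the `MP` flags (permanent, published); if the entry is missing after a reboot, the startup file was not executed, which is exactly the failure the second reply warns about. The `route add -host` line is deliberately optional: with client-side destination NAT (the default the third reply mentions) the firewall translates before routing, and the extra /32 is unnecessary.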