CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2006-08-20
karimi (Member)
arp still needed for Static NAT ?

hello

i am new to this.. so bear with me. I have Check Point NGX and the following diagram:

Internet/<public ISP> =====> <my fw> ====> <int 10.x.x.x/8>

I want to deliver mail (port 25/smtp) to an internal exchange server (say 10.5.5.50).

My ISP gave me 5 public IPs, like 64.10.10.1-5. So I can put 2 static NAT rules:

#1: src=Any dst=64.10.10.1 svc=smtp / src=original dst=10.5.5.50 svc=smtp
#2: src=10.5.5.50 dst=Any svc=smtp / src=S(64.10.10.1) dst=original svc=smtp

Will that work, or do I have to use Proxy-ARP ? If I make a DMZ, do I have to give the DMZ mail server a public IP or a private IP ?

Thanks

~mark
#2
2006-08-21
abusharif (Senior Member)
Re: arp still needed for Static NAT ?

Since you seem to do manual NAT, then yes, you define proxy ARP manually. If you use automatic NAT, meaning clicking NAT on the object itself, it's handled automatically.
#3
2006-08-21
northlandboy (Senior Member)
Re: arp still needed for Static NAT ?

The short answer is it depends on your network setup.

You need to understand ARP, how it works, and when/why you would need proxy ARP.

You haven't mentioned what network exists between your firewall and the ISP - let's assume that it is 64.10.10.0/27 - i.e. the SAME network as the one your publicly assigned addresses sit in. Now think about a packet routed from somewhere on the Internet to one of your public IPs - say 64.10.10.1. It will be routed across the Internet, using BGP, to the router connected upstream of your firewall. The router will then notice that 64.10.10.1 is on a locally connected network, and send out an ARP request. If you've configured the firewall to proxy-ARP for that address, then the router will learn that, and forward the frames to the firewall. The firewall will receive the frame, process it, and realise it needs to NAT the address to 10.5.5.50. All good. If you didn't have any proxy ARP configured, then the router wouldn't be able to get a reply to its ARP request for 64.10.10.1, and would end up dropping the frame.

But what if the network between your ISP's router and your firewall is not 64.10.10.0/27? In that case, presumably (hopefully) the ISP will set up a static route on their router for those addresses, going via the external address of your firewall. Now when the router receives a packet for 64.10.10.1, it knows it is not local, and it has a static route for that network, so it will ARP for the external address of the firewall, and send the frames through with that destination MAC. The firewall will receive the frames, realise it needs to NAT the address, and will do so.

Does that make sense?

Related to your question about a DMZ, I would say that having (e.g.) your public mail server sitting on the same LAN as your internal network is a Very Bad Idea. Consider what happens if it gets compromised - the intruder then has complete access to your internal network.

A better option is to have a DMZ leg on the firewall, privately addressed - say 172.16.1.0/24, and then NAT rules in place. Firewall rules will allow anyone on the Internet to send mail to the mail server's public IP, and then the mail server's private IP will be allowed to send mail on to your internal network.

Let me know if that's not clear.
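The two cases northlandboy walks through (same-subnet link that needs proxy ARP, versus a routed link where the ISP's static route points at the firewall's external address) can be checked with a small model. This is an added example, not code from the thread or from Check Point: it uses the thread's sample values (the 64.10.10.1-5 public pool, the 10.5.5.50 mail server, the 64.10.10.0/27 link) and assumes the firewall's external address (64.10.10.6 in the first case, 198.51.100.2 on an assumed 198.51.100.0/30 link in the second) and a 64.10.10.0/29 static route, all of which are constructed. It also applies the two static NAT rules from the question in both directions.

```python
"""Model of the inbound ARP / proxy-ARP decision and the static NAT from the thread.

Constructed example, not Check Point code. Link addresses and the ISP static
route are assumptions; the public pool and mail server come from the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Firewall:
    ext_ip: str                                       # external interface address
    proxy_arp: Set[str] = field(default_factory=set)  # public IPs the firewall answers ARP for
    static_nat: Dict[str, str] = field(default_factory=dict)  # public -> private, 1:1

    def answers_arp_for(self, ip: str) -> bool:
        # Without a proxy-ARP entry the firewall only replies for its own address.
        return ip == self.ext_ip or ip in self.proxy_arp

    def inbound_nat(self, public_dst: str) -> str:
        # Rule #1 from the question: dst 64.10.10.1 -> 10.5.5.50
        return self.static_nat.get(public_dst, public_dst)

    def outbound_nat(self, private_src: str) -> str:
        # Rule #2 from the question: src 10.5.5.50 -> 64.10.10.1
        reverse = {priv: pub for pub, priv in self.static_nat.items()}
        return reverse.get(private_src, private_src)


@dataclass
class IspRouter:
    link_net: str                                             # router-to-firewall link network
    static_routes: Dict[str, str] = field(default_factory=dict)  # prefix -> next-hop IP

    def next_hop(self, dst: str) -> Optional[str]:
        """Address the router must ARP for to reach dst.

        A directly connected destination is ARPed for itself; otherwise the
        longest matching static route supplies the next hop; otherwise no route.
        """
        addr = ipaddress.ip_address(dst)
        if addr in ipaddress.ip_network(self.link_net):
            return dst
        matches = [(ipaddress.ip_network(p), nh) for p, nh in self.static_routes.items()
                   if addr in ipaddress.ip_network(p)]
        if not matches:
            return None
        matches.sort(key=lambda m: m[0].prefixlen, reverse=True)
        return matches[0][1]


def deliver(router: IspRouter, fw: Firewall, public_dst: str) -> Tuple[str, Optional[str]]:
    """Walk one inbound packet from the ISP router to the NATed internal host."""
    nh = router.next_hop(public_dst)
    if nh is None:
        return ("dropped: no route", None)
    if not fw.answers_arp_for(nh):
        # Nobody on the link claims the MAC for nh, so the router's ARP times out.
        return (f"dropped: no ARP reply for {nh}", None)
    return ("delivered", fw.inbound_nat(public_dst))


NAT_TABLE = {"64.10.10.1": "10.5.5.50"}   # the question's static NAT pair


def same_subnet_case(proxy_arp: bool) -> Tuple[str, Optional[str]]:
    """Case 1: the link is 64.10.10.0/27, the same net the public pool lives in."""
    fw = Firewall(ext_ip="64.10.10.6",                      # assumed external address
                  proxy_arp={"64.10.10.1"} if proxy_arp else set(),
                  static_nat=NAT_TABLE)
    router = IspRouter(link_net="64.10.10.0/27")
    return deliver(router, fw, "64.10.10.1")


def routed_case() -> Tuple[str, Optional[str]]:
    """Case 2: assumed 198.51.100.0/30 link; ISP routes 64.10.10.0/29 via the firewall."""
    fw = Firewall(ext_ip="198.51.100.2", static_nat=NAT_TABLE)   # no proxy-ARP entries at all
    router = IspRouter(link_net="198.51.100.0/30",
                       static_routes={"64.10.10.0/29": "198.51.100.2"})
    return deliver(router, fw, "64.10.10.1")


def mail_server_outbound_src() -> str:
    """Outbound SMTP from the mail server leaves with the public address (rule #2)."""
    return Firewall(ext_ip="64.10.10.6", static_nat=NAT_TABLE).outbound_nat("10.5.5.50")


if __name__ == "__main__":
    print("same subnet, no proxy ARP :", same_subnet_case(False))
    print("same subnet, proxy ARP    :", same_subnet_case(True))
    print("routed link, no proxy ARP :", routed_case())
    print("outbound source after NAT :", mail_server_outbound_src())
```

The model makes the answer's dependency explicit: a proxy-ARP entry only matters when the router will ARP for the public address itself, which happens exactly when that address falls inside the link network. With a routed link the router ARPs for the firewall's own external address, so the static NAT rules work without any proxy-ARP configuration.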