CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have a router terminating a frame relay connection to the Internet sitting in front of a NGX R60 gateway. This router has some broad ACLs on it, including dropping IPSec traffic. I need to allow a particular set of users access to VPN out of the network. I have put these users into an object group and created the appropriate security rules. I have then configured a hide NAT rule on the gateway for the VPN User group. This translates the source to a new Internet routable IP address. I will then permit IPSec on the router ACLs for this new NAT'd IP only.

If I remove the router's ACLs and NAT on my generic hide NAT rule for other Internet traffic I can go through the stages of IKE, but not on this new IP address. I appear to have an ARP problem on this new IP. On the connected router:

Internet 203.x.x.x 0 Incomplete ARPA

What do I need to do to get the Check Point to respond to ARP requests for this IP?
Hi Ray, thanks for your reply. I've made a static entry using 'arp -s' but the problem is still occurring. What have I done wrong?

edit: In answer to your question, I am running SPLAT.

Last edited by fizzkakz; 2007-12-12 at 21:41.
One of the problems with ARP on Linux is that the ARP entry is only published if there is a route to this ARP entry. I had several issues with normal ARP entries (added with add_arp), so I prefer the method with the local.arp file (no issues since NGX).

For example, say your ext. network is 192.168.2.1/29, Firewall IP: .2, MAC address 01:02:03:04:05:06 (unix/splat), IP for NAT: .3.

Open a console at the firewall module and become expert. Now type the following at the console:

vi $FWDIR/conf/local.arp

Code:
```
192.168.2.3 01:02:03:04:05:06 # arp entry for host foobar
```

At the SmartDashboard create an object with the IP 192.168.2.3. Check this setting (menu):
[Policy] [Global Properties] [NAT - Network ...] [X] Merge manual proxy ARP

Create a NAT rule with the object. Push the policy. Now go back to the firewall module and type the following command:

Code:
```
fw ctl arp
```
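
A small lint for a local.arp file, added here as an example (not from the post or from Check Point), that catches the mistakes behind most "Incomplete" ARP entries on the upstream router before the policy is pushed: a NAT IP outside the external subnet, a NAT IP that collides with the gateway's own address, a MAC that is not the gateway's external interface MAC (proxy ARP must answer with the firewall's own MAC; on a cluster use each member's own MAC), duplicates and malformed lines. It assumes only the line format the post shows (`<ip> <mac>`, `#` starts a comment); the sample file and the subnet/MAC values are constructed from the post's example.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample in the layout the post shows: ext net 192.168.2.0/29,
# gateway .2 with MAC 01:02:03:04:05:06, one proxy-ARP line per NAT IP.
SAMPLE_LOCAL_ARP = """\
192.168.2.3 01:02:03:04:05:06 # arp entry for host foobar
192.168.2.4 01:02:03:04:05:06
192.168.2.2 01:02:03:04:05:06 # collides with the gateway itself
192.168.9.9 01:02:03:04:05:06 # router will never ARP for this one
192.168.2.5 aa:bb:cc:dd:ee:ff # not the firewall's NIC: replies go nowhere
192.168.2.4 01:02:03:04:05:06 # duplicate
10.0.0.x 01:02:03:04:05:06    # malformed
"""

def lint_local_arp(text, ext_net, fw_ip, fw_mac):
    """Return [(lineno, problem)] for entries that will not work as proxy ARP."""
    net = ipaddress.ip_network(ext_net, strict=False)
    fw, fw_mac = ipaddress.ip_address(fw_ip), fw_mac.lower()
    seen, problems = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if not fields:
            continue
        if len(fields) != 2:
            problems.append((n, "expected '<ip> <mac>'"))
            continue
        ip_s, mac = fields[0], fields[1].lower()
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            problems.append((n, f"bad IP {ip_s!r}"))
            continue
        if not MAC_RE.match(mac):
            problems.append((n, f"bad MAC {mac!r}"))
        elif mac != fw_mac:   # proxy ARP must answer with the gateway's own MAC
            problems.append((n, "MAC is not the gateway's external interface"))
        if ip == fw:
            problems.append((n, "IP is the gateway's own address"))
        elif ip not in net:   # the upstream router only ARPs on its own subnet
            problems.append((n, f"IP outside external subnet {net}"))
        if ip in seen:
            problems.append((n, "duplicate IP"))
        seen.add(ip)
    return problems
```

Run it against `$FWDIR/conf/local.arp` with the external network, the gateway's external IP and that interface's MAC, then confirm with `fw ctl arp` after the push that every remaining entry is listed.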
Hi all, how was your NAT doing? I have the same problem, the only difference is that I have a clustered gateway. Which MAC address should I input in my local.arp?

InternalServer =A= ClusteredGateway =B= ExternalServer

I need to manually NAT the Internal Server into the External Server's network. My problem should be solved if I had control over the External Server by adding a static route at the External Server going to the ClusteredGateway VirtualIP, but unfortunately I have no access. Any suggestions please?

BTW I am using SPLAT R62, ClusterXL LoadSharing-Unicast. Thanks in advance.
When on an active/passive cluster, you use the local MAC for each gateway. That way, each gateway, when active, will ARP its own MAC to the IP. If this is Active/Active, I have no idea.

__________________
There's no place like 127.0.0.1
Thanks manrag, I tried adding using addarp <IP> <MAC> but it doesn't work, SPLAT won't propagate it. I also tried using the local.arp file + [x] Merge manual and proxy ARP through Global Properties but it doesn't work (fw ctl arp to verify ARP). Any more ideas...?
Hi eduardw, I cannot use automatic NAT with this server since it is already NATted to a public IP and the external server would only accept connections from a specified IP within its subnet. :-)