CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi there,

If someone could explain this for me I'd be much obliged. The setup is two Nokia platforms running NG R55 (IPSO 3.8) in failover mode (VRRP). If setting up an external NAT address on the outside interface, am I correct in saying that all I need to do is add a proxy-ARP entry for the new IP address on each Nokia platform, then add the relevant static translation and security policy rule in Check Point? The outside interface already has a VRRP address, as does the inside.

The part I cannot get my head around is this. When the connection is incoming (from the internet) it will hit the router outside the firewall (L3 switch). The router will then (if my understanding is correct) send an ARP request for the NAT IP address. Now, if both Nokia gateways have a proxy-ARP entry, both of them will reply (yes?) and the router will take the first (yes?). So the traffic could go through the secondary firewall, and then on return it will come back through the primary, as the VRRP inside address will be the next hop for the router further down. Hopefully I'm explaining this okay!

Does this cause issues, or does the firewall sync connection sort this?

Many thanks to anyone who can help.

WP
Quote: "When the connection is incoming (from the internet) it will hit the router outside the firewall (L3 switch). The router will then (if my understanding is correct) send an ARP request for the NAT IP address. Now, if both Nokia gateways have a proxy-ARP entry, both of them will reply (yes?) and the router will take the first (yes?). So the traffic could go through the secondary firewall, and then on return it will come back through the primary, as the VRRP inside address will be the next hop for the router further down. Hopefully I'm explaining this okay!"

Only the Nokia that is acting as the "master" will reply to that ARP. The secondary will do NOTHING. That's the nature of VRRP. That's why, when you use proxy-ARP, you use the VRRP MAC address, NOT the physical IP address of the firewall.

In theory, you could have traffic routed directly to the secondary firewall and then go back out on the primary firewall, and it can work too. It works because of the synchronization between the two firewalls. That being said, it does NOT work well if the firewall is under heavy load.
Hello cciesec2006,

Quote:

Regards,
Testing-123
This is the first time I've set up a NAT on a Nokia appliance, so do I have to create two physical addresses on the Nokia and then also a VRRP address, use that as the destination (NAT) IP address, and then create proxy-ARP entries on the Nokia for the VRRP address, associating it with the VMAC? Does that mean that for every NAT address on my outside interface I need three usable addresses?

Apologies for my lack of knowledge; I've been dropped with a few Nokia/Check Point firewalls and I don't have much experience on them, but I'm reading up on them now. If anyone has any decent IPSO guides, could you PM me?

W_P
No. When configuring VRRP on a Nokia you need:

1 physical IP address per node, a total of 2, 1 for each box. This is configured on the box itself and is used to manage the individual boxes.

1 virtual VRRP address that is shared and is used for routing etc.

This uses a total of 3 addresses per interface.

For your proxy-ARPs, i.e. for an SMTP mail server NAT, you just define a single IP address and configure it so that the Nokia will proxy-ARP with the VRRP MAC address. This should not be your VRRP address but a unique IP address in your public IP range. By using the VRRP MAC, only the master unit will respond to traffic to that MAC address. Also, if you have a failover, the same MAC address is used when the secondary box becomes active.
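The point the last two replies make (only the VRRP master answers ARP for the proxy-ARPed NAT address, and it answers from the virtual MAC, which is 00:00:5E:00:01:VRID per RFC 3768) is something you can verify from the outside segment rather than take on trust: run `tcpdump -n -e arp` on a host or span port next to the router and look at who answers for the NAT address. The script below is an added example written for this thread, not code from the posters or from IPSO. It takes tcpdump-style ARP reply lines, filters them to the NAT address, and reports whether every reply came from the VRRP virtual MAC or whether two different MACs answered, which is the "both boxes reply" situation the original post was worried about and is what you get if proxy-ARP is bound to each node's physical MAC instead of the VMAC. The VRID (5), the 203.0.113.0/24 addresses and all MACs are constructed assumptions for the example.

```python
"""Audit proxy-ARP replies for a NATed address behind a VRRP pair.

Added example for the CPUG thread above, not code from the thread or from IPSO.
All capture lines, addresses and MACs below are constructed sample data.
"""
import re
from collections import Counter


def vrrp_vmac(vrid: int) -> str:
    """Virtual MAC a VRRP master answers from (RFC 3768: 00-00-5E-00-01-{VRID}).

    The same MAC is used by whichever node is master, so after a failover
    the router's ARP cache for the NAT address stays valid.
    """
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


# Matches the "Reply <ip> is-at <mac>" fragment of a tcpdump ARP line.
_ARP_REPLY = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
)


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply in tcpdump-style text; MACs lower-cased."""
    for line in lines:
        m = _ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def audit_proxy_arp(lines, nat_ip: str, vrid: int) -> dict:
    """Summarise which MACs answered ARP for nat_ip.

    ok                  -> at least one reply, and every reply came from the VRRP VMAC
    multiple_responders -> more than one distinct MAC answered, i.e. both nodes are
                           proxy-ARPing with their own MAC and the router will pick
                           whichever reply lands first
    """
    vmac = vrrp_vmac(vrid)
    responders = Counter(mac for ip, mac in parse_arp_replies(lines) if ip == nat_ip)
    return {
        "vmac": vmac,
        "responders": dict(responders),
        "ok": set(responders) == {vmac},
        "multiple_responders": len(responders) > 1,
    }


# Constructed "tcpdump -n -e arp" style lines (assumed VRID 5, documentation
# addresses); not captured from any real network.
GOOD_CAPTURE = [
    "10:00:01.000 00:00:5e:00:01:05 > 00:1b:21:aa:bb:cc, ethertype ARP (0x0806), "
    "length 42: Reply 203.0.113.50 is-at 00:00:5e:00:01:05, length 28",
    "10:00:02.000 00:1b:21:aa:bb:cc > 00:00:5e:00:01:05, ethertype ARP (0x0806), "
    "length 42: Reply 203.0.113.1 is-at 00:1b:21:aa:bb:cc, length 28",
    "10:00:31.000 00:00:5e:00:01:05 > 00:1b:21:aa:bb:cc, ethertype ARP (0x0806), "
    "length 42: Reply 203.0.113.50 is-at 00:00:5e:00:01:05, length 28",
]
# Both nodes answer from their physical NICs: the misconfiguration to look for.
BAD_CAPTURE = [
    "10:05:01.000 00:11:22:33:44:01 > 00:1b:21:aa:bb:cc, ethertype ARP (0x0806), "
    "length 42: Reply 203.0.113.50 is-at 00:11:22:33:44:01, length 28",
    "10:05:01.001 00:11:22:33:44:02 > 00:1b:21:aa:bb:cc, ethertype ARP (0x0806), "
    "length 42: Reply 203.0.113.50 is-at 00:11:22:33:44:02, length 28",
]

if __name__ == "__main__":
    for name, capture in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(name, audit_proxy_arp(capture, "203.0.113.50", 5))
```

In practice, feed it a real capture with `tcpdump -n -e -l arp | python3 audit.py` style piping (reading `sys.stdin` instead of the constructed lists) and trigger replies by clearing the router's ARP entry for the NAT address or pinging it from the outside. A single responder that is not the VMAC, or two responders, both mean the proxy-ARP entry is not tied to the VRRP MAC as the replies above recommend.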