CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I am having NGX R65 and I have configured manual static NAT. I have a policy permitting telnet traffic from any to the static NAT address. In my global properties I have enabled "manual NAT rules translate destination on client side". My internal host is 10.1.1.254 and my static NAT address is 60.1.1.1. My external host is 1.1.1.2. The firewall internal interface is in the same subnet as the internal host, and the external host is in the same subnet as the external interface of the firewall. On the firewall I have a default route pointing to the external host. Here are my NAT rules:

Rule 1: in the original packet, source inside-host (10.1.1.254), destination any, service any; in the translated packet, source static-host (60.1.1.1), destination any, service any.

Rule 2: in the translated packet, destination statichost (60.1.1.1), source any, service any; in the original packet, destination insidehost (10.1.1.254), source any, service any.

I guess I am missing out on the proxy ARP entries in the firewall. Can someone please point me in the right direction for this, and also tell me how to add proxy ARP entries in the firewall? Waiting for some reply; I have been stuck with this for quite some time. I got the same thing achieved with auto-NAT but am not able to get it working with manual NAT.

Regards, sebastan
If it's a Nokia platform, you add them via Voyager, ARP menu. If it's SPLAT, you can add them via the regular Linux command `arp -s 1.1.1.1 xx:xx:xx:xx pub`, where xx:xx:xx:xx is the MAC address of your external interface and 1.1.1.1 is the public IP you want to use for NAT, or `arp -s 1.1.1.1 eth0 pub`, where eth0 is an example of the name of the external interface.

Last edited by abusharif; 2008-04-17 at 01:03.
Hi Abu, thanks a lot for your reply. You mean to say every time I have a manual static NAT I will have to add a manual ARP entry in the firewall? In my scenario, if you see, the static NAT address is not in the same subnet as the external interface of the firewall. So when the outside device does an AND operation for reaching 60.1.1.1, which is the static NAT of the internal host, the device knows that 60.1.1.1 is in a different network, so it will do an ARP for the external interface of the gateway itself, right? Because on the outside device I have a route for 60.1.1.1 pointing to the external interface of the firewall. So can you please tell me why we need the ARP entry on the firewall, because the packet will be sent to the firewall by the external device? Is it a requirement of the firewall, to accept a packet for a static NAT address, that it needs a manual ARP entry? But then I find it ridiculous, because if I have 100 manual static NAT entries I will have to add 100 manual ARP entries as well on the firewall. Because in Cisco ASA the firewall automatically accepts frames and does proxy-ARP for static NAT addresses. Waiting for your reply, mate. Thanks once again.

Regards, sebastan
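Added example for this thread, not code from any poster or from Check Point: a small POSIX shell helper that decides, for a manual static NAT address, whether the firewall's external interface has to answer ARP for it (only when the address lies inside that interface's subnet, so the upstream router ARPs for it directly rather than routing to the firewall as the thread's second post describes) and prints the net-tools command that publishes the entry. The interface name, its address and prefix length are assumed inputs; the firewall's external address 1.1.1.1 is a constructed value, since the thread only says it shares the external host's subnet.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from Check Point.
# Decides, per manual static NAT address, whether the firewall's external
# interface has to answer ARP for it, and prints the net-tools command that
# publishes the entry. Assumptions: SecurePlatform-style Linux with net-tools
# arp(8); interface name, address and prefix length come from the caller.

# ip2int DOTTED_QUAD -> unsigned 32-bit value (60.1.1.1 -> 1006698753)
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet NAT_IP IFACE_IP PREFIX -> status 0 when NAT_IP is inside IFACE_IP/PREFIX
in_subnet() {
    nat=$(ip2int "$1")
    ext=$(ip2int "$2")
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( nat & mask )) -eq $(( ext & mask )) ]
}

# proxy_arp_plan NAT_IP IFACE IFACE_IP PREFIX
# The upstream router only ARPs for the NAT address when it believes the
# address is directly connected, i.e. inside the external interface's subnet.
# Then the firewall must publish it; otherwise the upstream needs a route
# to IFACE_IP and no ARP entry on the firewall is involved.
proxy_arp_plan() {
    if in_subnet "$1" "$3" "$4"; then
        echo "arp -Ds $1 $2 pub"
    else
        echo "no proxy ARP entry for $1: upstream must route $1 via $3"
    fi
}

# Constructed sample using the thread's addresses: external interface eth0 is
# 1.1.1.1/24 and the static NAT address 60.1.1.1 lies outside that subnet.
proxy_arp_plan 60.1.1.1 eth0 1.1.1.1 24
# Same NAT address when the external interface is 60.1.1.254/24 instead.
proxy_arp_plan 60.1.1.1 eth0 60.1.1.254 24
```

The helper emits the `-D` form because net-tools arp(8) documents `arp -Ds <ip> <iface> pub` as the way to publish an entry using an interface name instead of a literal MAC address; entries added this way do not survive a reboot, so they still need to be made persistent on the box.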