CPUG - The Check Point User Group
I think this link could help you: Re: [FW-1] R: [FW-1] Routing.... SecurePlatform and NAT

In SecurePlatform, you need to do the following changes to your system.

First, you need to add the following entries to /etc/sysctl.conf:

    net.ipv4.conf.all.proxy_arp = 1
    net.ipv4.conf.default.proxy_arp = 1

Second, to /etc/rc.local, you need to add a routing entry and a proxy ARP entry for each address you want. For example, if your external address for your mail server is 1.2.3.4 and your internal address is 192.168.3.4, then you need to add the following entries to /etc/rc.local:

    route add -host 1.2.3.4 gw 192.168.3.4
    arp -s 1.2.3.4 00:c0:aa:bb:cc:dd pub

Note: "00:c0:aa:bb:cc:dd" needs to be replaced with the MAC address of the external interface of your firewall.

When you use the command "sysctl -w" you don't have to reboot after setting the correct values.

Regards
Eduard

Last edited by eduardw; 2008-04-16 at 12:57.
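As an added illustration (not code from the thread or from Check Point), the script below generates and validates the rc.local and sysctl lines Eduard lists, and gives a way to verify the published ARP entry once applied; it assumes Linux-style route/arp/sysctl commands as quoted above and that the external MAC can be read from /sys/class/net/<iface>/address.

```shell
#!/bin/sh
# Added example, not from the thread: build, validate and verify the SPLAT
# proxy-ARP entries for one manual static NAT (NAT_IP -> INTERNAL_IP).
# Assumptions: Linux route/arp/sysctl syntax as quoted in the thread and a
# sysfs path /sys/class/net/<iface>/address for the external MAC.

# Reject anything that is not a dotted quad before it is written to rc.local.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# MAC of the named interface, e.g. iface_mac eth0 -> 00:c0:aa:bb:cc:dd
iface_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# The two rc.local lines from the thread: a host route to the real internal
# address, plus a published ("pub") ARP entry that answers with the external MAC.
proxy_arp_cmds() {
    nat_ip=$1; int_ip=$2; ext_mac=$3
    is_ipv4 "$nat_ip" && is_ipv4 "$int_ip" || return 1
    printf 'route add -host %s gw %s\n' "$nat_ip" "$int_ip"
    printf 'arp -s %s %s pub\n' "$nat_ip" "$ext_mac"
}

# The sysctl.conf lines; "sysctl -w <key>=1" applies them without a reboot.
proxy_arp_sysctl() {
    printf 'net.ipv4.conf.all.proxy_arp = 1\n'
    printf 'net.ipv4.conf.default.proxy_arp = 1\n'
}

# After applying: the kernel toggle should print 1 and the NAT address should
# show as a published entry (flags PERM PUP) on the external interface.
verify() {
    sysctl -n net.ipv4.conf.all.proxy_arp
    arp -n | grep -w "$1"
}

# Dry run only: prints the lines; review them before adding to rc.local.
# Usage: sh proxyarp.sh NAT_IP INTERNAL_IP EXT_IFACE
main() {
    mac=$(iface_mac "$3") || { echo "no MAC found for $3" >&2; return 1; }
    proxy_arp_sysctl
    proxy_arp_cmds "$1" "$2" "$mac"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

With the thread's addresses, `sh proxyarp.sh 60.1.1.1 10.1.1.254 eth0` prints the entries for 60.1.1.1 -> 10.1.1.254; run `verify 60.1.1.1` on the firewall afterwards to confirm the kernel is actually publishing the entry.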
---

Hi mate,

In my scenario the internal host resides in the same subnet as the internal interface of the firewall, and the outside host who is trying to access it resides on the same subnet as the external interface. My internal interface of the firewall is 10.1.1.100 and the internal host is 10.1.1.254. My external interface of the firewall is 1.1.1.1 and the outside host is 1.1.1.2. The static NAT address of the inside host is 60.1.1.1. On the outside host my default gateway is the external interface of the firewall. So when the outside host does an AND operation it finds out the destination is in a different subnet, so naturally it will send it to its default gateway, which is the external interface of the firewall. So why do we need a static proxy ARP entry in the first place? I am just not getting the point of configuring it. Can you please tell me why?

Waiting for your reply.

Regards
sebastan
---

For an upstream router to be able to deliver traffic which has a destination address of "NAT_IP" to the required location (your Check Point firewall) you must have one of two conditions configured. Either:

1) A route on the upstream router, which routes NAT packets to the FW, or
2) A proxy ARP configured on the firewall, which makes the firewall respond to ARP requests from the router.

Let's say that you have not got a route on the router which will forward the packet; then the following happens:

a) The router looks in its own ARP cache to see where it should send the packet addressed to NAT_IP.
b) If the ARP cache doesn't have the information, the router puts out an ARP request, asking "who has NAT_IP address - tell me".
c) We need your firewall to respond to this ARP request, so we configure your firewall to do that by configuring a "Proxy ARP".
d) If the proxy ARP is configured correctly, when the router ARPs, your firewall should respond saying "Me - send it to me - on this MAC ADDRESS (of your ext NIC)".
---

IMHO, Proxy ARP is way too hard in SPLAT; the complexities of the entries are ridiculous. CP needs to add a Proxy ARP to the SPLAT GUI (like in IPSO Voyager). Everyone put in an RFE and maybe we'll get it.

__________________
There's no place like 127.0.0.1
---

There is an excellent thread here, How to view the automatic proxy arps NGX, about manual vs automatic NAT. Everyone should read this before setting up a manual NAT that will require a proxy ARP.
---

Hi coldark, thanks for your reply mate. But mate, if you see my config, my outside device has a route for the static NAT address pointing to the external interface of the firewall. Do I still need the proxy ARP in there? Can you please help with how to add the proxy ARP in SPLAT? Is it just a manual ARP entry, like "arp -s 60.1.1.1 (mac of ext interface)"? Am I right? Please correct me if I am wrong. I am not able to get it to work; I almost spent an entire day on it.

Waiting for your reply.

Regards
sebastan
---

Hi,

I am having NGX R65 and I have configured manual static NAT. I have a policy permitting telnet traffic from any to the static NAT address. In my global properties I have enabled "manual NAT rules translate destination on client side". My internal host is 10.1.1.254 and my static NAT address is 60.1.1.1. My external host is 1.1.1.2. The firewall internal interface is in the same subnet as the internal host, and the external host is in the same subnet as the external interface of the firewall. On the firewall I have a default route pointing to the external host. Here are my NAT rules:

Rule 1: in the original packet, source inside-host (10.1.1.254), destination any, service any; in the translated packet, source static-host (60.1.1.1), destination any, service any.

Rule 2: in the original packet, destination statichost (60.1.1.1), source any, service any; in the translated packet, destination insidehost (10.1.1.254), source any, service any.

I guess I am missing out on the proxy ARP entries in the firewall. Can someone please point me in the right direction for this, and also tell me how to add proxy ARP entries in the firewall? Waiting for some reply; I am stuck with this for quite some time. I got the same thing achieved with auto-NAT but am not able to get it working with manual NAT.

Regards
sebastan