STATIC NAT stops working after a while

Jahk Nah Rai
2006-09-27, 10:09
I have a Checkpoint FW1 NG FP3 box on Windows 2000 Server.

For some strange reason everything seems to work except the Static NAT entries. It would work for a while and then stop hours later. Hide NAT works well. Checking the gateway router's ARP tables reveals Incomplete for every STATIC NAT IP.

Does anyone know why Checkpoint is doing this?

northlandboy
2006-09-27, 11:43
I take it you are using automatic proxy ARP? Don't. If you must use proxy ARP - and you shouldn't but sometimes can't avoid it - then manually configure the proxy ARP entries on your firewall. Don't rely on auto proxy ARP - it's too flaky.

I take it the Hide NAT entries are hiding behind the firewall's IP? - in which case it doesn't need to do proxy ARP.

Take a look at the various HFA release notes - I've seen a few things where they've fixed some stuff with auto proxy ARP. Sometimes it would do things like lose the entries if the interface flapped.

Check arp -a on the server, see what it's publishing. Configure all your proxy ARP entries manually, and things should work OK.

Oh and you should probably plan on moving away from FP3/Win2K, but you probably already know that....

Jahk Nah Rai
2006-09-27, 16:33
OK, so I will have to use arp -s and manually add each MAC address and IP to the Checkpoint's tables?
Understood what you mean, thanks. I will try that.

northlandboy
2006-09-27, 16:40
I don't work with Windows, so I don't know exactly how to add proxy ARP with it. I think with Check Point systems you can edit the local.arp file though?

It's not really about adding entries to Check Point's tables though - it's about getting the upstream router to forward those frames to your firewall, and one way of doing that is to get your OS to send out ARP replies to requests for those NAT IPs. The other (better) way is to have routes on the upstream router.
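The two checks the thread recommends (arp -a on the firewall host, the upstream router's ARP table) and the two fixes it describes (manual proxy-ARP entries, or host routes on the upstream router) can be scripted against the same list of static NAT addresses. The block below is an added example written for this page, not code from either poster or from Check Point. It assumes a `local.arp`-style layout of one `<ip> <mac>` pair per line with a dashed MAC, Cisco IOS syntax for the router routes, and the sample `arp -a` / `show ip arp` output is constructed to show one published entry, one missing entry and one entry pointing at the wrong MAC, with the "Incomplete" rows the original poster saw.

```python
import re

# Constructed sample values (not from the thread): the static NAT addresses the
# firewall must answer ARP for, plus the firewall's external IP and interface MAC.
STATIC_NAT_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
FIREWALL_EXTERNAL_IP = "203.0.113.2"
FIREWALL_EXTERNAL_MAC = "00-11-22-33-44-55"

# Constructed Windows `arp -a` output from the firewall host: .10 is published
# with the firewall's MAC, .11 is missing, .12 is published with the wrong MAC.
WINDOWS_ARP_A = """\
Interface: 203.0.113.2 --- 0x2
  Internet Address      Physical Address      Type
  203.0.113.1           00-aa-bb-cc-dd-01     dynamic
  203.0.113.10          00-11-22-33-44-55     static
  203.0.113.12          00-de-ad-be-ef-00     static
"""

# Constructed Cisco-style `show ip arp` output from the upstream router, with
# the "Incomplete" entries the original poster described for unanswered NAT IPs.
ROUTER_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   00aa.bbcc.dd01  ARPA   FastEthernet0/0
Internet  203.0.113.2             3   0011.2233.4455  ARPA   FastEthernet0/0
Internet  203.0.113.10            1   0011.2233.4455  ARPA   FastEthernet0/0
Internet  203.0.113.11            0   Incomplete      ARPA
Internet  203.0.113.12            0   Incomplete      ARPA
"""


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, whatever separators the vendor uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return digits.lower()


def local_arp_lines(nat_ips, mac):
    """One '<ip> <mac>' line per NAT address for a manual proxy-ARP table.
    The dashed-MAC layout is an assumption about Check Point's local.arp file."""
    digits = normalize_mac(mac)
    dashed = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return ["%s %s" % (ip, dashed) for ip in nat_ips]


def upstream_static_routes(nat_ips, fw_ip):
    """The alternative the last post prefers: host routes on the upstream router
    pointing at the firewall's external IP (Cisco IOS syntax assumed)."""
    return ["ip route %s 255.255.255.255 %s" % (ip, fw_ip) for ip in nat_ips]


def parse_windows_arp(output):
    """Map IP -> (normalized MAC, entry type) from Windows `arp -a` text."""
    table = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)", line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), m.group(3))
    return table


def parse_cisco_arp(output):
    """Map IP -> normalized MAC, or None for an Incomplete entry, from `show ip arp`."""
    table = {}
    for line in output.splitlines():
        m = re.match(r"Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)", line)
        if m:
            hw = m.group(2)
            table[m.group(1)] = None if hw.lower() == "incomplete" else normalize_mac(hw)
    return table


def unpublished_nat_ips(nat_ips, fw_mac, windows_table):
    """NAT IPs the firewall host is not publishing with its own external MAC."""
    want = normalize_mac(fw_mac)
    return [ip for ip in nat_ips
            if ip not in windows_table or windows_table[ip][0] != want]


def unresolved_on_router(nat_ips, fw_mac, router_table):
    """NAT IPs the upstream router cannot resolve, or resolves to the wrong MAC."""
    want = normalize_mac(fw_mac)
    return [ip for ip in nat_ips if router_table.get(ip) != want]


if __name__ == "__main__":
    host = parse_windows_arp(WINDOWS_ARP_A)
    router = parse_cisco_arp(ROUTER_SHOW_IP_ARP)
    print("not published by firewall host:", unpublished_nat_ips(STATIC_NAT_IPS, FIREWALL_EXTERNAL_MAC, host))
    print("incomplete/wrong on router:    ", unresolved_on_router(STATIC_NAT_IPS, FIREWALL_EXTERNAL_MAC, router))
    print("manual proxy-ARP entries:")
    print("\n".join(local_arp_lines(STATIC_NAT_IPS, FIREWALL_EXTERNAL_MAC)))
    print("or upstream host routes:")
    print("\n".join(upstream_static_routes(STATIC_NAT_IPS, FIREWALL_EXTERNAL_IP)))
```

Feeding the script real `arp -a` and `show ip arp` captures in place of the constructed samples gives a quick way to tell the two failure modes apart: an address the firewall host has stopped publishing shows up in the first list, while an address the host still publishes but the router cannot reach (for example after an interface flap, as the second post mentions) shows up only in the second.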