CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Is it possible to do a Proxy ARP on a whole network?

  1. #1
    Join Date
    2017-12-07
    Posts
    6
    Rep Power
    0

    Default Is it possible to do a Proxy ARP on a whole network?

    I've created a manual NAT rule for translating a 10.31.0.0/24 network to a 192.168.55.0/24 network. There's some 100 devices on the 192.168 network that I need to access via a FW interface that is in the 10.31 network. How do I avoid having to manually add 100 proxy ARP entries via GAIA WEB GUI? I am looking for some whole subnet proxy ARP but I can't find anything about this. Is it possible? (R77.30)

    Regards, Luis

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,138
    Rep Power
    12

    Default Re: Is it possible to do a Proxy ARP on a whole network?

    Yes you will need to add all 100 Proxy ARP commands. Been there done that, not as many as this, but nonetheless.
    In clish you can use this command, given that the incoming interface is eth3 and the IP there is 10.31.0.1:
    add arp proxy ipv4-address 10.31.0.10 interface eth3 real-ipv4-address 10.31.0.1
    add arp proxy ipv4-address 10.31.0.11 interface eth3 real-ipv4-address 10.31.0.1
    add arp proxy ipv4-address 10.31.0.12 interface eth3 real-ipv4-address 10.31.0.1
    and so on.
    Last edited by msjouw; 2018-05-26 at 03:34.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Default Re: Is it possible to do a Proxy ARP on a whole network?

    Quote Originally Posted by luisneves View Post
    I've created a manual NAT rule for translating a 10.31.0.0/24 network to a 192.168.55.0/24 network. There's some 100 devices on the 192.168 network that I need to access via a FW interface that is in the 10.31 network. How do I avoid having to manually add 100 proxy ARP entries via GAIA WEB GUI? I am looking for some whole subnet proxy ARP but I can't find anything about this. Is it possible? (R77.30)

    Regards, Luis
    for x in $(seq 10 100) ; do echo clish -c "add arp proxy ipv4-address 10.31.0.$x interface eth3 real-ipv4-address 10.31.0.1" ; done

    Make sure admin's shell is /bin/bash (log out and back in if you just changed it). Remove the echo word if you're ready to pull the trigger.

    Once you're ok with the results go back into clish and issue a save config.


    BTW I'm not sure why a hide NAT won't work or why maybe a route vs a proxy ARP option isn't there. Routing would be way cleaner.


    Good luck!

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,214
    Rep Power
    13

    Default Re: Is it possible to do a Proxy ARP on a whole network?

    You only need to ensure firewall Proxy ARPs occur for NAT addresses you are "plucking" from a subnet directly attached to the firewall. Most typically the so-called "dirty" segment between the firewall and Internet perimeter router utilizes all (or at least a subset) of your Internet-routable address space, and this is the most likely place that plucking will occur. Plucked NAT addresses in this situation will need to be Proxy ARPed by the firewall, or a /32 route for each of the NAT addresses added on the perimeter router. Assuming the default NAT Global Properties settings, NATs defined using the Automatic method will have the firewall automatically Proxy ARP for all plucked addresses. This can be verified with the fw ctl arp command. If using Manually defined NATs on a R77.30 or earlier firewall, you will need to manually ensure that the firewall will Proxy ARP for any plucked NAT addresses, see "sk30197: Configuring Proxy ARP for Manual NAT".

    However if you are using an R80.10+ gateway, it is possible to have the firewall automatically Proxy ARP for manually-defined plucked NAT addresses as well. This new feature is not enabled by default, see "sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10" for more information.

    However as jflemingeds mentioned, Internet-routable subnets that are simply using the dirty segment as a transit to reach the firewall do NOT need Proxy ARPs added on the firewall, because the Internet perimeter router will already have a route to that network with the firewall as the next hop. The most common situation where this occurs is when an ISP grants you a second Internet-routable address block because you have used up all the addresses in the first Internet-routable block they gave you. A static route for this second Internet-routable subnet is added to the perimeter router with the firewall as the next hop, thus the second Internet-routable subnet uses the first Internet-routable subnet merely as a transit to reach the firewall. Proxy ARP is not needed for the second Internet-routable subnet (or any other subsequent Internet-routable subnets added) in this case.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
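As an added example (not code from the thread or from Check Point), the script below combines post #3's loop with post #4's rule that only NAT addresses "plucked" from a directly attached subnet need a Proxy ARP entry, assuming the thread's interface eth3, real address 10.31.0.1 and segment 10.31.0.0/24, and an admin shell set to /bin/bash.

```shell
# Added example, not from the thread or from Check Point. Two helpers:
#  in_subnet      is a NAT address "plucked" from a subnet directly attached
#                 to the firewall (post #4's test for needing Proxy ARP)?
#  proxy_arp_cmds one Gaia clish "add arp proxy" line per plucked host
#                 (post #3's loop, reviewed before anything is applied).
# Assumed names: interface eth3, real address 10.31.0.1, segment 10.31.0.0/24.

ip2int() {  # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> exit 0 when IP lies inside CIDR (e.g. 10.31.0.0/24)
in_subnet() {
    local ip net bits mask
    case $2 in */*) ;; *) return 2 ;; esac      # require a prefix length
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# host_range PREFIX FIRST LAST -> PREFIX.FIRST ... PREFIX.LAST, one per line
host_range() {
    local x=$2
    while [ "$x" -le "$3" ]; do echo "$1.$x"; x=$((x + 1)); done
}

# proxy_arp_cmds IFACE REAL_IP CONNECTED_CIDR NAT_IP...
# Prints an "add arp proxy" command for every NAT_IP inside CONNECTED_CIDR.
# Addresses outside it get no entry: they reach the firewall via a route on
# the next-hop router, so a Proxy ARP for them would be wrong (post #4).
proxy_arp_cmds() {
    local iface=$1 real=$2 cidr=$3 nat
    shift 3
    for nat in "$@"; do
        [ "$nat" = "$real" ] && continue     # never proxy for the firewall's own address
        if in_subnet "$nat" "$cidr"; then
            printf 'add arp proxy ipv4-address %s interface %s real-ipv4-address %s\n' \
                "$nat" "$iface" "$real"
        else
            echo "skip $nat: outside $cidr, route it on the next-hop router instead" >&2
        fi
    done
}

# Review first, then apply and persist only if every command succeeded:
#   proxy_arp_cmds eth3 10.31.0.1 10.31.0.0/24 $(host_range 10.31.0 10 109)
#   proxy_arp_cmds eth3 10.31.0.1 10.31.0.0/24 $(host_range 10.31.0 10 109) |
#       while IFS= read -r c; do clish -c "$c" || exit 1; done && clish -c "save config"
```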

  5. #5
    Join Date
    2017-12-07
    Posts
    6
    Rep Power
    0

    Default Re: Is it possible to do a Proxy ARP on a whole network?

    Well folks, really thank you for all the answers!

    Best Regards, Luis