topic Re: Allow ping for proxy arp ip address in Firewall and Security Management

Allow ping for proxy arp ip address

Ugur_Urel — Wed, 07 Sep 2022 10:11:56 GMT

Hi all,

Our firewall has several public ip addresses on external interface using proxy arp. Lets assume these public addresses are from 192.168.1.0 network.

Following ip addresses are assigned to interfaces directly;

192.168.1.1 (node1)
192.168.1.2 (node2)
192.168.1.3 (cluster ip)

192.168.1.4 and 192.168.1.5 assigned using proxy arp.

I would like to allow ping the ip address 192.168.1.4 from internet. I have defined a rule for 192.168.1.4 with icmp echo-request, I can see in the logs that traffic accepted but I can not ping from internet. Also if I add 192.168.1.3(cluster ip) to this rule, I can ping 192.168.1.3 from internet.

How can I allow this traffic? By the way "Merge manual proxy arp configuration" option in the global properties is checked.

Re: Allow ping for proxy arp ip address

Chris_Atkinson — Wed, 07 Sep 2022 10:23:54 GMT

You've not mentioned the NAT configuration, presumably there is an alive machine behind the proxy-arp address?

Re: Allow ping for proxy arp ip address

Ugur_Urel — Wed, 07 Sep 2022 10:32:29 GMT

Hi,

No, 192.168.1.4 is a host object on firewall and it is used in several nat rules for port forwarding.

Re: Allow ping for proxy arp ip address

the_rock — Wed, 07 Sep 2022 13:38:40 GMT

Can you send screenshot of what nat rule looks like?

Re: Allow ping for proxy arp ip address

Chris_Atkinson — Wed, 07 Sep 2022 23:23:23 GMT

Is the ICMP service covered in the scope of your NAT rules?

Re: Allow ping for proxy arp ip address

RS_Daniel — Wed, 07 Sep 2022 16:27:12 GMT

Hello,

To get ping working you must have an alive machine behind the IP 192.168.1.4 as Chris mentioned. You mentioned you have many manual NATs for this IP, so you must also create a Manual NAT for icmp also, the problem is that icmp services can not be used on a NAT rule, you must use option "Any" to NAT icmp traffic, it should not be a problem, just place this NAT rule with option ANY after all your current manual NAT rules with specific objects. The translated dest could be the internal IP address of the cluster in order to make the firewall answer the icmp requests, or any other internal IP address you want.

Regards

Re: Allow ping for proxy arp ip address

Ugur_Urel — Thu, 08 Sep 2022 07:22:31 GMT

Hello RS_Daniel,

Thank you very much for your detailed explanation. As you have mentioned, I tried to use icmp rule in the nat rule but couldn't install because of verification problem so I thought we can not nat icmp traffic. I tried your method and it is working now.

Thanks a lot to everyone for their help.

Have a great day!