https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239010#M46375 <P>Can the client learn the arp, any drop logs?</P> <P>If this is VMware is it configured per&nbsp;<SPAN>sk101214.</SPAN></P> Sun, 19 Jan 2025 06:20:59 GMT Chris_Atkinson 2025-01-19T06:20:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/238999#M46370 <P>Hi Checkmates,</P><P>I have a standalone box on VM, I'm trying to create a DNAT rule for servers that are directly connected to CP box.</P><P>#################</P><P>Firewall interfaces :</P><P>10.10.10.101 -eth0</P><P>20.20.20.101- eth2</P><P>#################</P><P>I have servers behind each of these interfaces, I'm trying to create a DNAT for the web server manually, Below are the steps that I followed.</P><P>1&gt;Created a DNAT rule.</P><P>2&gt;Created a proxy ARP entry in WebUI.</P><P>3&gt;Enabled manual proxy in global config.</P><P>4&gt;Installed policy.</P><P>Web server 10.10.10.10</P><P>Client - 20.20.20.10</P><P>##############</P><P>Below is the proxy arp o/p from cli</P><P>[Expert@CheckPoint_SA:0]# fw ctl arp<BR /><STRONG>(20.20.20.105) at 00-0c-29-12-90-66</STRONG><BR />[Expert@CheckPoint_SA:0]# ifconfig eth2<BR />eth2 Link encap:Ethernet HWaddr <STRONG>00:0C:29:12:90:66</STRONG><BR />inet addr:20.20.20.101 Bcast:20.20.20.255 Mask:255.255.255.0<BR />UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR />RX packets:2854 errors:0 dropped:0 overruns:0 frame:0<BR />TX packets:180 errors:0 dropped:0 overruns:0 carrier:0<BR />collisions:0 txqueuelen:1000<BR />RX bytes:265199 (258.9 KiB) TX bytes:10990 (10.7 KiB)</P><P>==========</P><P>I have attached screenshots for the NAT rule and the access rule .</P><P>Can someone please help me figure out what's happening here!</P><P>=========</P><P>WR,</P><P>FH</P> Sat, 18 Jan 2025 18:30:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/238999#M46370 Firewall_Head 2025-01-18T18:30:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239004#M46372 <P>Is Linux_2 the client and Linux_1 the server?</P> Sun, 19 Jan 2025 00:50:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239004#M46372 Chris_Atkinson 2025-01-19T00:50:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239009#M46374 <P>Yes&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;.</P><P>&nbsp;</P> Sun, 19 Jan 2025 04:44:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239009#M46374 Firewall_Head 2025-01-19T04:44:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239010#M46375 <P>Can the client learn the arp, any drop logs?</P> <P>If this is VMware is it configured per&nbsp;<SPAN>sk101214.</SPAN></P> Sun, 19 Jan 2025 06:20:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239010#M46375 Chris_Atkinson 2025-01-19T06:20:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239012#M46376 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;,</P><P>If you take a look at my proxy ARP output, the MAC of eth2 and the NAT IP are the same. Is this expected ?</P><P>Also I'm seeing drops for the traffic initiated to the NAT IP , it is matched by cleanup rule. I'm a little confused here, I have used the real IP in access control policy , can it be the reason.</P><P>=====</P><P>WR,</P><P>FH</P> Sun, 19 Jan 2025 05:44:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239012#M46376 Firewall_Head 2025-01-19T05:44:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239013#M46377 <P>The proxy-arp mac should match the interface mac from the same subnet.</P> <P>Yes the traffic must be accepted by the access policy (NAT IP).</P> <P>If you used NAT on the object itself elements of the policy may appear different by comparison.</P> Sun, 19 Jan 2025 06:38:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239013#M46377 Chris_Atkinson 2025-01-19T06:38:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239014#M46378 <P>Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;, it's working now.</P><P>Have a great day!</P><P>=======</P><P>WR</P><P>FH</P> Sun, 19 Jan 2025 06:40:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-DNAT-rule-is-not-working/m-p/239014#M46378 Firewall_Head 2025-01-19T06:40:50Z