topic Re: Proxy ARP on R80.20 in Firewall and Security Management

Proxy ARP on R80.20

Johan_Rudberg — Thu, 10 Oct 2019 10:05:07 GMT

Hello

We have for sometime now been trying getting our Checkpoint Firewall to 1 to 1 NAT our VOIP phones.

What we just found out was that if we configure a 1 to 1 NAT rule like a /23 subnet to /23 subnet the firewall does not Proxy ARP the NAT subnet in case.

A NAT rule with a /32 to /32 mask on it them will not work either.

However if we configure a 1 to 1 NAT rule wtih host objects like 1 host to 1 other host, the Proxy ARP works just fine.

This SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114395&partition=Advanced&product=Security seems not aplicable on R80.20 since the variable of: $CP_AUTO_ARP_FOR_MANUAL_NAT_RULES

is already "1"

Is this a bug or what?

//Johan

Re: Proxy ARP on R80.20

Maarten_Sjouw — Thu, 10 Oct 2019 10:25:18 GMT

I would not use proxy ARP for a /23 at all, make sure that there is routing in place and don't make your gateway part of the /23 network.
Proxy ARP should only be needed and used when you have a smaller number of IP's that are on the external side of your gateway and you still want to use those addresses to forward traffic to some DMZ servers.

Re: Proxy ARP on R80.20

Johan_Rudberg — Thu, 10 Oct 2019 10:36:54 GMT

Then how would it work when it is described here in this guide: CP_R80.20_VoIP_AdminGuide.pdf if Proxy ARP in larger networks, is not possible in a Checkpiont Firewall?

/Johan

Re: Proxy ARP on R80.20

Wolfgang — Thu, 10 Oct 2019 11:30:54 GMT

Johan,

as Maarten_Sjouw mentioned. You don't need an interface on your gateway for these type of NAT.

You have to configure your (or your providers) upstream routers to route the external /23 subnet to your gateway.

And your NAT rule is simple with the internal /23 as original source and external /23 subnet as translated source.

If the packets routed through your gateway, there can be done NAT with these packets.

Wolfgang