topic Re: NAT Manuals and their relationship with Proxy ARP. in General Topics

NAT Manuals and their relationship with Proxy ARP.

Matlu — Sun, 18 Jun 2023 20:45:15 GMT

Hello, everybody.

Is it mandatory to always work with the "Proxy ARP" table from Gaia Portal or Gaia CLISH, for what is the NAT MANUALS, of a service publication?

I have seen documentation, in which they make reference that we must work with this table, when we need to make publications to the Internet.
Is it strictly obligatory, to work the table?

Is there a way to simply create your manual NAT rules and avoid touching the ARP proxy table?

Thanks for your comments.

Re: NAT Manuals and their relationship with Proxy ARP.

Chris_Atkinson — Sun, 18 Jun 2023 23:07:34 GMT

Depends on whether the NAT IPs are in the same subnet as your interface IP or if they are in a different subnet routed directly towards the firewall.

Re: NAT Manuals and their relationship with Proxy ARP.

Matlu — Mon, 19 Jun 2023 13:33:18 GMT

Hello,

I find it difficult to interpret your idea.

For example, my Real IP has the segment 10.7.53.x [An IP of this segment is configured in a Firewall leg].

The NAT IP that we have, is an IP that is "invented" that has nothing to do with the segments that are configured in the Firewall.

Then, when a publication to the Internet is required, it is "mandatory" to work with the "Proxy ARP"????

Greetings.

Re: NAT Manuals and their relationship with Proxy ARP.

Blason_R — Mon, 19 Jun 2023 13:50:32 GMT

As @Chris_Atkinson mentioned if your Natted IP and interface IP falls in a same subnet then you will have to use proxy arp.

Its simple and understand that if machine responds to other machine from same network it broadcast the ARP to make the discovery. Similaryl if natted IP and firewall interface are from same subnet then you need to add Proxy Arp

e.g.

Original Source IP : 1.2.3.4

Firewall interface IP: 5.6.7.8

natted IP : 5.6.7.9

Translated Destionation ip : 172.16.1.2

Then you will have to add Proxy arp for 5.6.7.9

Re: NAT Manuals and their relationship with Proxy ARP.

Matlu — Mon, 19 Jun 2023 16:07:45 GMT

Hello,

Just so I'm clear on the idea,

Here is an example:

I publish a service to Internet

External IP: 200.49.210.27

The internal IP of the service is: 192.168.214.200

The Firewall has configured in its "eth2 leg" the IP 192.168.214.5

In this "example", I will need to configure the PROXY ARP?

Obs: My ClusterXL has a VIP with the Public IP 200.49.210.30

Cheers. 🙂

Re: NAT Manuals and their relationship with Proxy ARP.

PhoneBoy — Mon, 19 Jun 2023 16:41:00 GMT

Assuming 200.49.210.27 and your external IP are on the same subnet, yes.
The main thing is ensuring the traffic gets to the gateway.

While this wasn't always the case, Proxy ARPs are done are configure automatically for automatic NAT rules.
For manual NAT rules, in circumstances where a proxy arp is required, they must be configured manually.

Re: NAT Manuals and their relationship with Proxy ARP.

Matlu — Mon, 19 Jun 2023 17:07:14 GMT

Hello,

Is it "mandatory" that in all the Manual NAT rules that are worked in the Checkpoint, you need to work the "Proxy ARP", or this is "optional" or for "punctual cases"?

My doubt is because I have a ClusterXL environment, in which I have several NAT Manuals, but I "do not see" that the previous administrator, has worked with the PROXY ARP.

I consult the ARP table by CLI with "cat $FWDIR/conf/local.arp" and well, there is no result.

I just wanted to clarify the theory of the NAT Manuals, in relation to the PROXY ARP, since I have pending to publish a couple of services to Internet.

Greetings.

Re: NAT Manuals and their relationship with Proxy ARP.

Chris_Atkinson — Mon, 19 Jun 2023 23:39:58 GMT

No it's not mandatory as routing in some cases removes the need for proxy-arp as explained above.

Proxy-arp is only needed so other devices on the same subnet can reach that address which isn't the case if the interface address and NAT IP are parts of different network subnets and routing is responsible for forwarding traffic to the gateway.

Focus on what technically proxy-arp is and does and less on the NAT/CP portion to gain a better understanding.