
Proxy ARP on R80.20

Hello

 

We have for some time now been trying to get our Checkpoint Firewall to 1 to 1 NAT our VOIP phones.

What we just found out was that if we configure a 1 to 1 NAT rule like a /23 subnet to /23 subnet, the firewall does not Proxy ARP the NAT subnet in that case.

A NAT rule with a /32 to /32 mask on it then will not work either.

However, if we configure a 1 to 1 NAT rule with host objects, like 1 host to 1 other host, the Proxy ARP works just fine.

This SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... seems not applicable on R80.20, since the variable $CP_AUTO_ARP_FOR_MANUAL_NAT_RULES is already "1".

Is this a bug or what? 

 

//Johan


Re: Proxy ARP on R80.20

I would not use proxy ARP for a /23 at all. Make sure that there is routing in place and don't make your gateway part of the /23 network.
Proxy ARP should only be needed and used when you have a smaller number of IPs that are on the external side of your gateway and you still want to use those addresses to forward traffic to some DMZ servers.
Regards, Maarten

Re: Proxy ARP on R80.20

Then how would it work when it is described here in this guide: CP_R80.20_VoIP_AdminGuide.pdf, if Proxy ARP in larger networks is not possible in a Checkpoint Firewall?

 

/Johan

Wolfgang

Re: Proxy ARP on R80.20

Johan,

As Maarten_Sjouw mentioned, you don't need an interface on your gateway for this type of NAT.

You have to configure your (or your providers) upstream routers to route the external /23 subnet to your gateway.

And your NAT rule is simple with the internal /23 as original source and external /23 subnet as translated source.

If the packets are routed through your gateway, NAT can be done on these packets.

Wolfgang
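
The distinction drawn in the replies above, as an added example that is not part of the thread and is not Check Point code: a translated range that sits inside a subnet directly connected to the gateway is reached by ARP, so the gateway has to answer for every address in it, while a range that is not on any connected subnet only needs an upstream route pointing at the gateway. The function name, interface names and all addresses are constructed for illustration, and the code models generic IPv4 ARP and routing behaviour, not the firewall's automatic ARP feature.

```python
import ipaddress

def nat_reachability(translated, interfaces, external_if):
    """Return how neighbours on the external side can reach a translated range.

    translated  -- translated (post-NAT) network or host, e.g. "198.18.2.0/23"
    interfaces  -- {name: "address/prefix"} for the gateway's own interfaces
    external_if -- name of the interface facing the upstream router
    """
    nat = ipaddress.ip_network(translated)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if nat.subnet_of(net):
            # On-link: neighbours ARP for each translated address, so the
            # gateway must answer for all of them (proxy ARP). Its own
            # address and the subnet's network/broadcast are not counted.
            skip = {iface.ip, net.network_address, net.broadcast_address}
            count = sum(1 for addr in nat if addr not in skip)
            return {"method": "proxy_arp", "interface": name,
                    "addresses_to_answer": count, "upstream_route": None}
        if nat.overlaps(net):
            # Only part of the range is on-link: the gateway has an
            # interface inside the NAT range, the case Maarten advises against.
            return {"method": "conflict", "interface": name,
                    "addresses_to_answer": 0, "upstream_route": None}
    # Off-link: no ARP involved; the upstream router needs a static route
    # for the whole range with the gateway's external address as next hop.
    next_hop = ipaddress.ip_interface(interfaces[external_if]).ip
    return {"method": "routed", "interface": external_if,
            "addresses_to_answer": 0,
            "upstream_route": f"{nat} via {next_hop}"}

# Constructed sample gateway: eth0 faces the upstream router, eth1 the phones.
GATEWAY = {"eth0": "203.0.113.2/29", "eth1": "10.10.0.1/23"}

if __name__ == "__main__":
    for rng in ("198.18.2.0/23", "203.0.113.4/32"):
        print(rng, nat_reachability(rng, GATEWAY, "eth0"))
```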