This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rccou
Participant
‎2020-04-06 10:09 AM

Hide NAT - Do i need proxy ARP as well?

Hi Everyone,

I have configured a handful of Hide NATs for a list of 8 internal IP addresses behind which multiple hosts will reside. These addresses will need to have outbound internet access.

I have configured the objects and also the Hide NAT as shown.  My upstream "user" says it's not working and that i need to configure proxy ARP for these IPs.  I see this traffic going out to the internet OK.

Capture.JPG

Capture2.PNG

Have i done everything correctly?

 

 

0 Kudos
3 Replies
Norbert_Bohusch
Advisor
‎2020-04-06 10:14 AM

The need of manual proxy ARP depends on some factors.

First of all if the NAT IP is part of the relevant interface subnet. If not, proxy ARP is not needed but a return-route.

If it is part of the subnet, then proxy ARP is needed, but if global properties are defined correctly by using automatic NAT (configured on objects) will create the relevant proxy ARP for you.

 
 

 

 
Preview file
12 KB
Timothy_Hall
Champion
Champion
‎2020-04-06 10:16 AM

Were the 8 NAT addresses "plucked" from the so-called dirty segment between the firewall's external interface and your Internet perimeter router?  If so proxy ARPs are needed but assuming "Automatic ARP Configuration" is checked on the NAT Global Properties it should create them for you when you use the Automatic NAT setup (which is what you are doing).  Run command fw ctl arp to see what addresses the firewall believes it needs to provide proxy ARP service.

If the 8 addresses are not "plucked" and there is a different transit subnet in use on the dirty segment, proxy ARP is not needed but then these 8 addresses need to be properly routed inbound to your firewall via the transit subnet.  The Internet perimeter router needs a static route for these addresses/subnet pointing to the outside IP address of the firewall.  This assumes of course that these 8 addresses are actually being correctly routed to you over the Internet in the first place, to confirm try to traceroute to one of these addresses from somewhere else on the Internet outside the firewall.  Does it seem to be coming your way?  How far is it getting to you?

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Rccou
Participant
‎2020-04-06 11:16 PM
In response to Timothy_Hall

The NATted public addresses are part of the internet-facing /26

The RFC1918 inside addresses are part of an attached (VLAN) subnet.

I do have the NAT & ARP box ticked in global settings.

I do appear to have an entry for one of the NATs in "fw ctl arp"

I think, against all the odds, that i have done my set up correctly and the problem is upstream...

Thanks everyone.

0 Kudos
Labels