Hi Everyone,
I have configured a handful of Hide NATs for a list of 8 internal IP addresses behind which multiple hosts will reside. These addresses will need to have outbound internet access.
I have configured the objects and also the Hide NAT as shown. My upstream "user" says it's not working and that I need to configure proxy ARP for these IPs. I see this traffic going out to the internet OK.
Have I done everything correctly?
The need for manual proxy ARP depends on some factors.
First of all, whether the NAT IP is part of the relevant interface subnet. If not, proxy ARP is not needed, but a return route is.
If it is part of the subnet, then proxy ARP is needed, but if the global properties are defined correctly, using automatic NAT (configured on objects) will create the relevant proxy ARP for you.
Were the 8 NAT addresses "plucked" from the so-called dirty segment between the firewall's external interface and your Internet perimeter router? If so, proxy ARPs are needed, but assuming "Automatic ARP Configuration" is checked in the NAT Global Properties it should create them for you when you use the Automatic NAT setup (which is what you are doing). Run the command fw ctl arp to see what addresses the firewall believes it needs to provide proxy ARP service for.
If the 8 addresses are not "plucked" and there is a different transit subnet in use on the dirty segment, proxy ARP is not needed, but then these 8 addresses need to be properly routed inbound to your firewall via the transit subnet. The Internet perimeter router needs a static route for these addresses/subnet pointing to the outside IP address of the firewall. This assumes, of course, that these 8 addresses are actually being correctly routed to you over the Internet in the first place; to confirm, try a traceroute to one of these addresses from somewhere else on the Internet outside the firewall. Does it seem to be coming your way? How far is it getting to you?
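The two replies above share one decision rule: a Hide NAT address that falls inside the external interface's subnet must be proxy-ARPed by the gateway, while one outside it must instead be routed to the firewall by the upstream router. The script below is an added example, not code from the original thread or from Check Point; it applies that rule to a list of NAT addresses and then cross-checks the in-subnet ones against the addresses reported by fw ctl arp, so that any NAT IP the gateway is not advertising stands out. The /26, the eight NAT addresses and the fw ctl arp sample are all constructed for illustration, and the "(ip) at mac interface ifname" line format of fw ctl arp is assumed rather than copied from a real gateway.

```python
"""Decide, per Hide NAT address, whether the gateway must proxy ARP for it or
whether the upstream router needs a static route instead, then cross-check the
proxy ARP set against what `fw ctl arp` reports.

All sample values below are constructed for illustration. The `fw ctl arp`
line format used by parse_fw_ctl_arp() is an assumption, not taken from a
real gateway; paste your own output into FW_CTL_ARP_SAMPLE to test it.
"""
import ipaddress
import re

# Constructed: the internet-facing /26 on the firewall's external interface.
EXTERNAL_IF_SUBNET = "203.0.113.64/26"

# Constructed: eight Hide NAT addresses. Six sit inside the /26 (proxy ARP
# case), two sit in a different prefix (upstream static route case).
NAT_HIDE_IPS = [
    "203.0.113.70", "203.0.113.71", "203.0.113.72", "203.0.113.73",
    "203.0.113.74", "203.0.113.75", "198.51.100.10", "198.51.100.11",
]

# Constructed sample of `fw ctl arp` output (format assumed). Only three of
# the six in-subnet NAT IPs are present, so three should be flagged missing.
FW_CTL_ARP_SAMPLE = """\
(203.0.113.70) at 00:1c:7f:aa:bb:01 interface eth0
(203.0.113.71) at 00:1c:7f:aa:bb:01 interface eth0
(203.0.113.74) at 00:1c:7f:aa:bb:01 interface eth0
"""


def classify_nat_ips(if_subnet, nat_ips):
    """Split NAT addresses into those inside the interface subnet (the
    gateway must answer ARP for them) and those outside it (the perimeter
    router needs a static route towards the firewall's outside IP)."""
    net = ipaddress.ip_network(if_subnet, strict=False)
    needs_proxy_arp, needs_route = [], []
    for ip in nat_ips:
        if ipaddress.ip_address(ip) in net:
            needs_proxy_arp.append(ip)
        else:
            needs_route.append(ip)
    return needs_proxy_arp, needs_route


def parse_fw_ctl_arp(output):
    """Return the set of IPv4 addresses the gateway reports it proxy-ARPs for.
    Assumes each entry carries the address in parentheses, e.g. '(a.b.c.d) at'."""
    return set(re.findall(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", output))


def missing_proxy_arps(if_subnet, nat_ips, arp_output):
    """In-subnet NAT IPs that should appear in `fw ctl arp` but do not.
    A non-empty result means Automatic ARP did not cover every Hide NAT."""
    needs_proxy_arp, _ = classify_nat_ips(if_subnet, nat_ips)
    advertised = parse_fw_ctl_arp(arp_output)
    return sorted(set(needs_proxy_arp) - advertised, key=ipaddress.ip_address)


if __name__ == "__main__":
    proxy, route = classify_nat_ips(EXTERNAL_IF_SUBNET, NAT_HIDE_IPS)
    print("Proxy ARP required on gateway :", ", ".join(proxy))
    print("Static route required upstream:", ", ".join(route))
    missing = missing_proxy_arps(EXTERNAL_IF_SUBNET, NAT_HIDE_IPS, FW_CTL_ARP_SAMPLE)
    print("Not advertised in fw ctl arp  :", ", ".join(missing) or "none")
```

Run it on the gateway with your own /26 and NAT list and the real output of fw ctl arp pasted into FW_CTL_ARP_SAMPLE. Anything listed as "not advertised" is a Hide NAT address the gateway will not answer ARP for, which is exactly the symptom an upstream router would describe as "proxy ARP missing"; anything in the static-route list cannot be fixed with proxy ARP at all and has to be routed to the firewall.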
The NATted public addresses are part of the internet-facing /26
The RFC1918 inside addresses are part of an attached (VLAN) subnet.
I do have the NAT & ARP box ticked in global settings.
I do appear to have an entry for one of the NATs in "fw ctl arp"
I think, against all the odds, that I have done my setup correctly and the problem is upstream...
Thanks everyone.