Hi Everyone,
I have configured a handful of Hide NATs for a list of 8 internal IP addresses behind which multiple hosts will reside. These addresses will need to have outbound internet access.
I have configured the objects and also the Hide NAT as shown. My upstream "user" says it's not working and that I need to configure proxy ARP for these IPs. I see this traffic going out to the internet OK.
Have I done everything correctly?
The need for manual proxy ARP depends on some factors.
First of all, whether the NAT IP is part of the relevant interface subnet. If not, proxy ARP is not needed, but a return route is.
If it is part of the subnet, then proxy ARP is needed, but if the global properties are defined correctly, using automatic NAT (configured on objects) will create the relevant proxy ARP for you.
Were the 8 NAT addresses "plucked" from the so-called dirty segment between the firewall's external interface and your Internet perimeter router? If so, proxy ARPs are needed, but assuming "Automatic ARP Configuration" is checked in the NAT Global Properties, it should create them for you when you use the Automatic NAT setup (which is what you are doing). Run the command fw ctl arp to see what addresses the firewall believes it needs to provide proxy ARP service for.
If the 8 addresses are not "plucked" and there is a different transit subnet in use on the dirty segment, proxy ARP is not needed, but then these 8 addresses need to be properly routed inbound to your firewall via the transit subnet. The Internet perimeter router needs a static route for these addresses/subnet pointing to the outside IP address of the firewall. This assumes, of course, that these 8 addresses are actually being correctly routed to you over the Internet in the first place; to confirm, try to traceroute to one of these addresses from somewhere else on the Internet outside the firewall. Does it seem to be coming your way? How far is it getting to you?
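The two answers above boil down to one decision per NAT address: if it falls inside the external interface's subnet the gateway must answer ARP for it (and fw ctl arp should list it); if it falls outside, ARP is irrelevant and the perimeter router needs a route for it pointing at the gateway. The script below is an added example written for this thread, not code from the original posts or from Check Point. It encodes that decision and then compares the addresses that need proxy ARP against whatever fw ctl arp reported. The addresses (RFC 5737 TEST-NET ranges) and the fw ctl arp sample are constructed for illustration; the script does not depend on the command's exact output layout, it only extracts the IPv4 addresses from it.

```python
"""
Added example for the proxy ARP vs. return-route decision discussed above.
Not from the CheckMates thread or from Check Point; all addresses and the
'fw ctl arp' sample output are constructed for illustration.
"""
import ipaddress
import re

# Matches dotted-quad IPv4 addresses anywhere in a line of text.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_nat_ips(external_if_cidr, nat_ips):
    """Return {nat_ip: 'proxy-arp' | 'route'} for each NAT address.

    'proxy-arp': the address lies inside the external interface's subnet, so
                 the perimeter router will ARP for it on that segment and the
                 gateway has to answer (automatic NAT + "Automatic ARP
                 Configuration" normally does this for you).
    'route':     the address is outside that subnet (a different transit
                 subnet is in use); nobody will ARP for it, so the router
                 needs a static route for it pointing at the gateway's
                 outside IP.
    external_if_cidr is the gateway's external interface address with its
    prefix length, e.g. "203.0.113.1/26" (constructed value).
    """
    iface_net = ipaddress.ip_network(external_if_cidr, strict=False)
    result = {}
    for ip in nat_ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = "proxy-arp" if addr in iface_net else "route"
    return result


def arp_ips_from_fw_ctl_arp(output):
    """Set of IPv4 addresses that appear in 'fw ctl arp' output.

    Deliberately format-agnostic: only the addresses are extracted, so the
    exact column layout of the command does not matter.
    """
    return set(IPV4_RE.findall(output))


def missing_proxy_arp(external_if_cidr, nat_ips, fw_ctl_arp_output):
    """NAT addresses that need proxy ARP but are absent from fw ctl arp.

    An empty list means the gateway is answering ARP for every in-subnet NAT
    address, and the remaining problem (if any) is upstream.
    """
    needed = {ip for ip, kind in classify_nat_ips(external_if_cidr, nat_ips).items()
              if kind == "proxy-arp"}
    present = arp_ips_from_fw_ctl_arp(fw_ctl_arp_output)
    return sorted(needed - present, key=ipaddress.ip_address)


# --- Constructed scenario mirroring the thread ---------------------------
# Gateway external interface on an internet-facing /26 (constructed).
EXTERNAL_IF = "203.0.113.1/26"
# Eight Hide NAT addresses taken from that same /26 (constructed).
NAT_IPS = ["203.0.113.%d" % n for n in range(10, 18)]
# Constructed 'fw ctl arp' output showing only ONE of the eight addresses,
# i.e. the situation the original poster describes. Layout is illustrative.
SAMPLE_FW_CTL_ARP = """\
(203.0.113.10) at 00:1c:7f:00:00:01 interface eth0
"""


def demo():
    """Run the decision on the constructed scenario and return the results."""
    kinds = classify_nat_ips(EXTERNAL_IF, NAT_IPS)
    missing = missing_proxy_arp(EXTERNAL_IF, NAT_IPS, SAMPLE_FW_CTL_ARP)
    return kinds, missing


if __name__ == "__main__":
    kinds, missing = demo()
    for ip, kind in kinds.items():
        print("%-15s %s" % (ip, kind))
    print("need proxy ARP but not in fw ctl arp:", missing)
```

On the real gateway you would feed the output of fw ctl arp into missing_proxy_arp() instead of the constructed sample. If the list it returns is not empty while "Automatic ARP Configuration" is ticked and the NAT is automatic, the proxy ARP side is not complete on the gateway; if it is empty and the in-subnet classification holds, the remaining suspect is the upstream side, which is where the thread ends up.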
The NATted public addresses are part of the internet-facing /26
The RFC1918 inside addresses are part of an attached (VLAN) subnet.
I do have the NAT & ARP box ticked in global settings.
I do appear to have an entry for one of the NATs in "fw ctl arp"
I think, against all the odds, that I have done my set up correctly and the problem is upstream...
Thanks everyone.