Hide NAT - Do I need proxy ARP as well?

Hi Everyone,

I have configured a handful of Hide NATs for a list of 8 internal IP addresses, behind which multiple hosts will reside. These addresses will need to have outbound internet access.

I have configured the objects and also the Hide NAT as shown. My upstream "user" says it's not working and that I need to configure proxy ARP for these IPs. I see this traffic going out to the internet OK.

[Screenshot: Capture.JPG (NAT objects)]

[Screenshot: Capture2.PNG (Hide NAT configuration)]

Have i done everything correctly?

3 Replies

The need for manual proxy ARP depends on some factors.

First of all, whether the NAT IP is part of the relevant interface subnet. If not, proxy ARP is not needed, but a return route is.

If it is part of the subnet, then proxy ARP is needed, but if the global properties are defined correctly, using automatic NAT (configured on objects) will create the relevant proxy ARP for you.


Were the 8 NAT addresses "plucked" from the so-called dirty segment between the firewall's external interface and your Internet perimeter router? If so, proxy ARPs are needed, but assuming "Automatic ARP Configuration" is checked in the NAT Global Properties, it should create them for you when you use the Automatic NAT setup (which is what you are doing). Run the command fw ctl arp to see which addresses the firewall believes it needs to provide proxy ARP service for.

If the 8 addresses are not "plucked" and a different transit subnet is in use on the dirty segment, proxy ARP is not needed, but then these 8 addresses need to be properly routed inbound to your firewall via the transit subnet. The Internet perimeter router needs a static route for these addresses/subnet pointing to the outside IP address of the firewall. This assumes, of course, that these 8 addresses are actually being correctly routed to you over the Internet in the first place; to confirm, try to traceroute to one of these addresses from somewhere else on the Internet outside the firewall. Does it seem to be coming your way? How far is it getting to you?

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
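The decision described in the two replies above (in the external interface's subnet: proxy ARP, and automatic NAT should already have created the entry; outside it: an upstream static route instead) can be checked mechanically. The script below is an added example, not code from the original thread or from Check Point. It assumes a constructed external interface address of 203.0.113.2/26, eight constructed hide-NAT addresses, and a constructed sample of fw ctl arp output in the "(IP) at MAC interface NAME" form; the exact output format of fw ctl arp on a given release is an assumption, so adjust the regular expression if yours differs.

```python
import ipaddress
import re

# Constructed example values (not from the original thread).
EXTERNAL_INTERFACE = "203.0.113.2/26"   # assumption: the gateway's external IP/mask
NAT_ADDRESSES = [                       # assumption: the eight public hide-NAT IPs
    "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
    "203.0.113.14", "203.0.113.15", "198.51.100.10", "198.51.100.11",
]

# Constructed sample of `fw ctl arp` output; the line format is an assumption.
SAMPLE_FW_CTL_ARP = """\
(203.0.113.10) at 00:1c:7f:aa:bb:01 interface eth0
(203.0.113.11) at 00:1c:7f:aa:bb:01 interface eth0
(203.0.113.12) at 00:1c:7f:aa:bb:01 interface eth0
"""

ARP_LINE = re.compile(
    r"^\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+\S+\s+interface\s+(\S+)"
)


def parse_fw_ctl_arp(text):
    """Return {ip: interface} for every proxy-ARP entry in fw ctl arp output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def classify_nat_address(nat_ip, external_iface, arp_entries):
    """Decide what one NAT address needs and whether that need is met.

    mechanism:
      'interface-ip' - the NAT IP is the gateway's own external IP; nothing to do.
      'proxy-arp'    - inside the external subnet: the perimeter router will ARP
                       for it, so the gateway must answer; 'satisfied' says whether
                       fw ctl arp lists it.
      'route'        - outside the external subnet: the perimeter router needs a
                       static route for it to the gateway's external IP ('next_hop');
                       'satisfied' is None because that must be checked on the router.
    """
    iface = ipaddress.ip_interface(external_iface)
    ip = ipaddress.ip_address(nat_ip)
    if ip == iface.ip:
        return {"ip": nat_ip, "mechanism": "interface-ip", "satisfied": True}
    if ip in iface.network:
        return {
            "ip": nat_ip,
            "mechanism": "proxy-arp",
            "satisfied": nat_ip in arp_entries,
            "interface": arp_entries.get(nat_ip),
        }
    return {
        "ip": nat_ip,
        "mechanism": "route",
        "satisfied": None,
        "next_hop": str(iface.ip),
    }


def check_all(external_iface=EXTERNAL_INTERFACE, nat_addresses=NAT_ADDRESSES,
              fw_ctl_arp_text=SAMPLE_FW_CTL_ARP):
    """Classify every NAT address against the gateway's external interface."""
    arp = parse_fw_ctl_arp(fw_ctl_arp_text)
    return [classify_nat_address(a, external_iface, arp) for a in nat_addresses]


def missing_proxy_arp(results):
    """NAT IPs that should be proxy-ARPed but do not appear in fw ctl arp."""
    return [r["ip"] for r in results
            if r["mechanism"] == "proxy-arp" and not r["satisfied"]]


def needs_upstream_route(results):
    """NAT IPs for which the perimeter router must carry a static route."""
    return [r["ip"] for r in results if r["mechanism"] == "route"]


if __name__ == "__main__":
    results = check_all()
    for r in results:
        print(r)
    print("missing proxy ARP:", missing_proxy_arp(results))
    print("need upstream route:", needs_upstream_route(results))
```

On a real gateway, replace the sample text with the live output, for example `check_all(fw_ctl_arp_text=subprocess.check_output(["fw", "ctl", "arp"], text=True))` run in Expert mode. Any address reported by `missing_proxy_arp` is inside the external subnet but not being answered for; the first things to verify are that "Automatic ARP Configuration" is enabled in Global Properties > NAT and that policy has been installed since the NAT rule was added. Addresses reported by `needs_upstream_route` cannot be fixed on the gateway at all; the perimeter router must route them to the gateway's external IP.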

The NATted public addresses are part of the internet-facing /26

The RFC1918 inside addresses are part of an attached (VLAN) subnet.

I do have the NAT & ARP box ticked in global settings.

I do appear to have an entry for one of the NATs in "fw ctl arp"

I think, against all the odds, that I have done my setup correctly and the problem is upstream...

Thanks everyone.
