This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-06-18 01:45 PM

NAT Manuals and their relationship with Proxy ARP.

Hello, everybody.

Is it mandatory to always work with the "Proxy ARP" table from Gaia Portal or Gaia CLISH, for what is the NAT MANUALS, of a service publication?

I have seen documentation, in which they make reference that we must work with this table, when we need to make publications to the Internet.
Is it strictly obligatory, to work the table?

Is there a way to simply create your manual NAT rules and avoid touching the ARP proxy table?

Thanks for your comments.

0 Kudos
7 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-06-18 04:02 PM

Depends on whether the NAT IPs are in the same subnet as your interface IP or if they are in a different subnet routed directly towards the firewall.

CCSM R77/R80/ELITE
Matlu
Advisor
‎2023-06-19 06:33 AM
In response to Chris_Atkinson

Hello,

I find it difficult to interpret your idea.

For example, my Real IP has the segment 10.7.53.x [An IP of this segment is configured in a Firewall leg].

 

The NAT IP that we have, is an IP that is "invented" that has nothing to do with the segments that are configured in the Firewall.

 

Then, when a publication to the Internet is required, it is "mandatory" to work with the "Proxy ARP"????

Greetings.

0 Kudos
Blason_R
Leader
Leader
‎2023-06-19 06:49 AM
In response to Matlu

As @Chris_Atkinson mentioned if your Natted IP and interface IP falls in a same subnet then you will have to use proxy arp. 

Its simple and understand that if machine responds to other machine from same network it broadcast the ARP to make the discovery. Similaryl if natted IP and firewall interface are from same subnet then you need to add Proxy Arp

 

e.g.

Original Source  IP : 1.2.3.4

Firewall interface IP: 5.6.7.8

natted IP : 5.6.7.9

Translated Destionation ip : 172.16.1.2

Then you will have to add Proxy arp for 5.6.7.9 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Matlu
Advisor
‎2023-06-19 09:07 AM
In response to Blason_R

Hello,

Just so I'm clear on the idea,

Here is an example:

I publish a service to Internet

External IP: 200.49.210.27

The internal IP of the service is: 192.168.214.200

The Firewall has configured in its "eth2 leg" the IP 192.168.214.5

In this "example", I will need to configure the PROXY ARP?

Obs: My ClusterXL has a VIP with the Public IP 200.49.210.30

Cheers. 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-19 09:41 AM
In response to Matlu

Assuming 200.49.210.27 and your external IP are on the same subnet, yes.
The main thing is ensuring the traffic gets to the gateway.

While this wasn't always the case, Proxy ARPs are done are configure automatically for automatic NAT rules.
For manual NAT rules, in circumstances where a proxy arp is required, they must be configured manually. 

0 Kudos
Matlu
Advisor
‎2023-06-19 10:07 AM
In response to PhoneBoy

Hello,

Is it "mandatory" that in all the Manual NAT rules that are worked in the Checkpoint, you need to work the "Proxy ARP", or this is "optional" or for "punctual cases"?

My doubt is because I have a ClusterXL environment, in which I have several NAT Manuals, but I "do not see" that the previous administrator, has worked with the PROXY ARP.

I consult the ARP table by CLI with "cat $FWDIR/conf/local.arp" and well, there is no result.

I just wanted to clarify the theory of the NAT Manuals, in relation to the PROXY ARP, since I have pending to publish a couple of services to Internet.

Greetings.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-06-19 04:18 PM
In response to Matlu

No it's not mandatory as routing in some cases removes the need for proxy-arp as explained above.

Proxy-arp is only needed so other devices on the same subnet can reach that address which isn't the case if the interface address and NAT IP are parts of different network subnets and routing is responsible for forwarding traffic to the gateway.

Focus on what technically proxy-arp is and does and less on the NAT/CP portion to gain a better understanding. 

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events