probably in future releases.
Thanks Dameon for prompt reply.

Thanks a lot Tim, this really helps. 

Here is a screenshot from the Second Edition of my book Max Power that nicely summarizes how to set this up:

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Hi, Timothy. I was presented with this case today and your answer was very helpful! Still, I'm having trouble with the proxy ARP configuration, since I have to do it manually.

I created an address range object and configured the NAT rule accordingly, but I can't seem to add the proper Proxy ARP entry for source NAT, since I'm having trouble recognizing which would be the advertised IP and the real IP.

Could you please elaborate on this? Thanks in advance.

Precisely how the Proxy ARPs are added will depend on whether ClusterXL is in use and some other factors such as hardware platform.  Please check out the fairly lengthy sk30197: Configuring Proxy ARP for Manual NAT for the correct steps to use in your specific environment.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Tim,

Can you remind me if the Proxy ARP is still necessary when we are configuring manual NAT rule for hiding our encryption domain behind the IP/Range provided by the peer?

If the packets for those IPs would only arrive encrypted, proxy ARPs shouldn't be necessary.

As Dameon mentioned any IP addresses being tunneled by IPSec do not need a proxy ARP (even if they are plucked from your ISP-assigned routable range or dirty subnet) as the outside destination IP address on the ESP packet is just the external IP of the firewall for which it will already automatically answer ARP requests.

For NAT the only time proxy ARPs are required is when "plucking" NAT addresses from a subnet that is directly attached to the firewall itself.  In the real world this is most typically the so-called "dirty" subnet sitting between the firewall and the Internet perimeter router.  In most implementations all or at least a chunk of the ISP-assigned routable address space exists on the dirty subnet.  Any addresses plucked from that directly-attached dirty subnet for NAT will need Proxy ARP service provided by the firewall. 

However other portions of ISP-assigned space (whether they be different subnets adjacent or near to the dirty subnet, or a completely different routable subnet assigned by the ISP later when the original one was exhausted) are merely using the dirty subnet as a transit to reach the firewall and do not need Proxy ARPs as a result.  There will be static routes on the Internet perimeter router for these other routable subnets designating the firewall's outside address as the next hop, so there is no need for the Internet perimeter router to ARP for the destination IP addresses in those packets.  Proxy ARP is usually just for the benefit of the Internet perimeter router, regardless of whether your organization owns it or your ISP manages it.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Thank you.

I typically break down the public range and use it's small subnet between gateways/clusters and the ISP router. The other subnets of the public range are forwarded from the router to the external IP of the gateway or cluster for either use in DMZ(s) or NAT. This does remove the need for the Proxy ARP.

Hello,

I'm in the assumption that Proxy ARP is not needed when you translate the source address only. The router will learn the MAC address from the initial packet and everything will work. ( I'm never been in a situation where the return packet exceeded the time-out of the mac table. )

I'm only configuring Proxy ARP when doing a Destination NAT since the first packet will come from a router.

If a customer doesn't like proxy arp, you can always ask your ISP to put host routes to your VIP ip address for your "plucked" IP's.

Just confirming this is still working fine after turning Dynamic NAT off (also after having installed Hotfixes 002 and 050 for CCP issues causing blades and chassis to failover).

Hi Zaw,

All the steps you need to set up a many-to-fewer NAT are contained earlier in this thread, however if you still want to buy the book head to maxpowerfirewalls.com to look at the different PDF and/or hardcopy purchase options.

Just bought the Edition2 of the book and i highly recommend this, specially if you are running R80+, lots if insightful tips covered and best practices

Hi Tim,

Does the NAT space have to be contiguous IP space?  Could a network group be used with non contiguous IP space?

It has to be an IP Range object so by definition the addresses will have to be contiguous, at least in a single NAT Rule.  Trying to use a network object will cause a policy verification error; I'm pretty sure you are not allowed to use a group either.  Only one manual NAT rule can be matched for a particular connection, so unless you break up your internal networks as the source into multiple manual NAT rules I don't see how you could use non-contiguous ranges of addresses.