Did you use manual NAT rules or did you add the NAT IP in the object of the Webserver, if you do the latter, there will be an automatic Proxy ARP entry that will take care of that.

When using Manual NAT you need to make sure to add a Proxy ARP entry in clish:

  add arp proxy ipv4-address 123.123.123.123 macaddress 00:1c:7f:33:22:11 real-ip 123.123.123.122

123.123.123.123 is the NAT address for the Webserver, 00:1c:7f:33:22:11 is the MacAddress for the Internet interface and 123.123.123.122 is the Internet facing IP of the FW, now first push policy.

After the push you can check the availability of the Proxy ARP with:

  fw ctl arp

i used the configuration of the proxy arp above but keep getting the error message "
KERPHY0079 IP already has a MAC address mapping"

I am still stuck with stuck

I used ipv4-address 123.123.123.123 = the public IP mapped to the Webserver given by the isp 155.93.X.X

 macaddress 00:1c:7f:33:22:11 = Mac address of the external checkpoint interface connected to the router

real-ip 123.123.123.122 = the IP address of the external checkpoint interface connected to the router

Please correct me if i am wrong any where.

Are you running a cluster? Did you check that there was not already arp for this IP? 

Use fw ctl arp to check existing proxy arp's and see if you did not already assign the IP to another internal automatic NAT?

If you were previously terminating ISP on a Check Point, then it had the IP in the Public range assigned to its external interface.

Now you have introduced the router and are terminating ISP traffic on it.

Questions that should be answered and the points to be considered are:

1. Is the network between ISP and your router part of you public range?

2. If the answer for [1] "Yes", than what is the network between the router and the external interface of the firewall is defined as?

3. Do you perform 1:1 NAT on the router to get the inbound traffic translated to the external interface's IP range?

4. Do you have a simple Static NAT configured on the Web Server object that translates its actual IP to the IP in the range assigned to the external interface?

5. No manual ARP NAT configuration is required if Static NAT is defined in the properties of the web server.

1)YES. The ISP terminates on the router , so it is public ip address

2) There is a private IP between the Router and external interface of the Firewall

3) the is a NAT inside and NAT outside on the router.

4) I first did manual NAT and added a proxy arp it didnt work, then i did a static NAT on the webserver to translate the actual IP to the Public IP provided by the ISP(155.93.X.X) not the Private IP i assigned to the external firewall interface (192.168.X.X)

5) I removed the manual NAT when i configured the static NAT

From what you have asked so far, will you suggest i use a public IP between the external firewall interface and the router? Also should i rather map the webserver static NAT to the external interface of the firewall (which is currently a private IP)??

On the gateway, You can Statically NAT the private IP of the Web Server to one of the Private IPs in the range between firewall and the router.

You then configure static NAT on the router between that IP and one of the Public IPs.

There should be a route for that IP or the entire subnet on the router pointing to the external IP of the firewall as its next hop.

Your topology on the firewall should be configured to define its external interface.

Thus, inbound traffic will be NATed and forwarded to the Web Server and outbound traffic will be properly routed on its way back.