Proxy ARP on R80.20
Hello
We have for some time now been trying to get our Check Point firewall to 1-to-1 NAT our VoIP phones.
What we just found out was that if we configure a 1-to-1 NAT rule like a /23 subnet to /23 subnet, the firewall does not Proxy ARP the NAT subnet in that case.
A NAT rule with a /32 to /32 mask on it then will not work either.
However, if we configure a 1-to-1 NAT rule with host objects, like 1 host to 1 other host, the Proxy ARP works just fine.
This SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... seems not applicable on R80.20 since the variable $CP_AUTO_ARP_FOR_MANUAL_NAT_RULES is already "1".
Is this a bug or what?
//Johan
Proxy ARP should only be needed and used when you have a smaller number of IPs that are on the external side of your gateway and you still want to use those addresses to forward traffic to some DMZ servers.
Then how would it work when it is described here in this guide: CP_R80.20_VoIP_AdminGuide.pdf, if Proxy ARP in larger networks is not possible in a Check Point firewall?
/Johan
Johan,
As Maarten_Sjouw mentioned, you don't need an interface on your gateway for this type of NAT.
You have to configure your (or your provider's) upstream routers to route the external /23 subnet to your gateway.
And your NAT rule is simple, with the internal /23 as original source and the external /23 subnet as translated source.
If the packets are routed through your gateway, NAT can be done with these packets.
Wolfgang