Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Walt_van_Staden
Explorer

Static NAT to DMZ Web Server on R80.10 Cluster (HA)

Hi,

I've been having trouble wrapping my head around something. The scenario is as follows:

ISP Router with multiple available public IP's --> CheckPoint 3000 Appliance Cluster --> Web server in DMZ

Now, I want to NAT https traffic from 10.10.10.10(one of the public IP's) to the web server (192.168.1.5) in the DMZ.  Should I create a proxy arp entry for this to work, and if I should, how exactly should it be done? I have created the Web Server object with a static NAT to the IP I want it to listen on and applied it to a firewall policy to permit https traffic from All_Internet to my server object. 

If someone can provide guidance on this, I would appreciate it. It has proven to be a bit more difficult than it seems.. Smiley Happy

Thanks in advance

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend

You didn't make clear whether you set up the static NAT via the automatic technique (going to NAT tab of the object itself) or using a manual NAT rule by directly adding it to the NAT rule base.

If you configured it using the automatic method, all you need to do is place that object in the destination of a firewall rule permitting access into it and install policy.  The firewall will automatically proxy ARP for the NAT address as needed (this assumes that the "Automatic ARP configuration" checkbox is set in the NAT global properties), you can verify this with the "fw ctl arp" command.  If you see your NAT address listed there, the active member of a ClusterXL cluster will automatically proxy ARP for it.

If you used the manual rule setup on an R77.30 or earlier gateway, you will have to add a static *proxy* ARP (NOT just a static ARP - big difference) to both cluster members via the Gaia web interface, and make sure that the "merge manual proxy ARP configuration" checkbox is selected (it is not enabled by default) in the global NAT properties of SmartDashboard.

If you configured the manual rule NAT on R80.10 gateway you can do the same static proxy ARP procedure, or you can follow the steps in this SK to enable automatic proxy ARPing for NAT addresses used in manual NAT rules:

sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10

This is a brand new feature for R80.10 but is disabled by default.  I have seen it in action and it works well.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Astardzhiev
Contributor

Tim,

Thank you for the info about automatic proxy arp for manual nat... I wasn't aware of this, definately will try it.

However I was wondering you do you know how it will work with HA cloning-group? Do you need to disable ARP again under cloning-group configuration?

0 Kudos
Astardzhiev
Contributor

You mentioned that this is HA deployment, if so and if you are using ClusterXL Cloning-Group you must remember to disable ARP in cloning-group. If ARP is enabled under cloning-group you are not able to configure proxy arp per member, which is a must if you are using Manual NAT.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events