Solved: Re: proxy ARP for Office Mode allocated IP address...

AlexandruD · ‎2022-11-22

Hello,

I've replaced a Cisco ASA firewall for a customer with an 1570 cluster (Cluster XL, R80.20.50). The IP pool of addresses allocated to the VPN clients is 10.16.100.0/24, while the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. The issue I've noticed is that the security gateway does not answer to ARP requests within the LAN network for IP addresses it allocates to connected VPN clients (Check Point Mobile E86.70) . Has anyone managed to have a similar setup working?

Thank you,

Alexandru

Chris_Atkinson · ‎2022-11-22

How is the /16 used in the LAN directly on the interface or routed onward?

Proxy-ARP is usually for individual hide-NAT IPs rather than a whole subnet, maybe a non overlapping subnet would serve your purposes better here.

CCSM R77/R80/ELITE

View solution in original post

Chris_Atkinson · ‎2022-11-22

How is the /16 used in the LAN directly on the interface or routed onward?

Proxy-ARP is usually for individual hide-NAT IPs rather than a whole subnet, maybe a non overlapping subnet would serve your purposes better here.

CCSM R77/R80/ELITE

AlexandruD · ‎2022-11-22

I mentioned that, the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. Changing to a non overlapping pool for VPN clients might affect anything in the current setup (such as IP address based access control of VPN clients within the LAN).

_Val_ · ‎2022-11-22

I do not see any other option, I am afraid. Either you configure a non-overlapping pool, or you set up network routes pointing to the FW interface for IP Pool subnet.

AlexandruD · ‎2023-06-07

We ended up in setting the VPN clients pool as a non-overlapping prefix.

_Val_ · ‎2022-11-22

Firstly, an admin note. Moved your post to the correct space.

Secondly, why would you need ARP proxy for Ip Pool addresses? You need to route them back to your VPN GW in the internal network.

In your specific case it is the best to use a different network instead of a subset of the existing one.

AlexandruD · ‎2022-11-22

The security gateway needs to respond to ARP requests for IP addresses it allocates to connected VPN clients (call it proxy ARP or otherwise), because these addresses are part of the LAN prefix of the gateway, and therefore, of the network prefix of any host connected to the LAN network. So the LAN hosts cannot send packets to the connected VPN client unless the security gateway responds to ARP requests with its own LAN interface MAC address. I hope this clarifies it.

It is better to keep such an addressing scheme since any change might affect established ways of achieveing connectivity (such as access control based on source IP addesses allocated to VPN clients).

_Val_ · ‎2022-11-22

The issue should be raised during the design phase.

As I mentioned in another comment, I do not see many alternatives here. We usually do proxy ARP for NAT, on an external interface only. In your case, it is something else entirely.

PointOfChecking · ‎2023-02-02

where do I configure proxy arp on the quantum spark 1800?

In the 3600 we do it in the local.arp file or via the portal under network management > ARP > Proxy ARP.

I can't find it on the quantum spark.

Thanks!

Wolfgang · ‎2023-02-02

@PointOfChecking look here Configuring Proxy ARP for Manual Static NAT on SMB appliances

Are you a member of CheckMates?

proxy ARP for Office Mode allocated IP addresses