This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AlexandruD
Contributor
‎2022-11-22 05:27 AM
Jump to solution

proxy ARP for Office Mode allocated IP addresses

Hello,

I've replaced a Cisco ASA firewall for a customer with an 1570 cluster (Cluster XL, R80.20.50). The IP pool of addresses allocated to the VPN clients is 10.16.100.0/24, while the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. The issue I've noticed is that the security gateway does not answer to ARP requests within the LAN network for IP addresses it allocates to connected VPN clients (Check Point Mobile E86.70) . Has anyone managed to have a similar setup working?

Thank you,

Alexandru

1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2022-11-22 06:30 AM
Jump to solution

How is the /16 used in the LAN directly on the interface or routed onward?

Proxy-ARP is usually for individual hide-NAT IPs rather than a whole subnet, maybe a non overlapping subnet would serve your purposes better here.

CCSM R77/R80/ELITE

View solution in original post

9 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-11-22 06:30 AM
Jump to solution

How is the /16 used in the LAN directly on the interface or routed onward?

Proxy-ARP is usually for individual hide-NAT IPs rather than a whole subnet, maybe a non overlapping subnet would serve your purposes better here.

CCSM R77/R80/ELITE
AlexandruD
Contributor
‎2022-11-22 06:37 AM
In response to Chris_Atkinson
Jump to solution

I mentioned that, the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. Changing to a non overlapping pool for VPN clients might affect anything in the current setup (such as IP address based access control of VPN clients within the LAN).

0 Kudos
_Val_
Admin
Admin
‎2022-11-22 07:27 AM
In response to AlexandruD
Jump to solution

I do not see any other option, I am afraid. Either you configure a non-overlapping pool, or you set up network routes pointing to the FW interface for IP Pool subnet. 

0 Kudos
AlexandruD
Contributor
‎2023-06-07 05:40 AM
In response to Chris_Atkinson
Jump to solution

We ended up in setting the VPN clients pool as a non-overlapping prefix.

0 Kudos
_Val_
Admin
Admin
‎2022-11-22 06:53 AM
Jump to solution

Firstly, an admin note. Moved your post to the correct space.

Secondly, why would you need ARP proxy for Ip Pool addresses? You need to route them back to your VPN GW in the internal network. 

In your specific case it is the best to use a different network instead of a subset of the existing one.

0 Kudos
AlexandruD
Contributor
‎2022-11-22 07:01 AM
In response to _Val_
Jump to solution

The security gateway needs to respond to ARP requests for IP addresses it allocates to connected VPN clients (call it proxy ARP or otherwise), because these addresses are part of the LAN prefix of the gateway, and therefore, of the network prefix of any host connected to the LAN network. So the LAN hosts cannot send packets to the connected VPN client unless the security gateway responds to ARP requests with its own LAN interface MAC address. I hope this clarifies it.

It is better to keep such an addressing scheme since any change might affect established ways of achieveing connectivity (such as access control based on source IP addesses allocated to VPN clients).

0 Kudos
_Val_
Admin
Admin
‎2022-11-22 07:35 AM
In response to AlexandruD
Jump to solution

The issue should be raised during the design phase. 

As I mentioned in another comment, I do not see many alternatives here. We usually do proxy ARP for NAT, on an external interface only. In your case, it is something else entirely.


0 Kudos
PointOfChecking
Collaborator
‎2023-02-02 08:34 AM
In response to _Val_
Jump to solution

where do I configure proxy arp on the quantum spark 1800?

In the 3600 we do it in the local.arp file or via the portal under network management > ARP > Proxy ARP.

I can't find it on the quantum spark.

 

Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events