AlexandruD
Contributor

proxy ARP for Office Mode allocated IP addresses

Hello,

I've replaced a Cisco ASA firewall for a customer with a 1570 cluster (ClusterXL, R80.20.50). The IP pool of addresses allocated to the VPN clients is 10.16.100.0/24, while the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. The issue I've noticed is that the security gateway does not answer ARP requests within the LAN network for IP addresses it allocates to connected VPN clients (Check Point Mobile E86.70). Has anyone managed to have a similar setup working?

Thank you,

Alexandru

Accepted Solution
Chris_Atkinson
Employee

How is the /16 used in the LAN: directly on the interface, or routed onward?

Proxy-ARP is usually for individual hide-NAT IPs rather than a whole subnet; maybe a non-overlapping subnet would serve your purposes better here.

CCSM R77/R80/ELITE


9 Replies
AlexandruD
Contributor

I mentioned that the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. Changing to a non-overlapping pool for VPN clients might affect anything in the current setup (such as IP address based access control of VPN clients within the LAN).

_Val_
Admin

I do not see any other option, I am afraid. Either you configure a non-overlapping pool, or you set up network routes pointing to the FW interface for the IP Pool subnet.

AlexandruD
Contributor

We ended up setting the VPN clients pool as a non-overlapping prefix.

_Val_
Admin

Firstly, an admin note. Moved your post to the correct space.

Secondly, why would you need ARP proxy for IP Pool addresses? You need to route them back to your VPN GW in the internal network.

In your specific case it is best to use a different network instead of a subset of the existing one.

AlexandruD
Contributor

The security gateway needs to respond to ARP requests for IP addresses it allocates to connected VPN clients (call it proxy ARP or otherwise), because these addresses are part of the LAN prefix of the gateway, and therefore, of the network prefix of any host connected to the LAN network. So the LAN hosts cannot send packets to the connected VPN client unless the security gateway responds to ARP requests with its own LAN interface MAC address. I hope this clarifies it.

It is better to keep such an addressing scheme since any change might affect established ways of achieving connectivity (such as access control based on source IP addresses allocated to VPN clients).

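The on-link rule described in the post above is what decides between the two remedies the thread discusses. The following is an added example, not code from the thread or from Check Point; the prefixes are the ones posted, while the LAN host address, the VPN client addresses and the separate pool are constructed.

```python
import ipaddress

# Prefixes from the thread; the LAN host, client and separate pool are constructed.
LAN_PREFIX = "10.16.0.0/16"          # LAN1 on the 1570 cluster
OVERLAPPING_POOL = "10.16.100.0/24"  # original Office Mode pool, inside the LAN prefix
SEPARATE_POOL = "10.200.100.0/24"    # constructed non-overlapping pool


def next_hop_decision(src_host_cidr: str, dst_ip: str) -> str:
    """How a LAN host reaches dst_ip: 'arp' when dst_ip is inside the host's own
    prefix (on-link, so the host broadcasts an ARP request and someone must
    answer it), otherwise 'gateway' (the frame goes to the default gateway's MAC)."""
    host = ipaddress.ip_interface(src_host_cidr)
    dst = ipaddress.ip_address(dst_ip)
    return "arp" if dst in host.network else "gateway"


def pool_requirements(lan_prefix: str, vpn_pool: str) -> dict:
    """Summarise what has to be in place for LAN hosts to reach Office Mode
    clients, depending on whether the pool overlaps the LAN prefix."""
    lan = ipaddress.ip_network(lan_prefix)
    pool = ipaddress.ip_network(vpn_pool)
    if lan.overlaps(pool):
        # Every LAN host treats pool addresses as on-link and ARPs for them, so
        # the VPN gateway would have to answer ARP for each allocated address.
        return {
            "overlaps": True,
            "lan_host_action": "arp",
            "gateway_must": "answer ARP (proxy ARP) for every allocated pool address",
            "proxy_arp_entries": sum(1 for _ in pool.hosts()),
            "routes_needed": 0,
        }
    # Hosts hand the packet to their default gateway; only a route for the pool
    # towards the VPN gateway's LAN address is needed (none if the VPN gateway
    # already is the LAN's default gateway).
    return {
        "overlaps": False,
        "lan_host_action": "gateway",
        "gateway_must": "nothing beyond being reachable on the LAN",
        "proxy_arp_entries": 0,
        "routes_needed": 1,
    }


if __name__ == "__main__":
    for pool in (OVERLAPPING_POOL, SEPARATE_POOL):
        print(pool, pool_requirements(LAN_PREFIX, pool))
    # A constructed host at 10.16.5.10/16 reaching a client in each pool:
    print(next_hop_decision("10.16.5.10/16", "10.16.100.7"))   # arp
    print(next_hop_decision("10.16.5.10/16", "10.200.100.7"))  # gateway
```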
_Val_
Admin

The issue should be raised during the design phase.

As I mentioned in another comment, I do not see many alternatives here. We usually do proxy ARP for NAT, on an external interface only. In your case, it is something else entirely.

PointOfChecking
Collaborator

Where do I configure proxy ARP on the Quantum Spark 1800?

In the 3600 we do it in the local.arp file or via the portal under network management > ARP > Proxy ARP.

I can't find it on the Quantum Spark.


Thanks!
