Ugur_Urel
Explorer

Allow ping for proxy arp ip address

Hi all,

Our firewall has several public IP addresses on the external interface using proxy ARP. Let's assume these public addresses are from the 192.168.1.0 network.

The following IP addresses are assigned to interfaces directly:

  • 192.168.1.1 (node1)
  • 192.168.1.2 (node2)
  • 192.168.1.3 (cluster ip)

192.168.1.4 and 192.168.1.5 are assigned using proxy ARP.

I would like to allow pinging the IP address 192.168.1.4 from the internet. I have defined a rule for 192.168.1.4 with ICMP echo-request; I can see in the logs that the traffic is accepted, but I cannot ping it from the internet. Also, if I add 192.168.1.3 (cluster IP) to this rule, I can ping 192.168.1.3 from the internet.

How can I allow this traffic? By the way, the "Merge manual proxy ARP configuration" option in the global properties is checked.

0 Kudos
6 Replies
Chris_Atkinson
Employee

You've not mentioned the NAT configuration; presumably there is a live machine behind the proxy-ARP address?

CCSM R77/R80/ELITE
0 Kudos
Ugur_Urel
Explorer

Hi,

No, 192.168.1.4 is a host object on the firewall and it is used in several NAT rules for port forwarding.

0 Kudos
the_rock
Legend

Can you send a screenshot of what the NAT rule looks like?

0 Kudos
Chris_Atkinson
Employee

Is the ICMP service covered in the scope of your NAT rules?

CCSM R77/R80/ELITE
RS_Daniel
Advisor

Hello,

To get ping working you must have a live machine behind the IP 192.168.1.4, as Chris mentioned. You mentioned you have many manual NATs for this IP, so you must also create a manual NAT for ICMP. The problem is that ICMP services cannot be used in a NAT rule; you must use the option "Any" to NAT ICMP traffic. It should not be a problem, just place this NAT rule with "Any" after all your current manual NAT rules with specific objects. The translated destination could be the internal IP address of the cluster, in order to make the firewall answer the ICMP requests, or any other internal IP address you want.

Regards
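The ordering advice in the reply above (specific port-forwarding NAT rules first, then a catch-all "Any"-service rule for the same proxy-ARP address) is easy to get wrong, because NAT lookup is first-match and a catch-all placed too early shadows every rule after it. The following is an added example, not code from the original thread or from Check Point: a simplified first-match NAT model that shows why an ICMP echo to 192.168.1.4 is not translated when only the port-forwarding rules exist, why the catch-all fixes it, and what breaks when the catch-all is placed first. The internal addresses (10.0.0.10, 10.0.0.20, 10.0.0.1), the rule names and the test packets are constructed for illustration.

```python
"""Simplified first-match NAT rulebase model (added example, not Check Point code).

Assumptions: rules are evaluated top-down and the first rule whose original
destination and original service match the packet wins; a packet that matches
no rule is not translated at all.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"   # matches every protocol/port, the only way to cover ICMP per the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_dst: str
    orig_service: str           # "tcp/443", "udp/53", "icmp" or ANY
    xlate_dst: str

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.orig_dst:
            return False
        if self.orig_service == ANY:
            return True
        proto, _, port = self.orig_service.partition("/")
        if proto != pkt.proto:
            return False
        return not port or int(port) == pkt.dport


def translate(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (name of the winning rule, translated destination).

    First match wins. With no match the destination is left untouched,
    which for a proxy-ARP-only address means nobody ever answers.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.xlate_dst
    return None, pkt.dst


def find_shadowed(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never fire because an earlier Any-service rule
    on the same original destination swallows all traffic first."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.orig_dst == rule.orig_dst and earlier.orig_service == ANY:
                shadowed.append(rule.name)
                break
    return shadowed


# Constructed rulebases for the thread's proxy-ARP address 192.168.1.4.
PROXY_ARP_IP = "192.168.1.4"
CLUSTER_INTERNAL = "10.0.0.1"   # assumed internal cluster address
SPECIFIC = [
    NatRule("web-443", PROXY_ARP_IP, "tcp/443", "10.0.0.10"),   # assumed web server
    NatRule("smtp-25", PROXY_ARP_IP, "tcp/25", "10.0.0.20"),    # assumed mail server
]
CATCHALL = NatRule("icmp-catchall", PROXY_ARP_IP, ANY, CLUSTER_INTERNAL)

ORIGINAL_RULEBASE = list(SPECIFIC)              # as in the question: ping dies
FIXED_RULEBASE = SPECIFIC + [CATCHALL]          # the reply's recommendation
WRONG_ORDER = [CATCHALL] + SPECIFIC             # catch-all first: port forwards shadowed

ECHO = Packet("203.0.113.5", PROXY_ARP_IP, "icmp")
HTTPS = Packet("203.0.113.5", PROXY_ARP_IP, "tcp", 443)

if __name__ == "__main__":
    for label, rb in (("original", ORIGINAL_RULEBASE),
                      ("fixed", FIXED_RULEBASE),
                      ("wrong order", WRONG_ORDER)):
        print(f"{label:12s} echo  -> {translate(rb, ECHO)}")
        print(f"{label:12s} https -> {translate(rb, HTTPS)}")
        print(f"{label:12s} shadowed: {find_shadowed(rb)}")
```

Running the model shows the echo request falling through with no translation in the original rulebase, being sent to the cluster's internal address once the catch-all exists at the bottom, and the HTTPS port forward being silently hijacked by the catch-all when it is placed on top; the `find_shadowed` check is the kind of sanity test worth running on a real rulebase after adding any "Any"-service NAT rule.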

Ugur_Urel
Explorer

Hello RS_Daniel,


Thank you very much for your detailed explanation. As you mentioned, I tried to use an ICMP service in the NAT rule but couldn't install it because of a verification problem, so I thought we could not NAT ICMP traffic. I tried your method and it is working now.

Thanks a lot to everyone for their help.

Have a great day!

0 Kudos
