This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ugur_Urel
Explorer
‎2022-09-07 03:11 AM

Allow ping for proxy arp ip address

Hi all,

Our firewall has several public ip addresses on external interface using proxy arp. Lets assume these public addresses are from 192.168.1.0 network.

Following ip addresses are assigned to interfaces directly;

  • 192.168.1.1 (node1)
  • 192.168.1.2 (node2)
  • 192.168.1.3 (cluster ip)

192.168.1.4 and 192.168.1.5 assigned using proxy arp.

I would like to allow ping the ip address 192.168.1.4 from internet. I have defined a rule for 192.168.1.4 with icmp echo-request, I can see in the logs that traffic accepted but I can not ping from internet. Also if I add 192.168.1.3(cluster ip) to this rule, I can ping 192.168.1.3 from internet. 

How can I allow this traffic? By the way "Merge manual proxy arp configuration" option in the global properties is checked.

0 Kudos
6 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-09-07 03:23 AM

You've not mentioned the NAT configuration, presumably there is an alive machine behind the proxy-arp address?

CCSM R77/R80/ELITE
0 Kudos
Ugur_Urel
Explorer
‎2022-09-07 03:32 AM
In response to Chris_Atkinson

Hi,

No, 192.168.1.4 is a host object on firewall and it is used in several nat rules for port forwarding.

0 Kudos
the_rock
Legend
Legend
‎2022-09-07 06:38 AM
In response to Ugur_Urel

Can you send screenshot of what nat rule looks like?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-09-07 06:54 AM
In response to Ugur_Urel

Is the ICMP service covered in the scope of your NAT rules?

CCSM R77/R80/ELITE
RS_Daniel
Advisor
‎2022-09-07 09:27 AM

Hello,

To get ping working you must have an alive machine behind the IP 192.168.1.4 as Chris mentioned. You mentioned you have many manual NATs for this IP, so you must also create a Manual NAT for icmp also, the problem is that icmp services can not be used on a NAT rule, you must use option "Any" to NAT icmp traffic, it should not be a problem, just place this NAT rule with option ANY after all your current manual NAT rules with specific objects. The translated dest could be the internal IP address of the cluster in order to make the firewall answer the icmp requests, or any other internal IP address you want.

Regards

Ugur_Urel
Explorer
‎2022-09-08 12:22 AM
In response to RS_Daniel

Hello RS_Daniel,

 

Thank you very much for your detailed explanation. As you have mentioned, I tried to use icmp rule in the nat rule but couldn't install because of verification problem so I thought we can not nat icmp traffic. I tried your method and it is working now.

Thanks a lot to everyone for their help.

Have a great day!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events