Harpreet_Singh1
Participant

Proxy ARP on GAIA

Hi community, I've tried to google the topic but didn't find the answer.

The question is: why is it required to add entries to the Proxy ARP on GAIA to make the NAT work? Is there a possibility to enable dynamic ARP so that no configuration is required to make a public IP reachable?

Thanks, Harpreet S.

Accepted Solutions
PhoneBoy
Admin
If you use Automatic NAT rules, the Proxy ARPs will be created for you.
Manual NAT rules still require proxy ARPs to be created.
In R80.x, automatic ARPs for Manual Source NAT rules can be created but this is not enabled by default.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


10 Replies
Harpreet_Singh1
Participant

Thank you. sk114395 answers what I was after.

Why is the feature not enabled by default? For more security?

PhoneBoy
Admin

It's a change from the default behavior which people are accustomed to, thus why it is not the default.

Wolfgang
Leader

Harpreet,

There's another way to add a proxy ARP entry to a gateway without configuring via the GAiA portal.

Add a host object with your external IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds a proxy ARP entry to the gateway.

Wolfgang

Harpreet_Singh1
Participant

We create the specific NAT rules but trying to configure the object will be interesting. Thank you Wolfgang!

Nirvs
Explorer

Hi Wolfgang,

 

How do I validate the proxy ARP has been created successfully after the below steps has been?

Thanks

Nirvs

Maarten_Sjouw
Champion
On the CLI of the gateway type: fw ctl arp
Regards, Maarten
CSR
Contributor

Hi Wolfgang,

Will it work when the Gateway external IP and NATed IP are from a different pool? I have tried to add the Proxy ARP entries as well but am still unable to access the NATed server IP.

Please suggest.

Thanks,

CSR

D_Schimanski
Employee

If they are from a different Pool/Subnet you would need to create a route that points to the firewall. ARP is not enough in this case.

JackPrendergast
Collaborator

No -

You can't ARP for a subnet that isn't attached to the actual interface. How would it route?

What are you trying to do?

0 Kudos
Reply
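The point made in the last two replies (proxy ARP is only enough when the NAT address sits in a subnet attached to a gateway interface; otherwise the upstream router needs a route pointing to the firewall) can be checked before a change. The following Python sketch is an added example, not code from any poster or from Check Point; the interface names and all addresses are constructed sample values.

```python
import ipaddress

# Constructed sample data (hypothetical gateway): interface name -> address/prefix.
GATEWAY_INTERFACES = {
    "eth0": "203.0.113.2/28",  # external side
    "eth1": "10.0.0.1/24",     # internal side
}


def classify_nat_ip(nat_ip, interfaces=GATEWAY_INTERFACES):
    """Decide what makes a NAT address reachable from the neighbouring router.

    Returns (action, interface_name):
      "proxy_arp"   - address is on-link for an attached subnet, so the
                      gateway must answer ARP for it on that interface
      "own_address" - address is the interface's own IP; it already answers ARP
      "unusable"    - network or broadcast address of an attached subnet
      "route"       - address is in no attached subnet; nobody will ARP for it
                      on these segments, so a route to the firewall is required
    """
    ip = ipaddress.ip_address(nat_ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if ip not in net:
            continue
        if ip == iface.ip:
            return ("own_address", name)
        if ip in (net.network_address, net.broadcast_address):
            return ("unusable", name)
        return ("proxy_arp", name)
    return ("route", None)


def plan(nat_ips, interfaces=GATEWAY_INTERFACES):
    """Classify a list of NAT addresses in one pass."""
    return {ip: classify_nat_ip(ip, interfaces) for ip in nat_ips}


if __name__ == "__main__":
    # Constructed NAT addresses: one on the external subnet, one from another pool.
    for ip, (action, iface) in plan(["203.0.113.10", "198.51.100.20"]).items():
        print(f"{ip}: {action}" + (f" on {iface}" if iface else ""))
```

Addresses classified as `proxy_arp` are the ones to look for in the gateway's ARP table after policy install; addresses classified as `route` will not work with a proxy ARP entry alone.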