a3498881-aa5d-4
Participant

Proxy Arp Question

Hello CP community,

I have a question about when to use proxy arp. I have a cluster setup with manual nat. Traffic from a specific external IP that resides on the same external subnet going to the cluster's eth1.101 external VIP will get natted to an internal host on the cluster's eth0.100 VLAN. Vice-versa, the host replying to this traffic will have its internal eth0.100 VLAN addresses natted to the cluster's external eth1.101 VIP.

Is there a requirement for proxy arp or is the latter only used if it is an IP that is not defined on any cluster member interface or the clusterXL's VIP?

MANUAL NAT RULES:

Original Src                 | Original Dst    | Original Srv | Translated Src  | Translated Dst               | Translated Srv
1.1.1.1                      | 1.1.1.254 (VIP) | any          | Original        | 192.168.1.10 (internal host) | Original
192.168.1.10 (internal host) | 1.1.1.1         | any          | 1.1.1.254 (VIP) | 1.1.1.1                      | Original


Thanks in advance.

PhoneBoy
Admin

I don't think you can do this sort of NAT for the VIP as the VIP is already subject to NAT (specifically to the active cluster member).
You might be able to do it for a specific service, though that may not work either. 
In which case you wouldn't need a proxy arp.
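As an added example (not code from this thread or from Check Point), here is a small Python check of the criterion discussed above: a NAT address only needs a proxy ARP entry when it sits on a directly connected subnet and is not already configured on a cluster member interface or as the cluster VIP. The member addresses, subnet masks and the spare external address 1.1.1.200 are assumptions built around the thread's example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    orig_src: str
    orig_dst: str
    xlate_src: str  # "Original" means the address is left untouched
    xlate_dst: str

# Connected networks and addresses the cluster already owns (member interface
# IPs plus the VIP per VLAN interface). Member IPs and masks are assumptions
# built around the thread's eth1.101 / eth0.100 example.
CLUSTER = {
    "eth1.101": ("1.1.1.0/24", ["1.1.1.252", "1.1.1.253"], "1.1.1.254"),
    "eth0.100": ("192.168.1.0/24", ["192.168.1.252", "192.168.1.253"], "192.168.1.254"),
}

def gateway_facing_addresses(rule):
    """Addresses the gateway must receive frames for under this rule: a
    destination it rewrites (inbound NAT) and a source it rewrites to
    (outbound NAT). The real translated destination answers its own ARP."""
    addrs = []
    if rule.xlate_dst not in ("Original", rule.orig_dst):
        addrs.append(rule.orig_dst)
    if rule.xlate_src != "Original":
        addrs.append(rule.xlate_src)
    return addrs

def proxy_arp_needed(rules, cluster=CLUSTER):
    """Sorted addresses that need a proxy ARP entry: on a connected subnet,
    so neighbours ARP for them, but configured on no member interface or VIP."""
    owned, nets = set(), []
    for network, members, vip in cluster.values():
        nets.append(ipaddress.ip_network(network))
        owned.update(ipaddress.ip_address(a) for a in members + [vip])
    needed = set()
    for rule in rules:
        for addr in gateway_facing_addresses(rule):
            ip = ipaddress.ip_address(addr)
            if ip not in owned and any(ip in net for net in nets):
                needed.add(str(ip))
    return sorted(needed)

# The thread's two manual rules: both use the VIP, which the cluster owns.
THREAD_RULES = [
    NatRule("1.1.1.1", "1.1.1.254", "Original", "192.168.1.10"),
    NatRule("192.168.1.10", "1.1.1.1", "1.1.1.254", "1.1.1.1"),
]
# Constructed variant: the same host NATed behind a spare external address.
SPARE_IP_RULES = THREAD_RULES + [NatRule("1.1.1.1", "1.1.1.200", "Original", "192.168.1.10")]
```

With the thread's rules the result is empty, because the VIP is already owned by the cluster; the constructed spare address is the one case that would need a proxy ARP entry.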

a3498881-aa5d-4
Participant

Thanks Phoneboy.

I called Check Point this morning about this and they do not believe it to be an issue. They pointed me to: Proxy Issue with NAT

They mentioned the SK references it was fixed in R80.10+, but I am concerned based on your response. Any further input would be greatly appreciated.

PhoneBoy
Admin

So...maybe this isn't an issue based on: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
However, in this case, they are mentioning use of a specific service, which I'm pretty confident will work.
What is the precise use case for using service "any" in this case?

a3498881-aa5d-4
Participant

No specific use case for "any". I just wanted to permit both ICMP and Modbus with a minimal amount of NAT rules. Access to/from would be limited via the policy restricting communication specifically from the source/destination/services. I am also seeing whether I can get another external IP for automatic NAT for the internal host which seems like the right approach based on the limited documentation available. Once implemented, it will be very difficult for us to change due to the criticality of the traffic and limited maintenance windows.

PhoneBoy
Admin

For ICMP to work, I believe any is required.
I would work to get a different external IP.

a3498881-aa5d-4
Participant

Thanks again for the input. I will proceed with getting an additional external IP. One last question if you don't mind. If I am setting up an automatic NAT done through the host object for external communications, do I require a manual no-nat rule for traffic between the host and other internal networks?
