Hello
We have for some time now been trying to get our Checkpoint Firewall to 1 to 1 NAT our VOIP phones.
What we just found out was that if we configure a 1 to 1 NAT rule like a /23 subnet to /23 subnet, the firewall does not Proxy ARP the NAT subnet in case.
A NAT rule with a /32 to /32 mask on it then will not work either.
However, if we configure a 1 to 1 NAT rule with host objects, like 1 host to 1 other host, the Proxy ARP works just fine.
This SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... seems not applicable on R80.20 since the variable of: $CP_AUTO_ARP_FOR_MANUAL_NAT_RULES is already "1"
Is this a bug or what?
//Johan
Then how would it work when it is described here in this guide: CP_R80.20_VoIP_AdminGuide.pdf, if Proxy ARP in larger networks is not possible in a Checkpoint Firewall?
/Johan
Johan,
As Maarten_Sjouw mentioned, you don't need an interface on your gateway for this type of NAT.
You have to configure your (or your provider's) upstream routers to route the external /23 subnet to your gateway.
And your NAT rule is simple, with the internal /23 as original source and the external /23 subnet as translated source.
If the packets are routed through your gateway, NAT can be done on these packets.
Wolfgang
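
The reasoning behind the reply above, as an added example that is not part of the thread and is not Check Point code: a subnet-to-subnet static NAT keeps each host's offset, and proxy ARP only matters when the translated range overlaps a network directly connected to the gateway, because only then does the upstream router ARP for those addresses instead of forwarding them to a next hop. All addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
INTERNAL = "10.20.0.0/23"      # original source (VoIP phones)
EXTERNAL = "172.16.40.0/23"    # translated source

def translate(addr, internal_net, external_net):
    """Static subnet-to-subnet NAT: keep the host offset, swap the network."""
    src = ipaddress.ip_network(internal_net)
    dst = ipaddress.ip_network(external_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1-to-1 subnet NAT needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {internal_net}")
    offset = int(ip) - int(src.network_address)
    return str(dst.network_address + offset)

def needs_proxy_arp(external_net, gateway_connected_nets):
    """True when the translated range overlaps a network that is directly
    connected to the gateway. Neighbours on that segment will ARP for the
    translated addresses, so something must answer for them. If the range
    is routed to the gateway instead, no ARP for it ever happens."""
    ext = ipaddress.ip_network(external_net)
    return any(ext.overlaps(ipaddress.ip_network(n))
               for n in gateway_connected_nets)

if __name__ == "__main__":
    print(translate("10.20.1.37", INTERNAL, EXTERNAL))
    # Routed design: gateway sits on a small transit net, upstream routes
    # EXTERNAL to the gateway's transit address.
    print("routed :", needs_proxy_arp(EXTERNAL, ["192.0.2.0/29"]))
    # On-link design: EXTERNAL is carved out of the gateway's own segment.
    print("on-link:", needs_proxy_arp(EXTERNAL, ["172.16.40.0/22"]))
```
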