AlexandruD
Explorer

proxy ARP for Office Mode allocated IP addresses

Hello,

I've replaced a Cisco ASA firewall for a customer with an 1570 cluster (Cluster XL, R80.20.50). The IP pool of addresses allocated to the VPN clients is 10.16.100.0/24, while the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. The issue I've noticed is that the security gateway does not answer ARP requests within the LAN network for IP addresses it allocates to connected VPN clients (Check Point Mobile E86.70). Has anyone managed to have a similar setup working?

Thank you,

Alexandru

0 Kudos
6 Replies
Chris_Atkinson
Employee

How is the /16 used in the LAN directly on the interface or routed onward?

Proxy-ARP is usually for individual hide-NAT IPs rather than a whole subnet; maybe a non-overlapping subnet would serve your purposes better here.

0 Kudos
AlexandruD
Explorer

I mentioned that: the LAN interface (LAN1) has the 10.16.0.0/16 prefix configured. Changing to a non-overlapping pool for VPN clients might affect anything in the current setup (such as IP address based access control of VPN clients within the LAN).

0 Kudos
_Val_
Admin

I do not see any other option, I am afraid. Either you configure a non-overlapping pool, or you set up network routes pointing to the FW interface for the IP Pool subnet.

0 Kudos
_Val_
Admin

Firstly, an admin note. Moved your post to the correct space.

Secondly, why would you need ARP proxy for IP Pool addresses? You need to route them back to your VPN GW in the internal network.

In your specific case it is best to use a different network instead of a subset of the existing one.

0 Kudos
AlexandruD
Explorer

The security gateway needs to respond to ARP requests for IP addresses it allocates to connected VPN clients (call it proxy ARP or otherwise), because these addresses are part of the LAN prefix of the gateway, and therefore, of the network prefix of any host connected to the LAN network. So the LAN hosts cannot send packets to the connected VPN client unless the security gateway responds to ARP requests with its own LAN interface MAC address. I hope this clarifies it.

It is better to keep such an addressing scheme since any change might affect established ways of achieving connectivity (such as access control based on source IP addresses allocated to VPN clients).

0 Kudos
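The mechanism described in the post above can be modelled in a few lines. The following is an added example, not code from the original thread or from Check Point: it models a LAN host's forwarding decision (on-link means the host ARPs for the destination itself), classifies a candidate Office Mode pool as "proxy-ARP needed" when it sits inside the LAN prefix versus "route needed" when it does not, and shows the proxy-ARP responder logic the gateway would have to implement, answering only for addresses currently leased to connected clients. The prefixes are the ones from the thread; the MAC addresses, the gateway address 10.16.0.1 and the leased-address set are constructed placeholders.

```python
import ipaddress
import struct

# Topology from the thread; the gateway LAN IP and MAC are constructed placeholders.
LAN_PREFIX = ipaddress.ip_network("10.16.0.0/16")
OFFICE_MODE_POOL = ipaddress.ip_network("10.16.100.0/24")
GATEWAY_LAN_IP = "10.16.0.1"
GATEWAY_LAN_MAC = bytes.fromhex("020000000001")  # constructed, locally administered

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def next_hop_decision(host_interface: str, dst: str) -> str:
    """How a LAN host configured with host_interface (e.g. '10.16.0.50/16') reaches dst:
    on-link destinations are ARPed for directly, anything else goes to the default gateway."""
    net = ipaddress.ip_interface(host_interface).network
    on_link = ipaddress.ip_address(dst) in net
    return "arp-for-destination" if on_link else "send-to-default-gateway"


def pool_placement(lan_prefix, pool) -> str:
    """Overlapping pool: LAN hosts ARP for client IPs, so the gateway must proxy-ARP.
    Disjoint pool: LAN hosts send to their gateway, so a route for the pool suffices."""
    return "proxy-arp-needed" if pool.subnet_of(lan_prefix) else "route-needed"


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP request (broadcast)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + sender_mac + ipaddress.ip_address(sender_ip).packed
           + b"\x00" * 6 + ipaddress.ip_address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Parse a 42-byte Ethernet+ARP frame; reject anything that is not IPv4/Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "oper": oper,
        "sha": frame[22:28], "spa": ipaddress.ip_address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.ip_address(frame[38:42]),
    }


def proxy_arp_should_reply(req: dict, pool, gateway_ip: str, leased_ips) -> bool:
    """Gateway-side decision: answer for its own LAN address, or on behalf of a pool
    address that is currently leased to a connected VPN client. Never answer probes
    or gratuitous ARP (sender IP == target IP), and never answer for unleased pool space."""
    if req["oper"] != ARP_REQUEST or req["spa"] == req["tpa"]:
        return False
    if req["tpa"] == ipaddress.ip_address(gateway_ip):
        return True
    leased = {ipaddress.ip_address(a) for a in leased_ips}
    return req["tpa"] in pool and req["tpa"] in leased


def build_arp_reply(req: dict, our_mac: bytes) -> bytes:
    """Unicast ARP reply claiming the requested IP with our_mac (what proxy ARP does)."""
    eth = req["sha"] + our_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + our_mac + req["tpa"].packed + req["sha"] + req["spa"].packed)
    return eth + arp


if __name__ == "__main__":
    # Constructed scenario: LAN host 10.16.0.50 wants to reach VPN client 10.16.100.5.
    host_mac = bytes.fromhex("0200000000aa")
    print(next_hop_decision("10.16.0.50/16", "10.16.100.5"))       # arp-for-destination
    print(pool_placement(LAN_PREFIX, OFFICE_MODE_POOL))             # proxy-arp-needed
    req = parse_arp(build_arp_request(host_mac, "10.16.0.50", "10.16.100.5"))
    if proxy_arp_should_reply(req, OFFICE_MODE_POOL, GATEWAY_LAN_IP, {"10.16.100.5"}):
        reply = parse_arp(build_arp_reply(req, GATEWAY_LAN_MAC))
        print("reply:", reply["spa"], "is-at", reply["sha"].hex(":"))
```

Running `pool_placement` with a disjoint pool such as 10.17.100.0/24 returns "route-needed", which is the alternative proposed in the replies: the LAN hosts then hand the packet to their default gateway and only a route for the pool towards the firewall's LAN interface is required, with no proxy ARP at all.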
_Val_
Admin

The issue should be raised during the design phase.

As I mentioned in another comment, I do not see many alternatives here. We usually do proxy ARP for NAT, on an external interface only. In your case, it is something else entirely.

0 Kudos