[Repost] Check Point Manual NAT ARP Proxy


I do not know whether you have run into this with Check Point firewalls, but whenever a manual NAT rule has to be created, many administrators hit the same problem: the gateway will not answer ARP for the translated address until proxy ARP is configured.

Check Point's sk30197 collects the relevant links about proxy ARP.

Configuration Steps:

This configuration is based on two steps:

  1. Layer2-to-Layer3 matching (IP address of the internal host and MAC address of the external interface)
  2. NAT rules

Step 1 – Layer2-to-Layer3 matching

  1. Using local or SSH access to the Security Gateway, in Expert Mode, check whether the file exists:
    1. (Expert@myfirewall)#ls $FWDIR/conf/local.arp

      If the result is “ls: /opt/CPsuite-R75.20/fw1/conf/local.arp: No such file or directory”, create the file; otherwise go on to step 2.

    2. (Expert@myfirewall)#touch $FWDIR/conf/local.arp
  2. Edit the file with the command:

    (Expert@myfirewall)# vi $FWDIR/conf/local.arp

    172.16.5.20    00:B4:F3:A8:C1:33


    A brief summary of “vi” editor

    To access command mode in VI, press ESC

    i – Insert text before cursor

    a – Insert text after cursor

    r – Insert text in the beginning of the cursor line

    A – Insert text in the end of the cursor line

    o – Insert a line below the cursor line

    O – Insert a line above the cursor line

    X – delete the current character

    To Save the file: ESC :wq


The format of this file differs between a single gateway and a cluster:

    Single Gateway

    <IP of the published host>    <MAC address of the external interface>

Example:

Let's consider the topology

Create the Objects

Firewall External ip address

FTP Server

Before the Stealth rule, create a rule allowing FTP access to the gateway (in this example we only have two public IPs)

In the NAT tab, create a manual NAT rule publishing FTPServer

In SmartDashboard → Policy → Global Properties

In the NAT section → check the option “Merge manual proxy ARP configuration”


Automatic ARP Configuration is enabled by default. It ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway.

Merge manual proxy ARP configuration merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the $FWDIR/conf/local.arp file and ‘Automatic ARP configuration’ is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NATed IP address appears in both), the manual configuration is used.

If ‘Automatic ARP configuration’ is enabled but ‘Merge manual proxy ARP configuration’ is not, the Security Gateway ignores the entries in the $FWDIR/conf/local.arp file.

Check the box “Translate destination on client side”.

Translate destination on client side is enabled by default – it applies to packets originating at a Client, with the Server as its destination. Static NAT for the server is performed on the Client side of the Security Gateway.


Cluster Configuration

In a cluster configuration the syntax of the local.arp file changes as below:

<IP address of the host to be published>  <MAC address of the member's physical interface on the external network>  <IP address of the member's physical interface on the external network>
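As an added example that is not part of the original post and not Check Point's own tooling: a small shell function, run in Expert Mode, that sanity-checks a local.arp file against the two formats described above (two fields for a single gateway, three for a cluster) before policy is installed. It assumes that a cluster file carries one line per member for each published IP, so its duplicate check is keyed on the published IP together with the member IP; for a single gateway a published IP may appear only once. The sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Check Point code): sanity-check a local.arp file before
# installing policy. Formats assumed, as described above:
#   single gateway: <published IP> <MAC of external interface>
#   cluster:        <published IP> <member MAC> <member IP on external network>
# Returns 0 when every line is well formed, 1 otherwise (findings go to stdout).
validate_local_arp() {
    awk '
    function is_ipv4(s,    n, p, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    function is_mac(s,    n, p, i) {
        n = split(s, p, ":")
        if (n != 6) return 0
        for (i = 1; i <= 6; i++)
            if (p[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
        return 1
    }
    /^[ \t]*$/ { next }                 # blank lines are ignored
    {
        if (NF != 2 && NF != 3) {
            printf "line %d: expected 2 (single gateway) or 3 (cluster) fields, got %d\n", NR, NF
            bad++; next
        }
        # the whole file must use one format; mixing them is almost always a typo
        if (fmt && fmt != NF) { printf "line %d: mixes single-gateway and cluster formats\n", NR; bad++ }
        fmt = NF
        if (!is_ipv4($1)) { printf "line %d: bad published IP %s\n", NR, $1; bad++ }
        if (!is_mac($2))  { printf "line %d: bad MAC %s\n", NR, $2; bad++ }
        if (NF == 3 && !is_ipv4($3)) { printf "line %d: bad member IP %s\n", NR, $3; bad++ }
        # a published IP may be claimed once per gateway (once per member in a cluster);
        # assumption: cluster files carry one line per member for each published IP
        key = (NF == 3) ? ($1 " via " $3) : $1
        if (key in seen) { printf "line %d: %s already defined on line %d\n", NR, key, seen[key]; bad++ }
        else seen[key] = NR
    }
    END { if (bad > 0) exit 1 }
    ' "$1"
}

# Constructed sample in the single-gateway format, written to a temporary file so
# the check never touches the real $FWDIR/conf/local.arp.
sample=$(mktemp)
printf '172.16.5.20    00:B4:F3:A8:C1:33\n' > "$sample"
validate_local_arp "$sample" && echo "local.arp looks well formed"
rm -f "$sample"
```

Run it as `validate_local_arp $FWDIR/conf/local.arp` after editing and before installing policy; a malformed or duplicated line is exactly the kind of error that otherwise shows up only as a published host that nobody outside can reach.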


For more information about cluster configuration, I highly recommend reading sk30197.


Troubleshooting

If proxy ARP fails, consider reading sk25851.
