I do not know whether some of you have run into this problem with Check Point Firewall, but every time a manual NAT rule needs to be created, administrators often hit the same thing: the gateway does not answer ARP requests for the published address until proxy ARP is configured by hand.
In sk30197 there are some links about proxy ARP.
This configuration is based on two steps:
- Layer 2-to-Layer 3 matching (IP address of the published internal host mapped to the MAC address of the gateway's external interface)
- NAT rules
Step 1 – Layer 2-to-Layer 3 matching
Using local or SSH access to the Security Gateway, in Expert Mode, check whether the file already exists:
(Expert@myfirewall)# ls $FWDIR/conf/local.arp
If the result is "ls: /opt/CPsuite-R75.20/fw1/conf/local.arp: No such file or directory", create the file; otherwise skip straight to editing it.
- (Expert@myfirewall)# touch $FWDIR/conf/local.arp
Edit the file with the command:
(Expert@myfirewall)# vi $FWDIR/conf/local.arp
A brief summary of the "vi" editor
To return to command mode in vi, press ESC
i – Insert text before the cursor
a – Insert text after the cursor
I – Insert text at the beginning of the cursor line
A – Insert text at the end of the cursor line
o – Open a new line below the cursor line
O – Open a new line above the cursor line
x – Delete the character under the cursor
To save the file and quit: press ESC, then type :wq and press Enter
The format of this file differs between a single gateway and a cluster. For a single gateway, each line maps one published address to the MAC of the external interface:
IP_of_the_published_host MAC_address_of_the_External_Interface
Step 2 – NAT rules
Let's consider the topology:
Create the objects
Firewall external IP address
Before the Stealth rule, create a rule allowing FTP access to the gateway (in this example, we only have two public IPs)
In the NAT tab, create a manual NAT rule publishing FTPServer
In SmartDashboard > Policy > Global Properties
In the NAT section, check the option "Merge manual proxy ARP configuration"
Automatic ARP Configuration is enabled by default – it ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway.
Merge manual proxy ARP configuration merges the Automatic and Manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the $FWDIR/conf/local.arp file, and 'Automatic ARP configuration' is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NATed IP address appears in both), then the manual configuration is used.
If 'Automatic ARP configuration' is enabled, but 'Merge manual proxy ARP configuration' is not enabled, then the Security Gateway ignores the entries in the $FWDIR/conf/local.arp file.
Check the box “Translate destination on client side“.
Translate destination on client side is enabled by default – it applies to packets originating at a Client, with the Server as its destination. Static NAT for the server is performed on the Client side of the Security Gateway.
In a cluster configuration the syntax of the local.arp file changes as below: a third field carries the IP address of the member's own external interface, so that the entry is tied to the physical interface and not to the cluster VIP:
IP_address_of_Host_1_that_should_be_published MAC_address_of_member's_physical_interface_on_External_network IP_address_of_member's_physical_interface_on_External_network
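As an added example (not from the original post and not Check Point's own tooling), the POSIX shell script below builds local.arp lines in both the single-gateway and the cluster format and validates an existing file before you install policy. Every IP address, MAC and the interface name are constructed sample values; the demo writes both formats into one temporary file only to show them side by side, whereas a real local.arp uses one format or the other.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: build and sanity-check
# $FWDIR/conf/local.arp entries. All IPs, MACs and the interface name used
# in the demo are constructed sample values.

# 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# 0 if $1 is a colon-separated MAC address as printed by ifconfig / ip link.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print one local.arp line, validating every field first.
#   single gateway:  local_arp_entry <published_ip> <external_interface_mac>
#   cluster member:  local_arp_entry <published_ip> <member_mac> <member_ip>
local_arp_entry() {
    pub="$1"; mac="$2"; member="$3"
    is_ipv4 "$pub" || { echo "bad published IP: $pub" >&2; return 1; }
    is_mac "$mac"  || { echo "bad MAC: $mac" >&2; return 1; }
    if [ -n "$member" ]; then
        is_ipv4 "$member" || { echo "bad member IP: $member" >&2; return 1; }
        printf '%s %s %s\n' "$pub" "$mac" "$member"
    else
        printf '%s %s\n' "$pub" "$mac"
    fi
}

# MAC of a local interface, read from sysfs (as on Gaia / SecurePlatform).
iface_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# Validate an existing local.arp: every non-comment, non-blank line must have
# 2 fields (single gateway) or 3 fields (cluster), each well-formed.
# Returns 0 if the whole file is valid, 1 after reporting the first bad line.
check_local_arp() {
    file="$1"; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        case $# in
            2) local_arp_entry "$1" "$2" >/dev/null ;;
            3) local_arp_entry "$1" "$2" "$3" >/dev/null ;;
            *) echo "$file:$n: expected 2 or 3 fields, found $#" >&2; return 1 ;;
        esac || { echo "$file:$n: malformed entry" >&2; return 1; }
    done < "$file"
    return 0
}

# Demo with constructed values:  sh local_arp.sh demo [external_interface]
if [ "${1:-}" = "demo" ]; then
    mac=$(iface_mac "${2:-eth0}")
    [ -n "$mac" ] || mac="00:1c:7f:aa:bb:cc"   # fallback sample MAC
    tmp=$(mktemp)
    {
        echo "# single gateway: <published IP> <MAC of external interface>"
        local_arp_entry 203.0.113.10 "$mac"
        echo "# cluster member: <published IP> <member MAC> <member external IP>"
        local_arp_entry 203.0.113.11 "$mac" 203.0.113.2
    } > "$tmp"
    cat "$tmp"
    check_local_arp "$tmp" && echo "local.arp syntax OK"
    rm -f "$tmp"
fi
```

Entries in local.arp only take effect after a policy installation; once the policy is installed, `fw ctl arp` on the gateway lists the proxy ARP entries it is actually answering for, which is the quickest way to confirm that the merge option took effect and that the MAC in the file really belongs to the external interface.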
For more information about cluster configuration, I highly recommend reading sk30197.
If proxy ARP fails, consider reading sk25851.