Check Point VSX manual proxy arp configuration

Article ID: 167874

Products

XOS

Issue/Introduction

When configuring NAT on VSX, the gateway must answer ARP requests for the NATed IP addresses. Hosts on the Ethernet segment can only deliver frames to an address once they have resolved a MAC address for it, and a NAT address is not bound to any interface, so without proxy ARP the traffic for it is never delivered.

Cause

This solution describes how to use a manual proxy ARP configuration (the local.arp file) with the Check Point VSX application on a Crossbeam platform.

In a VSX environment where the Virtual System (VS) is not attached to a Virtual Router, the customer may want to configure a NAT address that lies on the same subnet as the physical interface.

The network configuration would be, for example:
[Network diagram omitted from this copy of the article.]

The NAT address 192.168.1.10 is on the same subnet as the physical interface IP 192.168.1.1.

Resolution

Configuration Considerations

The only way for neighbours to resolve the MAC address of the NATed address is a proxy ARP mechanism on the firewall itself. Note that the firewall will answer ARP for this address unconditionally, so the NAT address must not be assigned to any other host on the segment; otherwise the two will compete for the same IP.

Because VSX provisions the Crossbeam components automatically, the easiest solution is a local configuration on each VAP that is merged into Check Point's automatic ARP configuration.

To activate the Check Point proxy ARP functionality, perform the following actions for each VS on which NAT is needed.


Configuration Steps

1. Identify the MAC address the VS should answer with for the NAT IP address (on a VRRP setup, the virtual MAC of the external interface):
  • show vrrp virtual-router
OR
  • show ip-mapping, then show interface xxx
2. Identify the ID of the VS on which the ARP entry is needed:

  • vsx stat -v
 
Example vsx stat -v output:

ID   | Type & Name           | Security Policy | Installed at    | SIC Stat
-----+-----------------------+-----------------+-----------------+---------
1    | S CBS_testvapgroup_1  | Standard        | 25Aug2009 14:54 | Trust


 
3. Change to the configuration directory of the VS (the directory number matches the VS ID from step 2; VS1 is shown here):

  • cd $FWDIR/CTX/CTX0001/conf
  1. Create a file named local.arp with one entry per line, in the form shown below:

    <NAT IP> <VRRP MAC address of the firewall's external interface> <VRRP IP address of the firewall interface>
    192.168.1.10 00:00:5E:00:00:0E 192.168.1.1


    Note:
    192.168.1.10 is the NAT address.
    00:00:5E:00:00:0E is the MAC address the VS must answer with for this IP.
    192.168.1.1 is the interface address (as entered into VSX).

     
  2. Create the same local.arp file on each VAP in the VAP group and on all VAPs in the cluster. The entries must be identical on every member; a member without the entry stops answering for the NAT address after a failover.
  3. In SmartDashboard, under Policy > Global Properties > NAT, enable both:
    • Automatic ARP configuration
    • Merge manual proxy ARP configuration
4. Install the security policy (local.arp is read at policy installation, so an edited file alone does not change the ARP table).
5. Check the ARP entry on the APM for VS1:

   testvapgroup_1 (CBS): [vs1] root$ fw ctl -vs xxx arp
  (where xxx is the VS ID from step 2)
(192.168.1.10) at 00-00-5E-00-00-0E interface 192.168.1.1
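As an added example that is not part of the original article: a POSIX shell pre-flight check for the local.arp file written in step 3 and for the "same file on every VAP" requirement of step 3.2, meant to run before the policy install. The helper names, the sample files (constructed in a temporary directory), the /24 prefix length and the colon-separated MAC form are assumptions; the script only reads files and does not query XOS or the Check Point ARP table.

```shell
#!/bin/sh
# Pre-flight checks for a VSX local.arp file before the policy push.
# Hypothetical helper (not part of XOS or Check Point); it only reads the
# files it is given and never touches the running ARP table.

ip2int() {  # dotted quad -> unsigned 32-bit integer
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

is_ipv4() {  # four decimal octets, each 0-255
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  [ "$o1" -le 255 ] && [ "$o2" -le 255 ] && [ "$o3" -le 255 ] && [ "$o4" -le 255 ]
}

is_mac() {  # colon-separated form expected in local.arp, e.g. 00:00:5E:00:00:0E
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

same_subnet() {  # same_subnet IP1 IP2 PREFIXLEN
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# check_local_arp FILE PREFIXLEN: report every malformed or suspicious entry,
# return 0 only when the file is clean.
check_local_arp() {
  arp_file=$1; plen=${2:-24}; rc=0; n=0
  while read -r nat mac ifip extra; do
    n=$((n + 1))
    case "$nat" in ''|'#'*) continue ;; esac          # blank or comment line
    if [ -z "$ifip" ] || [ -n "$extra" ]; then
      echo "$arp_file:$n: expected 3 fields: <NAT IP> <MAC> <interface IP>"
      rc=1; continue
    fi
    is_ipv4 "$nat"  || { echo "$arp_file:$n: bad NAT IP '$nat'"; rc=1; }
    is_mac  "$mac"  || { echo "$arp_file:$n: bad MAC '$mac'"; rc=1; }
    is_ipv4 "$ifip" || { echo "$arp_file:$n: bad interface IP '$ifip'"; rc=1; }
    if is_ipv4 "$nat" && is_ipv4 "$ifip"; then
      if [ "$nat" = "$ifip" ]; then
        echo "$arp_file:$n: NAT IP equals the interface IP"; rc=1
      elif ! same_subnet "$nat" "$ifip" "$plen"; then
        echo "$arp_file:$n: $nat is not in the same /$plen as $ifip"; rc=1
      fi
    fi
  done < "$arp_file"
  # Two entries for one NAT IP would make the VS answer with conflicting MACs.
  dups=$(awk 'NF && $1 !~ /^#/ {print $1}' "$arp_file" | sort | uniq -d)
  [ -z "$dups" ] || { echo "$arp_file: duplicate NAT IP entries: $dups"; rc=1; }
  return $rc
}

# local_arp_consistent FILE...: every VAP must carry the same entries
# (comments, ordering and MAC letter case ignored).
normalize_arp() { awk 'NF && $1 !~ /^#/ {print tolower($1" "$2" "$3)}' "$1" | sort; }
local_arp_consistent() {
  ref=$(normalize_arp "$1"); shift
  for f in "$@"; do
    [ "$(normalize_arp "$f")" = "$ref" ] || { echo "local.arp differs: $f"; return 1; }
  done
}

# Constructed sample files (not from the article) to exercise the checks.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GOOD_ARP="$TMP/local.arp"; BAD_ARP="$TMP/local.arp.bad"
printf '%s\n' '# NAT IP        MAC                interface IP' \
  '192.168.1.10 00:00:5E:00:00:0E 192.168.1.1' > "$GOOD_ARP"
printf '%s\n' '192.168.1.10 00:00:5E:00:00:0E 192.168.1.1' \
  '192.168.1.10 00:00:5E:00:00:0F 192.168.1.1' \
  '10.9.9.9 00:00:5E:00:00:0E 192.168.1.1' \
  '192.168.1.11 0000.5E00.000E 192.168.1.1' > "$BAD_ARP"

check_local_arp "$GOOD_ARP" 24 && echo "$GOOD_ARP: OK"
check_local_arp "$BAD_ARP" 24 || echo "$BAD_ARP: fix before installing policy"
```

Run it on each VAP's $FWDIR/CTX/CTX0001/conf/local.arp (and pass the copies from all members to local_arp_consistent) before step 4; the duplicate check matters because the merge into the automatic ARP configuration gives no warning when one NAT IP maps to two MACs.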

Workaround

N/A
