ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Proxy-ARP on a Crossbeam SBHA X-Series Platform with Checkpoint manual NAT
Article ID: 168120
Updated On:
Products
XOS
Issue/Introduction
Configuring manual NAT on a Crossbeam chassis in a single box configuration requires proxy-ARP to be manually configured.When using Manual NAT in Checkpoint FW the proxy-ARP table will not be populated automatically. This can be confirmed with the "fw ctl arp" command on the VAP member.
If you use Automatic NAT this table will be automatically populated but that NAT instance will appear across all policies.
If you use Automatic NAT this table will be automatically populated but that NAT instance will appear across all policies.
Cause
N/A
Resolution
Turn on proxy-arp on the outside interface. In conjunction with the proxy-arp setting, you will need to place a host route for the NAT destination pointing to the inside translated destination. Below is an example of the Crossbeam configuration and the Checkpoint configured Manual NAT rule.
Please refer to the attached pdf that contains configurations for Checkpoint and Crossbeam as well as a network drawing.
Please refer to the attached pdf that contains configurations for Checkpoint and Crossbeam as well as a network drawing.
Workaround
N/A
Feedback
Yes
No
Powered by
