Check Point VSX manual proxy ARP configuration

When configuring NAT on VSX it is necessary to resolve the MAC address for NATed IPs to allow proper communication on Ethernet networks.
This solution describes how to use a manual proxy ARP configuration with the Check Point VSX application on a Crossbeam Platform.
In a VSX environment where the Virtual System (VS) is not attached to a Virtual Router, the customer may want to configure a NAT address that is located on the same subnet as the physical interface.
The network configuration would be, for example:
The NAT address 192.168.1.10 would be on the same subnet as the physical interface IP 192.168.1.1.
The only way to resolve the MAC address for the NATed address is to use a
Because VSX provisions the Crossbeam components automatically, the easiest solution is to configure Check Point's automatic ARP locally on each VAP.
To activate the Check Point proxy ARP functionality, perform the following actions for each VS on which you need to activate NAT.
1. Identify the MAC address you want to reply with for a given IP address:
   show vrrp virtual-router
   show ip-mapping
   show interface xxx
2. Identify the VS ID on which you need to activate the specific ARP address:
   vsx stat -v
   The vsx stat output:
     ID | Type & Name            | Security Policy | Installed at    | SIC Stat
   -----+------------------------+-----------------+-----------------+---------
      1 | S CBS_testvapgroup_1   | Standard        | 25Aug2009 14:54 | Trust
3. Move into the configuration directory of VS1 and create a local.arp file with the structure described below:
   <NAT IP> <VRRP MAC address of the external interface of the Firewall> <VRRP IP address of the Firewall interface>
   192.168.1.10 00:00:5E:00:00:0E 192.168.1.1
   Note:
   192.168.1.10 is the NAT address.
   00:00:5E:00:00:0E is the MAC address that must be answered for this IP.
   192.168.1.1 is the interface address (as entered into VSX).
   Perform the same action on each VAP in the VAP group and on all VAPs in the cluster.
   In SmartDashboard, open Policy > Global Properties > NAT and enable both "Automatic ARP configuration" and "Merge manual proxy ARP configuration". Without the merge option, the automatic ARP configuration takes precedence and the local.arp entries are not used.
4. Push the security policy
5. On each APM, check that VS1 now has a proxy ARP entry for the NAT address.
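The following script is an added example of steps 3 to 5 above; it is not Crossbeam or Check Point code. It validates each "<NAT IP> <MAC> <interface IP>" line (the NAT address must lie in the same subnet as the interface address, as the procedure requires), writes the file into the conf directory of the chosen VS, and refuses to write anything if one line is malformed. Two things are assumed rather than taken from the page: the VS configuration directory is $FWDIR/CTX/CTX<5-digit VS ID>/conf (e.g. CTX00001 for VS1), and the loaded proxy ARP table is read with "vsenv <ID>" followed by "fw ctl arp".

```shell
#!/bin/sh
# Added example (not Crossbeam or Check Point code): build, validate and
# install the per-VS local.arp used by the manual proxy ARP procedure.
# Assumptions not stated on the page:
#   - the VS conf directory is $FWDIR/CTX/CTX<5-digit ID>/conf
#   - the loaded proxy ARP table is shown by 'vsenv <ID>; fw ctl arp'
# Run it on every VAP of the VAP group and of the cluster.

FWDIR="${FWDIR:-/opt/CPsuite-R65/fw1}"   # assumed install location

# 0 if $1 is a dotted-quad IPv4 address (octets 0..255, no leading zeros).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# 0 if $1 is a colon-separated 48-bit MAC such as 00:00:5E:00:00:0E.
is_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Decimal value of an IPv4 address, used for the subnet comparison.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# 0 if $1 and $2 fall in the same /$3 network (no shift operator needed:
# two addresses share a /n prefix iff they agree after dividing by 2^(32-n)).
same_subnet() {
    hosts=1; bits=$3
    while [ "$bits" -lt 32 ]; do hosts=$((hosts * 2)); bits=$((bits + 1)); done
    [ $(( $(ip_to_int "$1") / hosts )) -eq $(( $(ip_to_int "$2") / hosts )) ]
}

# Validate one local.arp line "<NAT IP> <MAC> <interface IP>" against the
# /$4 subnet of the interface. Prints the reason and returns 1 on failure.
validate_entry() {
    nat=$1; mac=$2; ifip=$3; prefix=$4
    is_ipv4 "$nat"  || { echo "bad NAT IP: $nat"; return 1; }
    is_mac "$mac"   || { echo "bad MAC: $mac"; return 1; }
    is_ipv4 "$ifip" || { echo "bad interface IP: $ifip"; return 1; }
    [ "$nat" != "$ifip" ] || { echo "NAT IP equals interface IP: $nat"; return 1; }
    same_subnet "$nat" "$ifip" "$prefix" \
        || { echo "$nat is not in the /$prefix subnet of $ifip"; return 1; }
}

# Conf directory of VS ID $1 (assumed layout: CTX00001 for VS1).
ctx_conf_dir() {
    printf '%s/CTX/CTX%05d/conf\n' "$FWDIR" "$1"
}

# Read "<NAT IP> <MAC> <interface IP>" lines on stdin, validate them against
# the /$2 interface subnet and install them as local.arp of VS $1.
# Nothing is installed if any line is rejected.
write_local_arp() {
    vsid=$1; prefix=$2; ok=0
    tmp=$(mktemp) || return 1
    while read -r nat mac ifip extra; do
        case "$nat" in ''|'#'*) continue ;; esac        # skip blanks/comments
        [ -z "$extra" ] || { echo "too many fields: $nat $mac $ifip $extra"; ok=1; continue; }
        validate_entry "$nat" "$mac" "$ifip" "$prefix" || { ok=1; continue; }
        printf '%s %s %s\n' "$nat" "$mac" "$ifip" >> "$tmp"
    done
    if [ "$ok" -ne 0 ]; then rm -f "$tmp"; return 1; fi
    dir=$(ctx_conf_dir "$vsid")
    mkdir -p "$dir" && mv "$tmp" "$dir/local.arp"
}

# Step 5, after the policy push: show the proxy ARP table the VS loaded
# (assumed check: switch to the VS context, then list the Check Point ARP table).
show_proxy_arp() {
    vsenv "$1" && fw ctl arp
}
```

Typical use on a VAP: `printf '192.168.1.10 00:00:5E:00:00:0E 192.168.1.1\n' | write_local_arp 1 24`, then push the policy from SmartDashboard and run `show_proxy_arp 1`. The prefix length argument is what turns the page's "same subnet as the physical interface" requirement into a check; a NAT address outside that subnet would never be answered on the segment and is rejected before the file is written.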