If you are trying to configure a Static PAT/port forwarding rule in Check Point and it still isn’t working, this post explains the reason behind it and the additional configuration required to get it working.
Adding a Static PAT/port forwarding rule in Check Point is one hell of a task because Automatic NAT in Check Point doesn’t let you specify ports (unlike Cisco ASA’s Auto NAT post 8.3), so you have to use Manual NAT. And to make that work you’ll also have to configure proxy ARP entries (static, published ARP entries) on the firewall.
The reason for configuring the ARP entries manually is that Automatic NAT rules create proxy ARP entries for their NAT IPs by themselves, whereas Manual NAT rules do not. That only matters when the NAT IP (public IP) used for the internal server belongs to the subnet connected to your ISP: the ISP’s edge router will ARP for that IP on the shared segment, the firewall’s external interface won’t answer, and the traffic never reaches the firewall. A NAT IP outside the connected subnet is simply routed to the firewall by the ISP, so no ARP is involved.
As you can see in the diagram below, the NAT IP 188.8.131.52 to be used for the internal web server belongs to the connected subnet 184.108.40.206/24 between the firewall and the ISP edge router, so with a Manual NAT rule the firewall’s external interface will not proxy ARP for it (or for any other IP in that subnet).
There are two solutions to this problem:-
1. Manually configure a proxy ARP entry on the firewall for each additional public IP you will use from the connected subnet for your servers, mapping it to the MAC address of the firewall’s external interface.
2. Ask your ISP to add host routes for every public IP you will be using for your servers, with the firewall’s external interface address as the next hop. The /32 routes must be static routes pointing over the same connected subnet.
Solution 1 – Manually configuring ARP entry on the firewall
Configuration for Check Point SPLAT device:-
Log in to expert mode:

[gw1]# expert
Enter expert password:
You are in expert mode now.
[Expert@gw1]#
Adding a static, published (proxy) ARP entry. The MAC address is that of the firewall’s own external interface (eth0 here), and the pub flag is what makes the gateway answer ARP requests for the address:

[Expert@gw1]# /sbin/arp -s 220.127.116.11 00:0c:29:62:4c:67 pub
Deleting a static ARP entry:

[Expert@gw1]# /sbin/arp -d 18.104.22.168
Looking up the ARP table (the M flag marks a permanent entry and P a published one, so the MP entry on eth0 is the proxy ARP entry just added; use arp -n to skip reverse DNS lookups):

[Expert@gw1]# /sbin/arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.2.99             ether   00:50:56:C0:00:09   C                     eth3
22.214.171.124           ether   00:0C:29:62:4C:67   MP                    eth0
An entry added with arp -s is lost when the device reboots. To retain it, add the same IP/MAC pair, one entry per line, to the local.arp file and install the policy afterwards so the gateway picks it up (fw ctl arp lists the proxy ARP entries currently loaded):

[Expert@gw1]# vi $FWDIR/conf/local.arp

Press i, add the line below, then save with :wq.

126.96.36.199 00:0c:29:62:4c:67
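To make the “does this public IP need a proxy ARP entry at all?” decision mechanical, here is an added Python helper written for this page (example code, not part of the original post and not a Check Point tool). It classifies each Manual NAT public IP against the external interface’s connected subnet, emits the matching local.arp lines and arp -s commands for Solution 1 and the /32 host routes an ISP running Vyatta/VyOS would add for Solution 2, and checks arp -n output for published entries that are still missing. The addresses are constructed from documentation ranges (203.0.113.0/24, 198.51.100.0/24) rather than taken from the post; the MAC is the one shown in the arp output above; the ISP-side `set protocols static route` syntax is Vyatta’s and is an assumption about the ISP’s platform.

```python
"""Decide which Manual NAT public IPs need proxy ARP on a Check Point gateway.

Added example, not from the original post. Given the firewall's external
interface (address/prefix and MAC) and the public IPs used in Manual NAT rules,
it decides which IPs need proxy ARP (or an ISP /32 route), generates the
matching local.arp lines, arp -s commands and ISP host routes, and checks
`arp -n` output for entries that are still missing.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def classify_nat_ip(ext_if_cidr, nat_ip):
    """Return why a NAT IP does or does not need proxy ARP.

    'proxy-arp'    : inside the connected subnet; the ISP router will ARP for it
                     and a Manual NAT rule will not answer: needs local.arp or a /32.
    'routed'       : outside the connected subnet; the ISP routes it to us, no ARP.
    'interface-ip' : the external interface's own address, already answered.
    """
    iface = ipaddress.ip_interface(ext_if_cidr)
    ip = ipaddress.ip_address(nat_ip)
    if ip == iface.ip:
        return "interface-ip"
    if ip not in iface.network:
        return "routed"
    if ip in (iface.network.network_address, iface.network.broadcast_address):
        raise ValueError(f"{nat_ip} is the network or broadcast address of {iface.network}")
    return "proxy-arp"


def needing_proxy_arp(ext_if_cidr, nat_ips):
    return [ip for ip in nat_ips if classify_nat_ip(ext_if_cidr, ip) == "proxy-arp"]


def local_arp_lines(ext_if_cidr, ext_if_mac, nat_ips):
    """Lines for $FWDIR/conf/local.arp: '<public IP> <external interface MAC>'."""
    if not MAC_RE.match(ext_if_mac):
        raise ValueError(f"invalid MAC address: {ext_if_mac}")
    return [f"{ip} {ext_if_mac}" for ip in needing_proxy_arp(ext_if_cidr, nat_ips)]


def arp_commands(ext_if_cidr, ext_if_mac, nat_ips):
    """Non-persistent equivalent typed in expert mode (lost on reboot)."""
    if not MAC_RE.match(ext_if_mac):
        raise ValueError(f"invalid MAC address: {ext_if_mac}")
    return [f"/sbin/arp -s {ip} {ext_if_mac} pub"
            for ip in needing_proxy_arp(ext_if_cidr, nat_ips)]


def isp_host_routes(ext_if_cidr, nat_ips):
    """Solution 2: /32 static routes on the ISP's Vyatta/VyOS edge router
    (assumed platform), next hop = the firewall's external interface address."""
    fw_ip = ipaddress.ip_interface(ext_if_cidr).ip
    return [f"set protocols static route {ip}/32 next-hop {fw_ip}"
            for ip in needing_proxy_arp(ext_if_cidr, nat_ips)]


def published_entries(arp_output):
    """IPs in Linux `arp -n` output whose Flags column contains P (published)."""
    published = set()
    for line in arp_output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        # An incomplete entry has no HWaddress/Flags columns and is skipped.
        if len(parts) >= 4 and "P" in parts[3]:
            published.add(parts[0])
    return published


def missing_proxy_arp(ext_if_cidr, nat_ips, arp_output):
    """NAT IPs that need proxy ARP but have no published entry yet."""
    have = published_entries(arp_output)
    return [ip for ip in needing_proxy_arp(ext_if_cidr, nat_ips) if ip not in have]


# Constructed sample topology (documentation ranges, not the post's addresses):
# ISP router 203.0.113.1, firewall eth0 203.0.113.2/24; the MAC is the one
# shown in the post's arp output.
EXT_IF = "203.0.113.2/24"
EXT_MAC = "00:0c:29:62:4c:67"
NAT_IPS = ["203.0.113.5", "203.0.113.6", "203.0.113.2", "198.51.100.10"]

# Constructed `arp -n` output: only 203.0.113.5 has a published (MP) entry.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
203.0.113.1              ether   00:50:56:c0:00:09   C                     eth0
203.0.113.5              ether   00:0c:29:62:4c:67   MP                    eth0
203.0.113.9                      (incomplete)                              eth0
"""

if __name__ == "__main__":
    for ip in NAT_IPS:
        print(f"{ip:<16} {classify_nat_ip(EXT_IF, ip)}")
    print("\n".join(local_arp_lines(EXT_IF, EXT_MAC, NAT_IPS)))
    print("\n".join(isp_host_routes(EXT_IF, NAT_IPS)))
    print("missing proxy ARP:", missing_proxy_arp(EXT_IF, NAT_IPS, SAMPLE_ARP))
```

In the sample, 203.0.113.5 and .6 sit in the connected subnet and need either a local.arp entry or an ISP /32; 203.0.113.2 is the interface’s own address and 198.51.100.10 is routed, so neither gets an entry. Feeding the gateway’s real arp -n output to missing_proxy_arp() after a reboot is a quick way to spot entries that were added with arp -s but never written to local.arp.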
Configuration for a Nokia box:-
Access the Voyager GUI > Config > ARP > add the ARP entry and select ‘Proxy Only’ type.
After adding the ARP entry on the Security Gateway, you also need to tell the management to merge the manual proxy ARP configuration with the proxy ARP entries the firewall generates automatically for Automatic NAT rules; otherwise the manual entries may be ignored when automatic ones exist.
SmartDashboard > Policy > Global Properties > NAT > check ‘Merge manual proxy ARP configuration’, then install the policy.
Once the ARP entry has been added you can configure the Manual NAT to perform the required PAT/Port forwarding.
SmartDashboard > NAT > Configure the Manual NAT (Nodes were already configured)
Solution 2 – Static route on the ISP’s edge router
This is the cleaner of the two solutions, as you don’t have to maintain ARP entries on the firewall; it does depend on your ISP being willing to add the host routes. On the ISP’s edge router the host route sits next to the connected route for the shared subnet:

vyatta@Internet:~$ show ip route | match 1.1.1
C>* 188.8.131.52/24 is directly connected, eth0
S>* 184.108.40.206/32 [1/0] via 220.127.116.11, eth0
If you have the ISP adding host routes pointing to your firewall, then you need not add those static ARP entries.
Here’s more Check Point stuff that might interest you > https://networkology.net/tag/checkpoint/