I think you need to add a host route in addition, to make manual NAT work on Linux. See below from Checkpoint (I think you'll just need step 2) -

The Automatic ARP feature is not supported on Linux platforms in NG, NG FP1, and NG FP2. Upgrade to NG FP3 or higher. (Please note that Automatic ARP does not apply when using manual NAT rules. Therefore, if using manual NAT rules, you will still need to use the following workaround.)

Workaround: These steps are applicable to Linux kernel version 2.x, including Check Point's SecurePlatform.

1) Configure the Linux kernel to enable proxy arp using the following command:

      echo 1 > /proc/sys/net/ipv4/conf/<if_name>/proxy_arp

   ...where <if_name> is the name of the external interface, for example: eth0
   This command should be added to one of the startup scripts, such as rc.local, in order to survive a reboot.

2) Add a host route for the Static NAT ip address using the internal ip address of the host (or next hop) as the gateway:

      route add -host <Static_NAT_ip_addr> gateway <internal_ip_addr>

   This should also be added to a startup script, or in the case of SecurePlatform, a permanent route can be added using the sysconfig utility.

3) The above 2 steps should be sufficient to enable proxy arp to function for your Static NAT configuration, since the linux kernel is designed to be intelligent enough to proxy arp for ip addresses in its routing table. However, if it becomes necessary to add a proxy arp entry, use the following command:

      arp -s <Static_NAT_ip_addr> <FireWall_external_MAC_addr> pub

-----Original Message-----
From: Scott Friedman [mailto:[EMAIL PROTECTED]
Sent: 14 October 2003 02:10
To: [EMAIL PROTECTED]
Subject: [FW-1] Proxy ARP on Linux with Hide NAT

Got a question, hope someone can shed some light. Got a client with CheckPoint NG-AI running on Red Hat 7.3 (kernel 2.4.18-5smp). Trying to set up a specific NAT out one interface only for one destination, but I can't get the Firewall to answer the ARP requests from the router.
<firewall> ---<crossover cable>-- <Cisco 1720> -- T1

External Firewall IP is 192.168.0.2
Facing side of Router is 192.168.0.5
Trying to Hide NAT behind 192.168.0.9.

ARP -a:
? (192.168.0.9) at * PERM PUP on eth2

Command used to add ARP:
arp -v -n -i eth2 -s 192.168.0.9 00:E0:81:23:39:47 pub

Verified that /proc/sys/net/ipv4/conf/eth2/proxy_arp is set to 1.

When the session initiates, here's what I see on the tcpdump -i eth2:

21:00:32.492308 arp who-has 192.168.0.5 tell 192.168.0.2
21:00:32.493096 arp reply 192.168.0.5 is-at 0:9:7c:a3:a5:fd
21:00:32.493126 172.20.17.21.1760 > poly4.siteremoved.com.http: S 3536652485:3536652485(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:00:32.803609 arp who-has 192.168.0.9 tell 192.168.0.5
21:00:35.477799 172.20.17.21.1760 > poly4.siteremoved.com.http: S 3536652485:3536652485(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:00:35.788166 arp who-has 192.168.0.9 tell 192.168.0.5

Notice how the who-has 192.168.0.9 never gets answered. On the router (which I don't control), show arp says "incomplete" for 192.168.0.9. We can't add a static ARP on the router (politics, ya know).

Hope someone can shed some light on this...
And of course, we're using manual nat since this nat goes out the non-internet interface, and the local net is automatically hide-natted through the internet interface (different ip than this connection).

Thanks
Scott

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
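Added example, not from the thread or from Check Point: a small Python script that scans tcpdump output like the trace in Scott's post for ARP requests that never receive a reply, which is the exact symptom above. It goes a little beyond the post in that it accepts both the 2003-era tcpdump ARP format shown there and the newer "ARP, Request who-has A tell B, length N" form; the sample trace lines are copied from the post.

```python
import re
from collections import defaultdict

# Matches tcpdump ARP lines in the old form used in the post
# ("arp who-has A tell B" / "arp reply A is-at MAC") and the newer form
# ("ARP, Request who-has A tell B, length 28" / "ARP, Reply A is-at MAC, length 28").
WHO_HAS = re.compile(r"who-has ([^\s,]+) tell ([^\s,]+)", re.IGNORECASE)
IS_AT = re.compile(r"reply ([^\s,]+) is-at ([^\s,]+)", re.IGNORECASE)

# Trace lines copied from the original post (tcpdump -i eth2 on the firewall).
TRACE = """\
21:00:32.492308 arp who-has 192.168.0.5 tell 192.168.0.2
21:00:32.493096 arp reply 192.168.0.5 is-at 0:9:7c:a3:a5:fd
21:00:32.493126 172.20.17.21.1760 > poly4.siteremoved.com.http: S 3536652485:3536652485(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:00:32.803609 arp who-has 192.168.0.9 tell 192.168.0.5
21:00:35.477799 172.20.17.21.1760 > poly4.siteremoved.com.http: S 3536652485:3536652485(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:00:35.788166 arp who-has 192.168.0.9 tell 192.168.0.5
""".splitlines()


def unanswered_arp(lines):
    """Return {target_ip: [asking_ip, ...]} for every address that was requested
    via ARP but for which no 'is-at' reply appears anywhere in the capture.
    Non-ARP lines (the TCP SYNs above) are ignored."""
    requests = defaultdict(list)
    answered = set()
    for line in lines:
        m = WHO_HAS.search(line)
        if m:
            requests[m.group(1)].append(m.group(2))
            continue
        m = IS_AT.search(line)
        if m:
            answered.add(m.group(1))
    return {ip: askers for ip, askers in requests.items() if ip not in answered}


def report(lines):
    """One human-readable line per unanswered target, pointing at the two
    things the thread says to check on the Linux firewall."""
    out = []
    for ip, askers in unanswered_arp(lines).items():
        out.append(f"{ip}: asked {len(askers)}x by {', '.join(sorted(set(askers)))}, "
                   "never answered (check proxy_arp and host route)")
    return out


if __name__ == "__main__":
    for line in report(TRACE):
        print(line)
```

Run it against a saved tcpdump capture of the external interface; an entry for the Hide NAT address means the firewall is still not proxy-ARPing for it.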
