Adding the VIPs causes the box to ARP for those IPs; it is not an efficient way to achieve manual proxy ARPs. The need for manual proxy ARPs depends on whether you are doing automatic static NAT rules with the global props/NAT set to do automatic ARP configuration for automatic NAT rules, or manual NAT rules. Manual proxy ARPs are configured differently depending on OS: for Nokia, set them up in Voyager under the ARP section; SPLAT and Windows need the creation of the local.arp file. Crossbeam COS was the only system I ran into that did not have a manual proxy ARP option, and you had to add the VIPs to VRRP for proxy ARPing.

-GS

________________________________
From: Peter Addy <[email protected]>
To: [email protected]
Sent: Wed, October 28, 2009 10:44:17 AM
Subject: Re: [FW-1] Urgent Arp for NAT addresses, firewall not arping for NAT adressess

Hi, so are you saying that if the object under the NAT tab is configured then we have to set proxy ARP or have manual entries in the local.arp?

The previous VRRP setup had all the entries as backup addresses, not sure how this worked?

--- On Wed, 10/28/09, Independent IT Consultant <[email protected]> wrote:

From: Independent IT Consultant <[email protected]>
Subject: Re: [FW-1] Urgent Arp for NAT addresses, firewall not arping for NAT adressess
To: [email protected]
Date: Wednesday, October 28, 2009, 1:25 PM

Generally speaking, you need to define proxy ARP or local ARP for any NAT that is a manually-defined NAT; if you directly edited the entries in NAT tab, you're using manual NAT.

On Wed, Oct 28, 2009 at 7:08 AM, Peter Addy <[email protected]> wrote:

> Hi
>
> Can anyone please help urgently!!
>
> New firewalls in place running Nokia NGX R65 from NGX R61
>
> The old devices were configured with VRRP addresses for all the NAT
> objects, so there were quite a few VRRP backup addresses for each
> interface.
>
> The new firewalls have only 5 backup addresses, and it appears that some
> connections are not working so we have to put in a manual proxy ARP. I
> thought the firewall would auto ARP for the NAT addresses.
>
> Not sure why all the NAT addresses would need to go into the VRRP config,
> never seen this before.
>
> Why is the firewall not ARPing for the NAT addresses? Don't really want
> to put all the addresses in VRRP as this should not be required, and
> don't want to manually add in loads of proxy ARP entries unless we have
> to. Has anyone come across this before? Any help would be appreciated.
>
> Thanks
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
