Static mapping not working in CheckPoint

I have a Checkpoint Firewall1 server and an application that I need to access from the Internet.  I am not using VPN (yet).  I set up a one-to-one static mapping for the server, by basically creating 2 network objects:

AS400-Int = 10.0.0.2
AS400-Ext = <public ip>

Then I set up a rule specifying that anyone can access this machine at the public address using TCP 1375.  I then set up a route entry

ROUTE -P ADD <public ip> 10.0.0.2

I installed the policy, but it does not seem to be working.  I was told that I had to associate the public ip with the MAC address of the server.  How is this done? (I don't remember).  Is this the problem?
Silas asked:
jwalsh88 commented:
You do not need a route; you need to make a static ARP entry on the firewall.
jwalsh88 commented:
If you need to know how to do this, let me know, and let me know what type of system this is.

Just so you know, the firewall will need a route statement like the one you used if it doesn't already know how to get to the network that the internal hosts reside on.  In other words, if it doesn't already have a static route to that network, then you need to create a host route on the firewall.  It won't hurt anything to create a route for all static NATs, so you might want to do that.  But the reason that it is not working is because you need to create the static ARP entry on the firewall to allow the firewall to answer requests for that IP address.
bsadlick commented:
I have not had to add arp entries to my firewall to get this configuration to work. In addition to the static routes on the firewall, I have had to add routes on my protected hosts so that they know how to route back to the Internet.

Is your as/400 getting the traffic from your FW? Does it know where to route back to?
geoffryn commented:
You need to modify the local.arp file with the MAC address of the server.  Do a search for Proxy ARP at www.phoneboy.com
Silas (author) commented:
I will try the local.arp file and let you know.  If anyone has used SonicWall firewalls, please see my other question in this section.
Tim Holman commented:
If platform = NT, then you need local.arp
If platform = Win 2000, it won't work...
The easiest way to create 121 NAT is to create the internal object, click on the NAT tab, and add automatic rule using the valid IP address of the object.
jwalsh88 commented:
Be careful with that; even Checkpoint themselves will tell you never to use the automatic NAT capabilities, especially when creating a one-to-one static mapping.  The reason is you can't control the NATing and when it's done in the Address Translation rule base.
Tim Holman commented:
Automatic NAT rules are simple to set up and work fine in simple situations.
If you need to troubleshoot, however, create them manually using the auto rules as a guideline, as auto rules won't log.
Auto rules also do not work very well when you've got lots of firewall objects, as they will get installed on ALL firewall objects by default.
bsadlick commented:
You need to set up the NAT rule for the external address. So for your AS400-Ext, under the NAT tab set the type to static, and the address is the internal address. Verify that the NAT rule exists. That should look like:

Any   AS400-Ext  Any  Any  AS400-Int  Any

Also make sure that your security policy rule uses the external object. So the rule should be:

Any   AS400-Ext  Any  Accept

Hope this helps
klalakomacoi commented:
You can always put the proxy ARP mappings in your router instead.  We currently stick them in local.arp, but in times past we had them in our Internet router.  I never noticed any difference in performance or reliability, and I am unaware of any compelling reason to prefer one method over the other, but they both work.
mangia commented:
If you have this:

|internet|
|
|
|router|
|
|
|firewall|
|
|
|web server|

Requests from the Internet need to resolve the MAC address for the next hop.  The MAC address is locally significant only.  The firewall needs to be configured to reply with its own MAC address when queried for the MAC address of the NATed web server address.

jwalsh88 commented:
Silas, not sure if you are still looking at this, but here is how it goes.  You need the router to think the IP address of the AS400's public address is tied to the MAC address of the firewall's external interface.  This can be done in two ways but MUST be done in one of the two ways: you can add a static ARP entry on the router, or you can publish the ARP using a proxy ARP on the firewall.  You will also need a route to the AS400's external IP address with a gateway of the AS400's internal IP address added on the firewall.  Besides that, you just simply need to add a one-to-one static NAT rule in the NAT policy, like this:

Src        Dest       Srv   Src        Dest       Srv
=====================================================
AS400-int  any        any   AS400-ext  any        any
any        AS400-ext  any   any        AS400-int  any
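As an added example (not from the thread or from Check Point), a small Python checker for the two firewall-side prerequisites jwalsh88 lists: each public address must be published via proxy ARP (a local.arp entry) and must have a host route whose gateway is the internal address. The sample NAT mapping, local.arp content and route lines are constructed placeholders in the formats assumed here.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the thread: the public address is a
# documentation-range placeholder and the MAC address is made up.
NAT_RULES = [("203.0.113.10", "10.0.0.2")]  # (public, internal) static mappings
LOCAL_ARP = """# local.arp format: <public ip> <MAC of firewall external interface>
203.0.113.10 00-11-22-33-44-55
"""
ROUTES = """# <destination> <netmask> <gateway>, one host route per public address
203.0.113.10 255.255.255.255 10.0.0.2
"""
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")

def _lines(text):
    """Yield non-empty lines with trailing comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_local_arp(text):
    """Return {public_ip: mac}; reject anything that is not '<ip> <mac>'."""
    entries = {}
    for line in _lines(text):
        parts = line.split()
        if len(parts) != 2 or not MAC_RE.match(parts[1]):
            raise ValueError(f"malformed local.arp line: {line!r}")
        entries[str(ipaddress.ip_address(parts[0]))] = parts[1].upper().replace(":", "-")
    return entries

def parse_host_routes(text):
    """Return {destination: gateway} for /32 host routes only."""
    routes = {}
    for line in _lines(text):
        dest, mask, gateway = line.split()
        if mask == "255.255.255.255":
            routes[str(ipaddress.ip_address(dest))] = str(ipaddress.ip_address(gateway))
    return routes

def check_static_nat(nat_rules, arp_text, route_text):
    """List what each one-to-one mapping still lacks on the firewall."""
    arp, routes = parse_local_arp(arp_text), parse_host_routes(route_text)
    problems = []
    for public, internal in nat_rules:
        if public not in arp:  # firewall will not answer ARP for the public address
            problems.append(f"{public}: no proxy ARP entry in local.arp")
        if routes.get(public) != internal:
            problems.append(f"{public}: no host route via {internal}")
    return problems
```

An empty result means both prerequisites are present for every mapping; the original poster's setup (route present, no ARP entry) would report exactly the missing proxy ARP line.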