In Check Point, if you have a manual NAT entry the firewall will not do proxy ARP, which means it will not answer ARP requests for the translated address on the network where the NAT takes effect.
Solutions are:
- use an automatic NAT rule
- there is an article on Check Point support that describes how to correctly add an entry to a file so that the firewall will do proxy ARP; the procedure is apparently different for a single gateway and ClusterXL
- define a static host route to the firewall on the other device, so it never needs to ARP for the NAT address.
In my case they forgot to do that, and the SYN traversed 2 firewalls but the SYN/ACK was lost because one firewall was not able to find, via ARP, a MAC address to talk to.