Updated 11th July 2017
Manual ARP in Firewall 1 NG
If you must use manual NAT rules on win 2000 (and later!), do the following:
1. Create the file c:\windows\fw1\R62\fw1\conf\local.arp as per the format below.
2. Uncheck “Automatic Arp Configuration” in Global Properties
3. Check the setting under the Manual Nat settings in Global Properties.
4. You will need to add the static routes for the NAT addresses on the firewall module (see below).
5. Reinstall your policy.
6. Last but not least – reboot or just do a cpstop and a cpstart
local.arp should be formatted like this:
220.127.116.11 00-18-71-ec-39-59
18.104.22.168 00-18-71-ec-39-59
22.214.171.124 00-18-71-ec-39-59
126.96.36.199 00-18-71-ec-39-59
1.2.3.x are the external IP addresses you want to assign to the hosts.
00-18-71-ec-39-59 is the MAC address of your firewall external interface (the interface that is on the internet).
I’m afraid I have Windows-only information here:
route -p add 188.8.131.52 mask 255.255.255.255 192.168.1.2
route -p add 184.108.40.206 mask 255.255.255.255 192.168.1.3
route -p add 220.127.116.11 mask 255.255.255.255 192.168.1.4
route -p add 18.104.22.168 mask 255.255.255.255 192.168.1.5
In the above example, the 192.168.1.x addresses are the internal hosts you want to direct traffic to.
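The steps above depend on two files agreeing with each other: every external address in local.arp needs exactly one matching host route, and every MAC in local.arp should be the firewall's own external-interface MAC. The following script is an added example (not from the original page or from Check Point) that parses a constructed local.arp, checks it against an administrator-supplied external-to-internal mapping, and prints the matching persistent route commands. The local.arp format (one "ip mac" pair per line, dashed MAC) follows the page; the NAT_MAP dictionary, the function names and the sample addresses are my assumptions.

```python
"""Added example: validate a Check Point local.arp file and emit the matching
Windows persistent host routes. Not part of the original page."""
import ipaddress
import re

# Constructed sample local.arp content (addresses and MAC are made up).
SAMPLE_LOCAL_ARP = """\
1.2.3.1 00-18-71-ec-39-59
1.2.3.2 00-18-71-ec-39-59
1.2.3.3 00-18-71-ec-39-59
1.2.3.4 00-18-71-ec-39-59
"""

# Constructed mapping: external (NAT) IP -> internal host that should receive it.
# This mapping is an assumption of the example; the page keeps it in the admin's head.
SAMPLE_NAT_MAP = {
    "1.2.3.1": "192.168.1.2",
    "1.2.3.2": "192.168.1.3",
    "1.2.3.3": "192.168.1.4",
    "1.2.3.4": "192.168.1.5",
}

# Dashed MAC notation as used in the page's local.arp sample.
MAC_RE = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_local_arp(text):
    """Return a list of (ip, mac) tuples; raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <mac>', got {raw!r}")
        ip, mac = parts
        ipaddress.IPv4Address(ip)  # AddressValueError is a ValueError subclass
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        entries.append((ip, mac.lower()))
    return entries


def check_consistency(entries, nat_map):
    """Return a list of problems: duplicate IPs, mixed MACs, unmapped addresses."""
    problems = []
    macs = {mac for _, mac in entries}
    if len(macs) > 1:
        # All entries should carry the firewall's external-interface MAC.
        problems.append(f"more than one MAC in local.arp: {sorted(macs)}")
    seen = set()
    for ip, _ in entries:
        if ip in seen:
            problems.append(f"duplicate entry for {ip}")
        seen.add(ip)
        if ip not in nat_map:
            problems.append(f"{ip} has an ARP entry but no internal host mapping")
    for ip in nat_map:
        if ip not in seen:
            problems.append(f"{ip} is mapped but has no entry in local.arp")
    return problems


def route_commands(entries, nat_map):
    """Build one persistent /32 host route per ARP entry, as the page describes."""
    cmds = []
    for ip, _ in entries:
        inside = nat_map.get(ip)
        if inside is None:
            continue  # reported by check_consistency; nothing to route to
        cmds.append(f"route -p add {ip} mask 255.255.255.255 {inside}")
    return cmds


if __name__ == "__main__":
    arp = parse_local_arp(SAMPLE_LOCAL_ARP)
    for problem in check_consistency(arp, SAMPLE_NAT_MAP):
        print("WARNING:", problem)
    print("\n".join(route_commands(arp, SAMPLE_NAT_MAP)))
```

Run it against the real local.arp before step 5 (policy install): a MAC that is not the external interface's, a duplicate external address, or a mapped host with no ARP entry are the usual reasons the proxy ARP silently never answers after the reboot.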
Hairpin NAT configuration:
The above all works very well if your 192.168.1.x hosts sit in a DMZ on the firewall. However, if you want to direct traffic to a host on the LAN segment, you need some additional NAT rule trickery.
You need to create a so called ‘hairpin’ NAT rule:
1) Do not translate between these networks: (Address translation tab)
2) Hairpin NAT (Address translation tab)
3) Inbound NAT rules (Address translation tab)
4) Hide NAT rules: (Address translation tab)
5) Inbound rules: (Security tab)