How do I create manual ARP (for inbound NAT) entries in Check Point?

Updated 11th July 2017

Manual ARP in FireWall-1 NG

If you must use manual NAT rules on Windows 2000 (and later!), do the following:

1. Create c:\windows\fw1\R62\fw1\conf\local.arp file as per the format below.

2. Uncheck “Automatic ARP Configuration” in Global Properties.

3. Check the Manual NAT setting under Global Properties.

4. You will need to add the static routes (see below) on the firewall module for NAT.

5. Reinstall your policy.

6. Last but not least – reboot, or just do a cpstop and a cpstart.

local.arp should be formatted like this (one entry per line: the external IP address, a tab, then the MAC address):

1.2.3.x		00-18-71-ec-39-59
1.2.3.x		00-18-71-ec-39-59
1.2.3.x		00-18-71-ec-39-59
1.2.3.x		00-18-71-ec-39-59

1.2.3.x are the external IP addresses you want to assign to the hosts.
00-18-71-ec-39-59 is the MAC address of your firewall external interface (the interface that is on the internet).

Adding routes:

I’m afraid I have Windows-only information here. The Windows syntax is route -p add <destination> mask <netmask> <gateway>; the -p flag makes the route persistent across reboots:

route -p add mask
route -p add mask
route -p add mask
route -p add mask

In the above example, the 192.168.1.x addresses are the internal hosts you want to direct traffic to.
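Before installing a policy it is worth checking that every local.arp entry is well formed, that all entries carry the MAC of the external interface (a wrong MAC silently breaks inbound NAT for that address), and that the host routes match the NAT mapping. The following script is an added example and is not part of the original article or of Check Point's own tooling; it parses the local.arp format described above, reports problems, and emits the persistent Windows route commands for a public-to-internal mapping. The sample file contents, the addresses and the 255.255.255.255 host mask are constructed assumptions.

```python
"""Validate a Check Point local.arp file and emit matching Windows host routes.

Added example (not from the original page). Sample data below is constructed.
"""
import ipaddress
import re

# local.arp MACs are written as six hex pairs separated by dashes.
MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")

# Constructed sample local.arp content: public IP, a tab, MAC of the external
# interface. The fourth line is a deliberate duplicate and the fifth carries a
# wrong MAC so that check_local_arp() has something to report.
SAMPLE_LOCAL_ARP = """\
# public IP\tMAC of firewall external interface
1.2.3.1\t00-18-71-ec-39-59
1.2.3.2\t00-18-71-ec-39-59
1.2.3.3\t00-18-71-ec-39-59
1.2.3.3\t00-18-71-ec-39-59
1.2.3.4\t00-18-71-ec-39-5A
"""

# Constructed assumption: which public address maps to which internal host.
SAMPLE_NAT_MAP = {"1.2.3.2": "192.168.1.20", "1.2.3.1": "192.168.1.10"}


def parse_local_arp(text):
    """Return a list of (ip, mac) tuples, skipping blank lines and # comments.

    Raises ValueError on a malformed line or an unparsable IP address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'IP MAC', got {raw!r}")
        ip, mac = parts
        ipaddress.ip_address(ip)  # raises ValueError if the IP is malformed
        entries.append((ip, mac.lower()))
    return entries


def check_local_arp(entries, external_mac):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    seen = set()
    external_mac = external_mac.lower()
    for ip, mac in entries:
        if not MAC_RE.match(mac):
            problems.append(f"{ip}: malformed MAC {mac}")
        elif mac != external_mac:
            problems.append(f"{ip}: MAC {mac} is not the external interface MAC")
        if ip in seen:
            problems.append(f"{ip}: duplicate entry")
        seen.add(ip)
    return problems


def route_commands(nat_map):
    """Emit one persistent Windows host route per public IP -> internal host.

    The /32 mask is an assumption of this example; adjust it if your routes
    are written differently.
    """
    ordered = sorted(nat_map.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [f"route -p add {pub} mask 255.255.255.255 {internal}"
            for pub, internal in ordered]


if __name__ == "__main__":
    parsed = parse_local_arp(SAMPLE_LOCAL_ARP)
    for problem in check_local_arp(parsed, "00-18-71-EC-39-59"):
        print("PROBLEM:", problem)
    for cmd in route_commands(SAMPLE_NAT_MAP):
        print(cmd)
```

Run it against your real local.arp by reading the file into parse_local_arp() and passing the MAC of the external interface (as shown by ipconfig /all) to check_local_arp(); any reported problem should be fixed before the policy is reinstalled.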

Hairpin NAT configuration:

The above all works very well if your 192.168.1.x hosts sit in a DMZ on the firewall, however!

If you want to direct traffic to a host on the LAN segment, you need some additional NAT rule trickery.

You need to create a so-called ‘hairpin’ NAT rule:

NAT rules:

1) Do not translate between these networks: (Address translation tab)

Checkpoint do not translate rules

2) Hairpin NAT (Address translation tab)

Checkpoint Hairpin NAT

3) Inbound NAT rules (Address translation tab)

Checkpoint Inbound NAT

4) Hide NAT rules: (Address translation tab)

Checkpoint hide NAT

5) Inbound rules: (Security tab)

Checkpoint inbound rules
