GTKC Knowledgebase
A little bit of wisdom
How do I create manual ARP (for inbound NAT) entries in Checkpoint?
Posted by Admin on


Updated 11th July 2017

Manual ARP in FireWall-1 NG

If you must use manual NAT rules on Windows 2000 (and later!), do the following:

1. Create c:\windows\fw1\R62\fw1\conf\local.arp file as per the format below.

2. Uncheck "Automatic ARP configuration" in Global Properties.

3. Check the setting under the Manual NAT settings in Global Properties.

4. You will need to add the static routes for NAT on the firewall module (see below).

5. Reinstall your policy.

6. Last but not least, reboot or just do a cpstop and a cpstart.

local.arp should be formatted like this:

1.2.3.2		00-18-71-ec-39-59
1.2.3.3		00-18-71-ec-39-59
1.2.3.4		00-18-71-ec-39-59
1.2.3.5		00-18-71-ec-39-59


1.2.3.x are the external IP addresses you want to assign to the hosts.
00-18-71-ec-39-59 is the MAC address of your firewall external interface (the interface that is on the internet).

Adding routes:

I'm afraid I have Windows-only information here:

route -p add 1.2.3.2 mask 255.255.255.255 192.168.1.2
route -p add 1.2.3.3 mask 255.255.255.255 192.168.1.3
route -p add 1.2.3.4 mask 255.255.255.255 192.168.1.4
route -p add 1.2.3.5 mask 255.255.255.255 192.168.1.5


In the above example, the 192.168.1.x addresses are the internal hosts you want to direct traffic to.
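
A consistency check for the two pieces of configuration this procedure produces, as an added example that is not part of the original article: it parses local.arp text and the route commands, then reports any external IP whose MAC is not the firewall's, that has no route, or whose mask is not 255.255.255.255. The function names are hypothetical, and the sample input is constructed from the article's placeholder values with three deliberate mistakes.

```python
import ipaddress
import re

# Constructed sample input (the article's placeholder values) with three deliberate mistakes.
LOCAL_ARP = """\
1.2.3.2\t00-18-71-ec-39-59
1.2.3.3\t00-18-71-ec-39-59
1.2.3.4\t00-18-71-ec-39-5
1.2.3.5\t00-18-71-ec-39-59
"""
ROUTES = """\
route -p add 1.2.3.2 mask 255.255.255.255 192.168.1.2
route -p add 1.2.3.3 mask 255.255.255.0 192.168.1.3
route -p add 1.2.3.4 mask 255.255.255.255 192.168.1.4
"""
ROUTE_RE = re.compile(r"route\s+-p\s+add\s+(\S+)\s+mask\s+(\S+)\s+(\S+)$", re.I)

def parse_local_arp(text):
    """Return {external_ip: mac} from 'IP <whitespace> MAC' lines."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        ip, mac = line.split()
        entries[str(ipaddress.IPv4Address(ip))] = mac.lower()
    return entries

def parse_routes(text):
    """Return {external_ip: (mask, internal_host)} from 'route -p add' lines."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[str(ipaddress.IPv4Address(m.group(1)))] = (m.group(2), m.group(3))
    return routes

def check_nat_config(arp_text, route_text, firewall_mac):
    """List every mismatch between local.arp, the routes and the firewall MAC."""
    arp, routes, problems = parse_local_arp(arp_text), parse_routes(route_text), []
    for ip in sorted(set(arp) | set(routes), key=ipaddress.IPv4Address):
        if ip not in arp:
            problems.append(f"{ip}: route exists but no local.arp entry")
        elif arp[ip] != firewall_mac.lower():
            problems.append(f"{ip}: MAC {arp[ip]} is not the firewall external MAC")
        if ip not in routes:
            problems.append(f"{ip}: local.arp entry but no host route")
        elif routes[ip][0] != "255.255.255.255":
            problems.append(f"{ip}: route mask {routes[ip][0]} is not a host route")
    return problems

if __name__ == "__main__":
    print("\n".join(check_nat_config(LOCAL_ARP, ROUTES, "00-18-71-ec-39-59")))
```

Run it against the real local.arp contents and the list of route commands before reinstalling the policy; an empty result means every NAT address has both a matching ARP entry and a host route.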

For hairpin NAT, see the hairpin NAT howto.




Tags: Checkpoint, Firewall, Windows
