SPLAT – Proxy ARP

How do I configure proxy ARP on my SPLAT firewall?

There are two ways to get a packet to a firewall: a route or a proxy ARP. Using routes is the preferred method, but you may not have access to the routers and so need to use proxy ARP instead.

Please note that even if you are using routes rather than proxy ARP, the below still applies: when SPLAT is the operating system you still have to add routes for the pre-translated addresses.

When a router receives a packet it looks at the destination address to check whether it falls within the subnet of any of its interfaces. If it does, the router ARPs for the address out of that interface. In the case of NAT, the host isn't actually on this subnet, so we need the firewall to respond to this ARP so that the packet is then sent to the firewall. The firewall can then NAT the destination address and forward the packet to the real host.

In the case of SPLAT you will need to add both a static route and a static ARP entry. The route is required on SPLAT just as if you were adding a route for server-side NAT, i.e. a route for the pre-translated address.

To do this, add the following on the command line:

# Publish the pre-translated (NAT) address on the advertising interface so the firewall answers ARP requests for it
/sbin/arp -s [NAT IP] [ADVERTISING INTERFACE MAC] -i [ADVERTISING INTERFACE] pub
# Host route for the pre-translated address, pointing at the real host (or the next hop towards it)
/sbin/route add -host [NAT IP] gateway [REAL IP]

Then also add this static ARP entry to the file /$FWDIR/local.arp and use the command "route --save" to save the route. This ensures that the changes aren't removed after a reboot.
To remove an ARP entry, enter:

# Delete the published entry for the pre-translated (NAT) address from the advertising interface
/sbin/arp -i [ADVERTISING INTERFACE] -d [NAT IP]

Note: when adding the route you will need to specify the next hop IP, which is either the real IP address of the host or the address of an intermediate device that then routes the traffic on to it.

route add -host [NAT IP] gateway [Router IP/Host Real IP]
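To make the interaction of the two entries visible, here is an added model (example code, not part of the original article and not Check Point's own code) of the router and firewall behaviour described above: the router ARPs for a destination in a connected subnet, the firewall answers only for published entries, and it routes on the pre-translated address before translating it. The topology, addresses, MAC and interface name are constructed sample values.

```python
import ipaddress

# Constructed sample topology (not from the article): router and firewall eth0
# share 203.0.113.0/24; the NAT IP is a free address there, the real server is not.
OUTSIDE_SUBNET = "203.0.113.0/24"
FW_EXT_IFACE = "eth0"
FW_EXT_MAC = "00:1c:7f:aa:bb:cc"
NAT_IP = "203.0.113.50"    # pre-translated address the router will ARP for
REAL_IP = "10.1.1.50"      # host behind the firewall, also the route's next hop


class SplatFirewall:
    """Minimal model of the three things the article configures on SPLAT."""
    def __init__(self):
        self.proxy_arp = {}  # (iface, ip) -> mac : 'arp -s IP MAC -i IFACE pub'
        self.routes = {}     # host ip -> next hop : 'route add -host IP gateway HOP'
        self.nat = {}        # pre-translated ip -> real ip : the NAT rule

    def arp_reply(self, iface, ip):
        """Answer an ARP request seen on iface only for a published entry."""
        return self.proxy_arp.get((iface, ip))

    def handle(self, dst):
        """Route on the pre-translated address (server-side NAT), then translate."""
        hop = self.routes.get(dst)
        if hop is None:
            return "dropped: no route on firewall for %s" % dst
        return "delivered to %s via %s" % (self.nat.get(dst, dst), hop)


def router_send(dst, fw, subnet=OUTSIDE_SUBNET, iface=FW_EXT_IFACE):
    """Router behaviour from the text: a destination inside a connected subnet
    is ARPed for on that segment, and the frame goes to whoever answers."""
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(subnet):
        return "forwarded to default route: %s" % dst
    mac = fw.arp_reply(iface, dst)  # the segment is named by the firewall's interface
    if mac is None:
        return "dropped: ARP for %s unanswered" % dst
    return fw.handle(dst)


def build(with_arp=True, with_route=True):
    """Firewall with the NAT rule plus, optionally, each static entry."""
    fw = SplatFirewall()
    fw.nat[NAT_IP] = REAL_IP
    if with_arp:
        fw.proxy_arp[(FW_EXT_IFACE, NAT_IP)] = FW_EXT_MAC
    if with_route:
        fw.routes[NAT_IP] = REAL_IP
    return fw
```

Calling `router_send(NAT_IP, build(with_arp=False))` shows the ARP going unanswered, `build(with_route=False)` shows the firewall dropping for lack of a route, and the full build delivers the packet to the real host.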


Rick Donato
