Proxy arp : set arp nat-dst

    I set up nat dst on a firewall with 2 zones:
    trust zone
    test zone
    I have a PC in trust zone, and I want it to be reachable from the test zone.
    I set up nat-dst but it doesn’t work.

    I set up the “set arp nat-dst” but it still doesn’t work.
    If I add an entry in arp cache with the translated ip (vip) associated with the firewall mac address, it works fine.

    Do you know why this ***** command “set arp nat-dst” doesn’t work? Is it because the proxy arp is not on the untrust interface but another one?

    I need to use another zone than untrust zone.
    So the only way is to set up the entries manually?

  • Actually I looked this up and didn’t see any info. Then I took a look at my own device and realized that the command you mention, “set arp nat-dst”, is actually a hidden command. That means that there is no documentation. So likely this is something that doesn’t work for all scenarios. Try using “untrust” zone instead of a custom zone.

  • I would need to verify this, but I seem to recall something about “set arp nat-dst” applying only to the predefined zone “untrust”. Check C&E guides and release notes to confirm this.