Solved

Checkpoint Firewall - routing set of IPs through different router..

Posted on 2002-04-29
Last Modified: 2013-11-16
hi guys,

I want to ask your advice on how to make this possible with Checkpoint FW on Win NT/2000. What do I have to configure to make the FW route a (sub)set of the LAN IPs through another router (B)?
Assuming this current topology:

             ISP1
               |
          Router A
               ---
                 |
              Firewall (no NAT)
                 |
                LAN

I want this new topology:


             ISP1     ISP2
               |       |
          Router A   Router B
               --------
                 |
              Firewall (no NAT)
                 |
                LAN

Please check through the list with me:

1. Add another NIC to FW (can I do this without
adding a NIC but rather specifying the next hop router,
A or B instead of the interface to go out?)
2. Configure static routing on NT box to route
subset IP traffic to router B?
Default for all other traffic would be router A.
3. ???

Pls advise...!

                 
Question by:Haho

11 Comments
LVL 11

Expert Comment

by:geoffryn
Are you trying to load balance your client machines?  If I understand correctly, you want to forward all of the traffic from a subset of your LAN IPs to a different ISP.  Why?
LVL 1

Author Comment

by:Haho
hi geoff

for some testing scenario where we want to divert some IPs to another link (Router B). Router A remains the default gateway. Please advise if this can be done and how to go about it.
LVL 79

Expert Comment

by:lrmoore
You could let the router A (your default gateway) make that decision with route-maps/access-lists. Basically, any traffic from source X to destination Y goes to router B, else go out router A. Simple thing to do on a router, but alas, Windows/Checkpoint ain't a router.
LVL 11

Expert Comment

by:geoffryn
That's a tough one.  As Lrmoore said, Checkpoint is not really a router.  You might be able to accomplish this by defining a network object for the range you want to divert and then NATing from inside to outside, but I cannot confirm that.  Never tried it.
LVL 1

Author Comment

by:Haho
dear guys,

I understand that Checkpoint is not a router, but it does really seem possible because I believe we can set up static routing in Windows NT/2000 for those few specific addresses, e.g.

0.0.0.0   router A  interface A
x.x.x.x   router B  interface B (the new NIC)

and setup Checkpoint for the appropriate rules..
seems logical to you guys?
Pls advise.
LVL 79

Expert Comment

by:lrmoore
Yes, you can setup static routes per DESTINATION network. Your question was regarding routing by SOURCE. You can send all traffic destined for specific address x.x.x.x out to router B. Router A and router B can be on the same network and you would not need another physical NIC.
If you setup a static route to say 12.33.13.x to go to router B and setup a rule that only allows certain users/source IP addresses to go to that network, then nobody else would get there at all. How many foreign destination networks are you looking at setting up static routes for? You can have one and only one default.


C:>ROUTE ADD -P X.X.X.X MASK 255.255.255.0 <IP ADD OF RTR B>

syntax:
 route add -p (make it permanent) <foreign network> mask <foreign netmask> <gateway>

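The distinction lrmoore draws above, static routes that pick a next hop by destination only versus policy routing that also looks at the source, modelled as an added example. This is not code from the thread, from Windows or from Check Point; the LAN prefix 10.0.0.0/28, the router addresses, the 12.33.13.0/24 "foreign network" from the reply and the policy and firewall tables are all constructed assumptions for illustration.

```python
"""Toy model of next-hop selection on the NT/2000 firewall host.

Added example, not the thread's own code.  All addresses below are
constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed topology values (assumptions, not the poster's real addresses).
ROUTER_A = "192.168.1.1"   # default gateway, ISP1
ROUTER_B = "192.168.1.2"   # second router, ISP2, on the same segment as A

# Destination-based static routes, as created on the host with
#   route add -p <foreign network> mask <foreign netmask> <gateway>
# The longest matching prefix wins; the packet's source is never consulted.
STATIC_ROUTES = [
    ("0.0.0.0/0",     ROUTER_A),   # one and only one default
    ("12.33.13.0/24", ROUTER_B),   # the "foreign network" sent to router B
]

# Firewall rule from the reply: only a subset of LAN hosts may reach the
# network that is routed via router B; everyone else is dropped.
DIVERTED_HOSTS = "10.0.0.0/28"
FW_RULES = [
    # (source prefix, destination prefix, action)
    (DIVERTED_HOSTS, "12.33.13.0/24", "accept"),
    ("0.0.0.0/0",    "12.33.13.0/24", "drop"),
    ("0.0.0.0/0",    "0.0.0.0/0",     "accept"),
]

# Policy-based routing as a router would evaluate it (route-map / ACL):
# the first rule matching (source, destination) sets the next hop.
POLICY_RULES = [
    (DIVERTED_HOSTS, "0.0.0.0/0", ROUTER_B),   # diverted hosts go out ISP2
]


def static_next_hop(dst, routes=STATIC_ROUTES):
    """Longest-prefix match on destination only (Windows 'route' semantics)."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def fw_action(src, dst, rules=FW_RULES):
    """First-match firewall rule lookup on (source, destination)."""
    src, dst = ip_address(src), ip_address(dst)
    for s_prefix, d_prefix, action in rules:
        if src in ip_network(s_prefix) and dst in ip_network(d_prefix):
            return action
    return "drop"


def policy_next_hop(src, dst, rules=POLICY_RULES):
    """Source-aware selection; falls back to the static table when no rule hits."""
    src, dst = ip_address(src), ip_address(dst)
    for s_prefix, d_prefix, gw in rules:
        if src in ip_network(s_prefix) and dst in ip_network(d_prefix):
            return gw
    return static_next_hop(str(dst))


def forward(src, dst):
    """What the host-based approach does to a packet: filter, then route."""
    if fw_action(src, dst) != "accept":
        return "dropped"
    return static_next_hop(dst)


if __name__ == "__main__":
    samples = [("10.0.0.5", "8.8.8.8"), ("10.0.0.200", "8.8.8.8"),
               ("10.0.0.5", "12.33.13.7"), ("10.0.0.200", "12.33.13.7")]
    print(f"{'source':<12}{'destination':<14}{'host static':<14}{'policy'}")
    for src, dst in samples:
        print(f"{src:<12}{dst:<14}{forward(src, dst):<14}"
              f"{policy_next_hop(src, dst)}")
```

Running it shows the two approaches diverging for general Internet destinations: the static table sends every host's traffic to router A regardless of source, while the policy table sends the diverted subset to router B. For the specific foreign network the two agree, and the firewall rule is what keeps hosts outside the subset from using that route at all.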
LVL 1

Expert Comment

by:ymash
Listening
LVL 4

Expert Comment

by:jwalsh88
Haho,

I am sorry I am jumping in to this kind of late. I am guessing that you are trying to make some "sub(set)" of your internal hosts use routerB (ISP2) for their outgoing internet.  If I am right, I just would like to ask why?  You realize this will get you almost nothing unless the host(s) using routerB are internet servers.  Unless I am missing something, your public blocks of IP addresses are advertised out routerA through ISP1, right?  Well, most of your traffic should be incoming, not outgoing.  So even if you send half the traffic out routerB, the overall majority of your traffic will still be coming across routerA.  And to answer your question, if you are trying to do policy based routing on checkpoint fw's you need floodgate-1, a QoS module from checkpoint for their fw's.  Again I don't see you getting any benefit by sending some of the traffic out another link unless you host a lot of servers that get accessed from the internet.
LVL 13

Accepted Solution

by:hstiles (earned 100 total points)
Can't you just cheat?

You could, say define Router A as the default gateway for the firewall and simply modify the routing table on Router A to redirect traffic either to Router B or back to the firewall as required.
LVL 1

Author Comment

by:Haho
That looks like a solution ! :)
LVL 79

Expert Comment

by:lrmoore
How is the accepted solution different from what I suggested a month earlier - let the routers make those decisions....????