Solved

Checkpoint Firewall - routing set of IPs through different router..

Posted on 2002-04-29
1,446 Views
Last Modified: 2013-11-16
hi guys,

I want to ask your advice on how to make this possible with Checkpoint FW on Win NT/2000. What do I have to configure to make the FW route a (sub)set of the LAN IPs through another router (B)?
Assuming this current topology:

             ISP1
               |
          Router A
               ---
                 |
              Firewall (no NAT)
                 |
                LAN

I want this new topology:


             ISP1     ISP2
               |       |
          Router A   Router B
               --------
                 |
              Firewall (no NAT)
                 |
                LAN

Please check through the list with me:

1. Add another NIC to FW (can I do this without
adding a NIC but rather specifying the next hop router,
A or B instead of the interface to go out?)
2. Configure static routing on NT box to route
subset IP traffic to router B?
Default for all other traffic would be router A.
3. ???

Please advise...!

                 
0
Question by:Haho
11 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6977822
Are you trying to load balance your client machines?  If I understand correctly, you want to forward all of the traffic from a subset of your LAN IPs to a different ISP.  Why?
0
 
LVL 1

Author Comment

by:Haho
ID: 6979195
hi geoff

For some testing scenario where we want to divert some IPs to another link (Router B). Router A remains the default gateway. Please advise if this can be done and how to go about it.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6980381
You could let the router A (your default gateway) make that decision with route-maps/access-lists. Basically, any traffic from source X to destination Y goes to router B, else go out router A. Simple thing to do on a router, but alas, Windows/Checkpoint ain't a router.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6980858
That's a tough one.  As lrmoore said, Checkpoint is not really a router.  You might be able to accomplish this by defining a network object for the range you want to divert and then NATing from inside to outside, but I cannot confirm that.  Never tried it.
0
 
LVL 1

Author Comment

by:Haho
ID: 6982981
dear guys,

I understand that Checkpoint is not a router, but it does really seem possible because I believe we can set up static routing in Windows NT/2000 for those few specific addresses, e.g.

0.0.0.0   router A  interface A
x.x.x.x   router B  interface B (the new NIC)

and set up Checkpoint with the appropriate rules..
Seems logical to you guys?
Please advise.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6983073
Yes, you can set up static routes per DESTINATION network. Your question was regarding routing by SOURCE. You can send all traffic destined for a specific address x.x.x.x out to router B. Router A and router B can be on the same network, and you would not need another physical NIC.
If you set up a static route to, say, 12.33.13.x to go to router B and set up a rule that only allows certain users/source IP addresses to go to that network, then nobody else would get there at all. How many foreign destination networks are you looking at setting up static routes for? You can have one and only one default.


C:\>ROUTE ADD -P X.X.X.X MASK 255.255.255.0 <IP ADDRESS OF ROUTER B>

Syntax:
 route add -p (make it permanent) <foreign network> mask <foreign netmask> <gateway>

0
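As an added illustration of the point made above (not code from this thread or from Checkpoint): a host routing table built with "route add" picks the gateway by destination only, so the "subset" of source IPs is enforced by the firewall rule base, and that subset still leaves via Router A for every other destination. All addresses and rules are constructed.

```python
import ipaddress

# Constructed host routing table, destination-based like "route add -p".
# Gateways are made-up addresses for Router A and Router B.
ROUTES = [
    ("0.0.0.0/0",       "192.0.2.1"),   # Router A: the one and only default
    ("198.51.100.0/24", "192.0.2.2"),   # Router B: one foreign network
]

# Constructed firewall rule base: (source net, destination net, action).
# First match wins; anything unmatched is dropped by a cleanup rule.
RULES = [
    ("10.0.0.0/24", "198.51.100.0/24", "accept"),  # only this subset may use the route via B
    ("10.0.0.0/16", "198.51.100.0/24", "drop"),    # everyone else is kept off that network
    ("10.0.0.0/16", "0.0.0.0/0",       "accept"),  # all other outbound traffic is allowed
]

def next_hop(dst):
    """Longest-prefix match over ROUTES; the source address is never consulted."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in ROUTES:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def policy(src, dst):
    """Return the action of the first matching rule, or 'drop' (cleanup rule)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d, action in RULES:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action
    return "drop"

def forward(src, dst):
    """Apply the rule base first, then the routing table: gateway or 'dropped'."""
    if policy(src, dst) != "accept":
        return "dropped"
    return next_hop(dst)
```

The last case below shows the limit lrmoore points out: the allowed subset reaches 198.51.100.0/24 via Router B, but its traffic to any other destination still follows the default route to Router A.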
 
LVL 1

Expert Comment

by:ymash
ID: 6992284
Listening
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6992323
Haho,

I am sorry I am jumping in to this kind of late. I am guessing that you are trying to make some "sub(set)" of your internal hosts use routerB (ISP2) for their outgoing internet.  If I am right, I just would like to ask why?  You realize this will get you almost nothing unless the host(s) using routerB are internet servers.  Unless I am missing something, your public blocks of IP addresses are advertised out routerA through ISP1, right?  Well, most of your traffic should be incoming, not outgoing.  So even if you send half the traffic out routerB, the overall majority of your traffic will still be coming across routerA.  And to answer your question, if you are trying to do policy-based routing on Checkpoint FWs you need FloodGate-1, a QoS module from Checkpoint for their FWs.  Again, I don't see you getting any benefit by sending some of the traffic out another link unless you host a lot of servers that get accessed from the internet.
0
 
LVL 13

Accepted Solution

by:hstiles (earned 100 total points)
ID: 7011428
Can't you just cheat?

You could, say, define Router A as the default gateway for the firewall and simply modify the routing table on Router A to redirect traffic either to Router B or back to the firewall as required.
0
 
LVL 1

Author Comment

by:Haho
ID: 7029044
That looks like a solution ! :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7029900
How is the accepted solution different from what I suggested a month earlier: let the routers make those decisions....????
0
