Solved

Checkpoint Firewall - routing set of IPs through different router..

Posted on 2002-04-29
Last Modified: 2013-11-16
hi guys,

I want to ask your advice on how to make this possible with Checkpoint FW on Win NT/2000. What do I have to configure to make the FW route a (sub)set of the LAN IPs through another router (B)?
Assuming this current topology:

             ISP1
               |
          Router A
               ---
                 |
              Firewall (no NAT)
                 |
                LAN

I want this new topology:


             ISP1     ISP2
               |       |
          Router A   Router B
               --------
                 |
              Firewall (no NAT)
                 |
                LAN

Please check through the list with me:

1. Add another NIC to the FW (can I do this without adding a NIC, but rather by specifying the next-hop router, A or B, instead of the interface to go out?)
2. Configure static routing on the NT box to route the subset IP traffic to router B? Default for all other traffic would be router A.
3. ???

Pls advise...!
Question by:Haho
11 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6977822
Are you trying to load balance your client machines?  If I understand correctly, you want to forward all of the traffic from a subset of your LAN IPs to a different ISP.  Why?
 
LVL 1

Author Comment

by:Haho
ID: 6979195
hi geoff

for some testing scenario where we want to divert some IPs to another link (Router B). Router A remains the default gateway. Please advise if this can be done and how to go about it.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6980381
You could let the router A (your default gateway) make that decision with route-maps/access-lists. Basically, any traffic from source X to destination Y goes to router B, else go out router A. Simple thing to do on a router, but alas, Windows/Checkpoint ain't a router.
 
LVL 11

Expert Comment

by:geoffryn
ID: 6980858
That's a tough one.  As lrmoore said, Checkpoint is not really a router.  You might be able to accomplish this by defining a network object for the range you want to divert and then NATing from inside to outside, but I cannot confirm that.  Never tried it.
 
LVL 1

Author Comment

by:Haho
ID: 6982981
dear guys,

I understand that Checkpoint is not a router, but it does really seem possible because I believe we can set up static routing in Windows NT/2000 for those few specific addresses, e.g.

0.0.0.0   router A  interface A
x.x.x.x   router B  interface B (the new NIC)

and set up Checkpoint for the appropriate rules..
Seems logical to you guys?
Pls advise.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6983073
Yes, you can set up static routes per DESTINATION network. Your question was regarding routing by SOURCE. You can send all traffic destined for a specific address x.x.x.x out to router B. Router A and router B can be on the same network, and you would not need another physical NIC.
If you set up a static route to, say, 12.33.13.x to go to router B and set up a rule that only allows certain users/source IP addresses to go to that network, then nobody else would get there at all. How many foreign destination networks are you looking at setting up static routes for? You can have one and only one default.


C:\>ROUTE ADD -P X.X.X.X MASK 255.255.255.0 <IP ADDR OF RTR B>

Syntax:
 route add -p (make it permanent) <foreign network> mask <foreign netmask> <gateway>

 
LVL 1

Expert Comment

by:ymash
ID: 6992284
Listening
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6992323
Haho,

I am sorry I am jumping into this kind of late. I am guessing that you are trying to make some "sub(set)" of your internal hosts use router B (ISP2) for their outgoing Internet.  If I am right, I just would like to ask why?  You realize this will get you almost nothing unless the host(s) using router B are Internet servers.  Unless I am missing something, your public blocks of IP addresses are advertised out router A through ISP1, right?  Well, most of your traffic should be incoming, not outgoing.  So even if you send half the traffic out router B, the overall majority of your traffic will still be coming across router A.  And to answer your question, if you are trying to do policy-based routing on Checkpoint FWs you need FloodGate-1, a QoS module from Checkpoint for their FWs.  Again, I don't see you getting any benefit by sending some of the traffic out another link unless you host a lot of servers that get accessed from the Internet.
 
LVL 13

Accepted Solution

by: hstiles (earned 100 total points)
ID: 7011428
Can't you just cheat?

You could, say, define Router A as the default gateway for the firewall and simply modify the routing table on Router A to redirect traffic either to Router B or back to the firewall as required.
 
LVL 1

Author Comment

by:Haho
ID: 7029044
That looks like a solution ! :)
 
LVL 79

Expert Comment

by:lrmoore
ID: 7029900
How is the accepted solution different from what I suggested a month earlier - let the routers make those decisions....????
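The distinction lrmoore draws (a host routing table such as the one `route add -p` builds on NT/2000 selects the next hop by DESTINATION only, whereas the route-map/access-list approach he and hstiles describe on Router A selects by SOURCE) is the whole thread in one sentence. The following Python model is an added example, not code from the original thread or from any Checkpoint or Windows tool: it implements a longest-prefix destination lookup the way a host table does, and a first-match policy lookup the way a router's policy routing does, then runs the same flows through both. The topology is constructed (LAN 192.168.1.0/24, router A 10.0.0.1 as default, router B 10.0.0.2 on the same outside segment, and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges standing in for foreign networks); the "test hosts" subnet 192.168.1.16/28 is an assumption chosen for illustration.

```python
"""Destination-based static routing (what a Windows NT/2000 route table does)
versus source-based policy routing (what a router's route-map does).

Added example, not code from the original thread. All addresses are
constructed private or documentation ranges, not real ISP allocations.
"""
import ipaddress

# Constructed topology (assumption): router A is the default gateway to ISP1,
# router B leads to ISP2, both sit on the firewall's outside segment 10.0.0.0/24.
ROUTER_A = "10.0.0.1"
ROUTER_B = "10.0.0.2"
CONNECTED = "0.0.0.0"   # gateway value a host table shows for a directly attached net

# Static table as a series of 'route add -p' commands would build it:
# (destination prefix, gateway). Lookup is by destination only; the source
# address never takes part in the decision.
STATIC_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ROUTER_A),        # default -> router A
    (ipaddress.ip_network("203.0.113.0/24"), ROUTER_B),   # one foreign net -> router B
    (ipaddress.ip_network("192.168.1.0/24"), CONNECTED),  # directly connected LAN
]

# Policy routing in route-map style: ordered clauses that may match on
# source and/or destination and set a next hop. First match wins; a flow
# that matches nothing falls through to the ordinary destination table.
POLICY = [
    # Clause 10 (assumed test subnet): hosts 192.168.1.16/28 to anywhere -> router B
    {"src": ipaddress.ip_network("192.168.1.16/28"),
     "dst": ipaddress.ip_network("0.0.0.0/0"),
     "next_hop": ROUTER_B},
]


def static_lookup(dst, table=STATIC_ROUTES):
    """Longest-prefix match on the destination, as a host routing table does."""
    dst_addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway in table:
        if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def policy_lookup(src, dst, policy=POLICY, table=STATIC_ROUTES):
    """First matching policy clause wins; otherwise use the static table."""
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    for clause in policy:
        if src_addr in clause["src"] and dst_addr in clause["dst"]:
            return clause["next_hop"]
    return static_lookup(dst, table)


def compare(src, dst):
    """Return (next hop chosen by the static table, next hop chosen by policy)."""
    return static_lookup(dst), policy_lookup(src, dst)


if __name__ == "__main__":
    # Constructed flows: a test host and a normal host to the same foreign
    # address, and a normal host to the one network that has its own static route.
    for src, dst in [("192.168.1.20", "198.51.100.7"),
                     ("192.168.1.200", "198.51.100.7"),
                     ("192.168.1.200", "203.0.113.9")]:
        static_hop, policy_hop = compare(src, dst)
        print(f"{src} -> {dst}: static table={static_hop}  policy routing={policy_hop}")
```

The first two flows go to the same destination, and the static table hands both to router A; only the policy lookup sends the test host to router B, which is why the firewall-side static route alone cannot do what the question asks and the decision has to move to router A (on a Cisco router, assuming that is what Router A is, this is an access-list matched by a `route-map` whose `set ip next-hop` points at router B, applied with `ip policy route-map` on the interface facing the firewall). Two practitioner caveats that the thread touches on: with no NAT on the firewall, packets diverted out ISP2 still carry ISP1-assigned source addresses, so ISP2's ingress filtering may drop them and any replies will come back through router A regardless; and, as lrmoore notes, pairing a destination static route with a firewall rule that restricts which sources may reach that destination is an access control, not source routing.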
