Solved

How do I add a router in Checkpoint?

Posted on 2002-06-12
Last Modified: 2013-11-16
This is my scenario:

I have 95 & 2000 laptops dialing a Cisco 3600 on our LAN. Traffic here is monitored by Checkpoint V3 on NT.

LAN desktops can browse the internet via our parent company's proxy; the traffic simply routes over a leased line. The IP address for the default gateway on the LAN is 200.1.1.1 which is the router at our end of the leased line.

Trouble is, laptops that are dialled up cannot browse the internet. Doing a traceroute to any IP address on the other side of the router results in the traffic stopping at 200.1.1.1.

Presumably, I need to configure the FW to allow certain traffic to flow over the router, but how should I do it?
Question by:darrenwhite
11 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 7073085
Are the IP addresses being assigned to the dialup clients NATed or on a different subnet than the LAN?  You may need to add a route.  Additionally, if the addresses are not contained in the network object of the FW then you will need to create a new object and assign it to the rule base.
0
 

Author Comment

by:darrenwhite
ID: 7075206
The remote IP addresses are on a different subnet.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7075827
Then you should take a close look at how the network objects in FW-1 are configured and check the router to make sure that it has a route back to the remote subnet.
0

 
LVL 17

Expert Comment

by:mikecr
ID: 7078840
Personally I wouldn't bring them back to the firewall. If your Cisco is the gateway to the Checkpoint, I would put an access list on the router to put all traffic not destined for the internet thru the firewall from those dial-in IPs. This way you only come thru the firewall for anything on the local LAN and the rest would go to the internet. Your default route on the router would then take over and put them onto the internet. I think right now you're routing them back into the LAN but you don't have a route to put them back out thru the firewall onto the internet.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7103131
What did checkpoint customer support have to say?  That would be my first line of attack, considering how much $$ they make you pay for what is, IMO, a rather crappy device.

Cheers,
-Jon
0
 
LVL 1

Expert Comment

by:matt_t1
ID: 7151145
Darren,

I assume you are describing your RAS solution where users dial in to a 3600, which is then connected to your Firewall, which connects them through to the local LAN.  If this is the case then you have two things to consider for allowing the RAS users to get to the internet:  the firewall rules, and IP routing.

Assuming the firewall rules permit the RAS users (source=RAS IP, dest=Proxy server, service=http etc), then it is most likely a routing problem as geoffryn says.

There are now 2 ways you could solve this routing issue.  The first is to make sure that all the gateways between the RAS users and the proxy server have valid routes to both ends.  It's no use the RAS users being able to route traffic to the proxy if it then has no idea about how to get the replies back to them.  However, this will involve getting some kind of help from your parent company to check the routing on the proxy and on their gateways.

The way I would do this would be to use NAT on the RAS firewall to hide the real RAS ip addresses as local LAN addresses.  You would need to allocate a range of IP addresses on the local LAN that aren't used, and reserve them for the RAS translations.  You don't need to have a 1-to-1 relationship as you can NAT multiple RAS clients onto the same local LAN IP (even down to a single address).  In this case you would set up a NAT rule something like this:

Source            - RAS client IP address
Dest              - any
Service           - any
Translated Source - LAN address for RAS client NAT
Translated Dest   - Original
Translated Service- Original

Depending on your security rules setup, you may also need to add a security rule that permits both the real and NATted source addresses to access the net via the proxy server.

You then need to make sure that the firewall is offering a proxy ARP response for the NAT address, otherwise traffic won't make it back to the real clients.  I think CheckPoint deals with this automatically under NT, but I'd recommend checking www.phoneboy.com (or your firewall docs!) to be sure.

One thing - although it looks like it should work, don't be tempted to use the firewall's IP address on the local LAN as the RAS NAT address.  CheckPoint don't recommend it, and it can give you some really spooky problems.

One last thing - you said CheckPoint v3.  That's so old I've never even heard of it.  We are now up to "NG" (Next Generation, really just v5.0) Feature Pack 2, having spent a lot of time over the past couple of years with v4.0 and v4.1.  If you really are still on v3 then I would strongly recommend upgrading.  There are sure to be vulnerabilities out there that cannot be fixed in 3, so you may be negating the whole point of having a firewall by running such a low version.

Because CP will try to get $$$ for the licenses if you do decide to upgrade, I would recommend that you look at the firewall backwards.  It has a large number of IP addresses on one side (the inside local LAN), and a small number on the other side - limited to how many lines the router has for dial in.  I would suggest setting the "external" interface to be the internal LAN interface, and hence reducing the licensing costs to a license covering the number of RAS users you have.  You are then saved from the horrors of an "unlimited" CheckPoint moneyspinner.

I hope all of this helps,

Matt.
0
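The routing failure geoffryn points to and Matt's hide-NAT rule, worked through as an added example; this is not code from the original thread or from Check Point's product. It models the return path as two hops (the parent company's gateway and the 200.1.1.1 router), shows a reply addressed to a real dial-in client being dropped because no hop has a route to the pool, then shows both fixes Matt describes: adding a route to the pool on every hop, or hiding the RAS clients behind one spare LAN address that every hop already knows, plus the proxy-ARP requirement for that address. Only 200.1.1.1 comes from the question; the dial-in pool 10.9.0.0/24, the firewall address 200.1.1.50, the hide address 200.1.1.200 and the proxy 172.16.5.10 are assumed values.

```python
import ipaddress

# Constructed topology modelled on the thread. Only 200.1.1.1 (the LAN's default
# gateway on the leased line) comes from the question; everything below is assumed.
LAN = "200.1.1.0/24"
DIALUP_POOL = "10.9.0.0/24"      # addresses the Cisco 3600 hands to dial-in laptops
FIREWALL_LAN_IP = "200.1.1.50"   # FW-1 interface facing the LAN (next hop to the pool)
NAT_HIDE_ADDR = "200.1.1.200"    # unused LAN address reserved for the RAS hide NAT
PROXY = "172.16.5.10"            # parent company's web proxy


class RouteTable:
    """Minimal longest-prefix-match forwarding table for one hop."""

    def __init__(self, name, routes):
        # routes: (prefix, next_hop) pairs; next_hop None means directly connected
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        if not matches:
            return None                       # no route: this hop drops the packet
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return nh or "connected"


def build_return_path():
    """The hops a reply from the proxy crosses on its way back to our LAN."""
    parent_gw = RouteTable("parent-gw", [
        ("172.16.5.0/24", None),              # proxy segment, directly connected
        (LAN, "leased-line"),                 # parent knows our LAN, not the dial-in pool
    ])
    our_router = RouteTable("200.1.1.1", [
        (LAN, None),
        ("0.0.0.0/0", "leased-line"),
    ])
    return [parent_gw, our_router]


def trace_reply(path, reply_dst):
    """Name of the first hop with no route to reply_dst, or None if the reply gets through."""
    for hop in path:
        if hop.next_hop(reply_dst) is None:
            return hop.name
    return None


class HideNAT:
    """Many-to-one source NAT on the firewall, as in Matt's rule: Source = RAS pool,
    Translated Source = one LAN address, destination and service left Original."""

    def __init__(self, hide_addr, inside):
        self.hide_addr = hide_addr
        self.inside = ipaddress.ip_network(inside)
        self.table = {}        # (real_src, real_sport) -> translated sport
        self.reverse = {}      # translated sport -> (real_src, real_sport)
        self._next_port = 10000

    def outbound(self, src, sport, dst, dport):
        if ipaddress.ip_address(src) not in self.inside:
            return (src, sport, dst, dport)   # rule does not match; pass untouched
        key = (src, sport)
        if key not in self.table:
            self.table[key] = self._next_port
            self.reverse[self._next_port] = key
            self._next_port += 1
        return (self.hide_addr, self.table[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        if dst != self.hide_addr or dport not in self.reverse:
            return None                       # no matching session: dropped
        real_src, real_sport = self.reverse[dport]
        return (src, sport, real_src, real_sport)

    def answers_arp_for(self, ip):
        # LAN hosts and 200.1.1.1 ARP for the hide address; the firewall must
        # answer (proxy ARP) or the reply never leaves the LAN segment.
        return ip == self.hide_addr


if __name__ == "__main__":
    client = "10.9.0.5"
    path = build_return_path()
    print("reply to real dial-in address dropped at:", trace_reply(path, client))
    path[0].add(DIALUP_POOL, "leased-line")   # fix 1: route the pool on every hop
    path[1].add(DIALUP_POOL, FIREWALL_LAN_IP)
    print("after adding routes, dropped at:", trace_reply(path, client))
    nat = HideNAT(NAT_HIDE_ADDR, DIALUP_POOL)  # fix 2: hide NAT, routes untouched
    out = nat.outbound(client, 40000, PROXY, 8080)
    print("translated outbound:", out)
    print("reply to hide address dropped at:", trace_reply(build_return_path(), out[0]))
    print("untranslated reply:", nat.inbound(PROXY, 8080, out[0], out[1]))
```

The two fixes are alternatives: once the clients are hidden behind 200.1.1.200 no hop needs a route to 10.9.0.0/24, which is why Matt prefers it when the parent company's routers are out of your control. The `inbound` check is also the reason Matt warns against reusing the firewall's own LAN address as the hide address: replies to that address have to be distinguished from traffic meant for the firewall itself.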
 
LVL 5

Expert Comment

by:zenlion420
ID: 9816007
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9820941
I recommend split between Geoffryn and Matt, and PAQ it (I don't know much about checkpoint, but Matt and Geoff's comments sounded reasonable - they might work)

Cheers,
-Jon

0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9872035
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ - no points refunded

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

zenlion420
EE Page Editor
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9872305
Sorry Captain.  I somehow missed your post when I was reading.  I stopped at my ping.  Anyway, if you would like this rec changed, let me know.

aloha,

j
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 9922482
PAQed - no points refunded (of 100)

modulo
Community Support Moderator
0