  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298

How do I add a router in Checkpoint?

This is my scenario:

I have 95 & 2000 laptops dialing a Cisco 3600 on our LAN. Traffic here is monitored by Checkpoint V3 on NT.

LAN desktops can browse the internet via our parent company's proxy; the traffic simply routes over a leased line. The IP address for the default gateway on the LAN is 200.1.1.1 which is the router at our end of the leased line.

Trouble is, laptops that are dialled up cannot browse the internet. Doing a traceroute to any IP address on the other side of the router results in the traffic stopping at 200.1.1.1.

Presumably, I need to configure the FW to allow certain traffic to flow over the router, but how should I do it?
1 Solution
 
geoffrynCommented:
Are the IP addresses being assigned to the dialup clients NATed or on a different subnet than the LAN? You may need to add a route. Additionally, if the addresses are not contained in the network object of the FW then you will need to create a new object and assign it to the rule base.
 
darrenwhiteAuthor Commented:
The remote IP addresses are on a different subnet.
 
geoffrynCommented:
Then you should take a close look at how the network objects in FW-1 are configured and check the router to make sure that it has a route back to the remote subnet.
 
mikecrCommented:
Personally I wouldn't bring them back to the firewall. If your Cisco is the gateway to the Checkpoint, I would put an access list on the router to put all traffic not destined for the internet through the firewall from those dial-in IPs. This way you only come through the firewall for anything on the local LAN and the rest would go to the internet. Your default route on the router would then take over and put them onto the internet. I think right now you're routing them back into the LAN but you don't have a route to put them back out through the firewall onto the internet.
 
The--CaptainCommented:
What did Checkpoint customer support have to say? That would be my first line of attack, considering how much $$ they make you pay for what is, IMO, a rather crappy device.

Cheers,
-Jon
 
matt_t1Commented:
Darren,

I assume you are describing your RAS solution where users dial in to a 3600, which is then connected to your firewall, which connects them through to the local LAN. If this is the case then you have two things to consider for allowing the RAS users to get to the internet: the firewall rules, and IP routing.

Assuming the firewall rules permit the RAS users (source=RAS IP, dest=Proxy server, service=http etc), then it is most likely a routing problem as geoffryn says.

There are now two ways you could solve this routing issue. The first is to make sure that all the gateways between the RAS users and the proxy server have valid routes to both ends. It's no use the RAS users being able to route traffic to the proxy if it then has no idea about how to get the replies back to them. However, this will involve getting some kind of help from your parent company to check the routing on the proxy and on their gateways.

The way I would do this would be to use NAT on the RAS firewall to hide the real RAS IP addresses as local LAN addresses. You would need to allocate a range of IP addresses on the local LAN that aren't used, and reserve them for the RAS translations. You don't need to have a 1-to-1 relationship as you can NAT multiple RAS clients onto the same local LAN IP (even down to a single address). In this case you would set up a NAT rule something like this:

Source            - RAS client IP address
Dest              - any
Service           - any
Translated Source - LAN address for RAS client NAT
Translated Dest   - Original
Translated Service- Original

Depending on your security rules setup, you may also need to add a security rule that permits both the real and NATted source addresses to access the net via the proxy server.

You then need to make sure that the firewall is offering a proxy ARP response for the NAT address, otherwise traffic won't make it back to the real clients. I think CheckPoint deals with this automatically under NT, but I'd recommend checking www.phoneboy.com (or your firewall docs!) to be sure.

One thing: although it looks like it should work, don't be tempted to use the firewall's IP address on the local LAN as the RAS NAT address. CheckPoint don't recommend it, and it can give you some really spooky problems.

One last thing: you said CheckPoint v3. That's so old I've never even heard of it. We are now up to "NG" (Next Generation, really just v5.0) Feature Pack 2, having spent a lot of time over the past couple of years with v4.0 and v4.1. If you really are still on v3 then I would strongly recommend upgrading. There are sure to be vulnerabilities out there that cannot be fixed in 3, so you may be negating the whole point of having a firewall by running such a low version.

Because CP will try to get $$$ for the licenses if you do decide to upgrade, I would recommend that you look at the firewall backwards. It has a large number of IP addresses on one side (the inside local LAN), and a small number on the other side, limited to how many lines the router has for dial-in. I would suggest setting the "external" interface to be the internal LAN interface, and hence reducing the licensing costs to a license covering the number of RAS users you have. You are then saved from the horrors of an "unlimited" CheckPoint moneyspinner.

I hope all of this helps,

Matt.
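The symptom in the question (the reply dies at the LAN router) and the two fixes matt_t1 describes, a static route back versus hide NAT with proxy ARP, as an added Python model that is not part of this thread. Only 200.1.1.1 comes from the question; the RAS pool, firewall LAN IP, hide-NAT address and proxy address are constructed assumptions.

```python
import ipaddress

# Constructed topology: 200.1.1.1 is the LAN router from the question; the
# RAS pool, firewall LAN IP, hide-NAT address and proxy are assumed values.
RAS_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed dial-in pool on the 3600
LAN_NET = ipaddress.ip_network("200.1.1.0/24")   # assumed LAN prefix
ROUTER = "200.1.1.1"                             # LAN default gateway (from the question)
FW_LAN_IP = "200.1.1.2"                          # assumed firewall LAN interface
HIDE_NAT_IP = "200.1.1.250"                      # assumed spare LAN address for hide NAT
PROXY = "192.168.50.10"                          # assumed parent-company proxy

# Router table as described: LAN directly connected, everything else over the leased line.
ROUTER_DEFAULT = [(LAN_NET, "connected"), (ipaddress.ip_network("0.0.0.0/0"), "leased-line")]
# Fix 1 (geoffryn / matt_t1): a static route back to the RAS subnet via the firewall.
ROUTER_WITH_ROUTE = ROUTER_DEFAULT + [(RAS_NET, FW_LAN_IP)]


def next_hop(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    ip = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in table if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def reply_path(client, router_table, hide_nat=False, proxy_arp=True):
    """Trace the proxy's reply back toward a dial-in client.

    hide_nat models Fix 2: the client's source was translated to HIDE_NAT_IP on
    the way out, so the reply is addressed to a LAN address the router already
    knows. proxy_arp models whether the firewall answers ARP for that address.
    Returns the hop list; the last element is the client or a DROPPED reason."""
    dst = HIDE_NAT_IP if hide_nat else client
    hops = [PROXY, ROUTER]
    hop = next_hop(router_table, dst)
    if hop in (None, "leased-line"):
        # The question's symptom: the router has no route to the RAS subnet.
        return hops + [f"DROPPED: {ROUTER} has no route to {dst}"]
    if hop == "connected":
        # Router ARPs on the LAN; only the firewall's proxy ARP answers for the NAT address.
        if dst == HIDE_NAT_IP and not proxy_arp:
            return hops + [f"DROPPED: nobody answers ARP for {dst}"]
        hop = FW_LAN_IP
    # The firewall undoes any translation and forwards to the real client.
    return hops + [hop, client]
```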
 
zenlion420Commented:
This question has been classified as abandoned. I will make a recommendation to the moderators on its resolution in approximately one week. I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
 
The--CaptainCommented:
I recommend a split between Geoffryn and Matt, and PAQ it (I don't know much about Checkpoint, but Matt and Geoff's comments sounded reasonable; they might work).

Cheers,
-Jon
 
zenlion420Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ - no points refunded

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

zenlion420
EE Page Editor
 
zenlion420Commented:
Sorry Captain. I somehow missed your post when I was reading. I stopped at my ping. Anyway, if you would like this rec changed, let me know.

aloha,

j
 
moduloCommented:
PAQed - no points refunded (of 100)

modulo
Community Support Moderator