
How do I add a router in Checkpoint?

Posted on 2002-06-12
Last Modified: 2013-11-16
This is my scenario:

I have 95 & 2000 laptops dialing a Cisco 3600 on our LAN. Traffic here is monitored by Checkpoint V3 on NT.

LAN desktops can browse the internet via our parent company's proxy; the traffic simply routes over a leased line. The IP address for the default gateway on the LAN is 200.1.1.1 which is the router at our end of the leased line.

Trouble is, laptops that are dialled up cannot browse the internet. Doing a traceroute to any IP address on the other side of the router, results in the traffic stopping at 200.1.1.1

Presumably, I need to configure the FW to allow certain traffic to flow over the router, but how should I do it?
Question by:darrenwhite
11 Comments
Expert Comment by geoffryn (LVL 11)
Are the IP addresses being assigned to the dialup clients NATed or on a different subnet than the LAN?  You may need to add a route.  Additionally, if the addresses are not contained in the network object of the FW then you will need to create a new object and assign it to the rule base.
Author Comment by darrenwhite
The remote IP addresses are on a different subnet.
Expert Comment by geoffryn (LVL 11)
Then you should take a close look at how the network objects in FW-1 are configured and check the router to make sure that it has a route back to the remote subnet.
Expert Comment by mikecr (LVL 17)
Personally I wouldn't bring them back to the firewall. If your Cisco is the gateway to the Checkpoint, I would put an access list on the router to put all traffic not destined for the internet through the firewall from those dial-in IPs. This way you only come through the firewall for anything on the local LAN and the rest would go to the internet. Your default route on the router would then take over and put them onto the internet. I think right now you're routing them back into the LAN but you don't have a route to put them back out through the firewall onto the internet.
Expert Comment by The--Captain (LVL 16)
What did checkpoint customer support have to say?  That would be my first line of attack, considering how much $$ they make you pay for what is, IMO, a rather crappy device.

Cheers,
-Jon
Expert Comment by matt_t1 (LVL 1)
Darren,

I assume you are describing your RAS solution where users dial in to a 3600, which is then connected to your Firewall, which connects them through to the local LAN.  If this is the case then you have two things to consider for allowing the RAS users to get to the internet:  the firewall rules, and IP routing.

Assuming the firewall rules permit the RAS users (source=RAS IP, dest=Proxy server, service=http etc), then it is most likely a routing problem as geoffryn says.

There are now 2 ways you could solve this routing issue.  The first is to make sure that all the gateways between the RAS users and the proxy server have valid routes to both ends.  It's no use the RAS users being able to route traffic to the proxy if it then has no idea about how to get the replies back to them.  However, this will involve getting some kind of help from your parent company to check the routing on the proxy and on their gateways.

The way I would do this would be to use NAT on the RAS firewall to hide the real RAS ip addresses as local LAN addresses.  You would need to allocate a range of IP addresses on the local LAN that aren't used, and reserve them for the RAS translations.  You don't need to have a 1-to-1 relationship as you can NAT multiple RAS clients onto the same local LAN IP (even down to a single address).  In this case you would set up a NAT rule something like this:

Source            - RAS client IP address
Dest              - any
Service           - any
Translated Source - LAN address for RAS client NAT
Translated Dest   - Original
Translated Service- Original

Depending on your security rules setup, you may also need to add a security rule that permits both the real and NATted source addresses to access the net via the proxy server.

You then need to make sure that the firewall is offering a proxy ARP response for the NAT address, otherwise traffic won't make it back to the real clients.  I think CheckPoint deals with this automatically under NT, but I'd recommend checking www.phoneboy.com (or your firewall docs!) to be sure.

One thing - although it looks like it should work, don't be tempted to use the firewall's IP address on the local LAN as the RAS NAT address.  CheckPoint don't recommend it, and it can give you some really spooky problems.

One last thing - you said CheckPoint v3.  That's so old I've never even heard of it.  We are now up to "NG" (Next Generation, really just v5.0) Feature Pack 2, having spent a lot of time over the past couple of years with v4.0 and v4.1.  If you really are still on v3 then I would strongly recommend upgrading.  There are sure to be vulnerabilities out there that cannot be fixed in 3, so you may be negating the whole point of having a firewall by running such a low version.

Because CP will try to get $$$ for the licenses if you do decide to upgrade, I would recommend that you look at the firewall backwards.  It has a large number of IP addresses on one side (the inside local LAN), and a small number on the other side - limited to how many lines the router has for dial in.  I would suggest setting the "external" interface to be the internal LAN interface, and hence reducing the licensing costs to a license covering the number of RAS users you have.  You are then saved from the horrors of an "unlimited" CheckPoint moneyspinner.

I hope all of this helps,

Matt.
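A worked model of the hide-NAT arrangement Matt describes above (many RAS clients translated onto one spare LAN address, with replies mapped back to the real client), added here as an example; it is not code from the thread or from Check Point. Every address in it is constructed: a RAS pool of 192.168.50.0/24, the LAN 200.1.1.0/24 with the leased-line router at 200.1.1.1, a firewall LAN address of 200.1.1.2, a parent-company proxy at 10.0.0.8, and 200.1.1.50 reserved as the hide address. The `check_hide_address` helper encodes two points from the post: the hide address must live on the LAN so the router can reach it, and it must not be the firewall's own interface address.

```python
"""Hide NAT for dial-in (RAS) clients, modelled in Python.

Added example, not from the thread or from Check Point. All addresses are
constructed: RAS pool 192.168.50.0/24, LAN 200.1.1.0/24 with the leased-line
router at 200.1.1.1, firewall LAN address 200.1.1.2, parent-company proxy
10.0.0.8, and 200.1.1.50 reserved as the hide address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def check_hide_address(hide_addr: str, lan_net: str, fw_lan_addr: str) -> bool:
    """Return True if hide_addr is a usable NAT address on the LAN.

    Raises if it is the firewall's own interface address (the post warns
    against that); returns False if it lies outside the LAN, in which case
    the LAN router has no route for the replies.
    """
    if hide_addr == fw_lan_addr:
        raise ValueError("do not hide RAS clients behind the firewall's own IP")
    return ipaddress.ip_address(hide_addr) in ipaddress.ip_network(lan_net)


class HideNat:
    """Many-to-one source NAT: every RAS client leaves as hide_addr."""

    def __init__(self, ras_net: str, hide_addr: str, first_port: int = 10000):
        self.ras_net = ipaddress.ip_network(ras_net)
        self.hide_addr = hide_addr
        self.next_port = first_port
        self.by_port = {}    # translated source port -> (real src, real sport)
        self.by_client = {}  # (real src, real sport) -> translated source port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the RAS side towards the LAN/proxy."""
        if ipaddress.ip_address(pkt.src) not in self.ras_net:
            return pkt  # LAN desktops are not translated
        key = (pkt.src, pkt.sport)
        port = self.by_client.get(key)
        if port is None:
            # New session: pick a fresh source port so replies are distinguishable
            port = self.next_port
            self.next_port += 1
            self.by_port[port] = key
            self.by_client[key] = port
        return Packet(self.hide_addr, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Undo the translation for a reply addressed to the hide address."""
        if pkt.dst != self.hide_addr:
            return pkt
        real = self.by_port.get(pkt.dport)
        if real is None:
            return None  # no session state: nothing to deliver to
        return Packet(pkt.src, pkt.sport, real[0], real[1])


def proxy_session(nat: HideNat, client: str, sport: int, proxy: str, pport: int):
    """One request/reply through the NAT; returns what the client receives."""
    out = nat.outbound(Packet(client, sport, proxy, pport))
    # The proxy only ever sees the hide address and answers to it; whether
    # that answer reaches the firewall at all is the proxy-ARP question.
    reply = Packet(proxy, pport, out.src, out.sport)
    return nat.inbound(reply)


if __name__ == "__main__":
    assert check_hide_address("200.1.1.50", "200.1.1.0/24", "200.1.1.2")
    nat = HideNat("192.168.50.0/24", "200.1.1.50")
    print(proxy_session(nat, "192.168.50.7", 3456, "10.0.0.8", 8080))
```

The model shows why the return path matters as much as the outbound rule: a reply that arrives for a port with no table entry is dropped, and a reply that never reaches the firewall (because nothing on the LAN answers ARP for 200.1.1.50) never gets as far as `inbound` at all.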
Expert Comment by zenlion420 (LVL 5)
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
Expert Comment by The--Captain (LVL 16)
I recommend split between Geoffryn and Matt, and PAQ it (I don't know much about checkpoint, but Matt and Geoff's comments sounded reasonable - they might work)

Cheers,
-Jon

Expert Comment by zenlion420 (LVL 5)
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ - no points refunded

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

zenlion420
EE Page Editor
Expert Comment by zenlion420 (LVL 5)
Sorry Captain.  I somehow missed your post when I was reading.  I stopped at my ping.  Anyway, if you would like this rec changed, let me know.

aloha,

j
Accepted Solution by modulo (earned 0 total points)
PAQed - no points refunded (of 100)

modulo
Community Support Moderator