adding 2nd subnet to same checkpoint interface

Hi all,

This is my first entry into ee and I'm hoping someone can help me with this problem that I have been trying to resolve for 2 weeks. Here goes...

I have just installed 2 Nokia IP380s in HA configuration with Check Point NG AI R55. Everything works fine.
Because we have exhausted our currently assigned 32 IP addresses I had to request another from our ISP. They assigned me an additional subnet (non-contiguous).
I have configured the external Cisco 1703 router with the first address of the new range, and configured it as secondary. I believe the routing from the outside world to the firewall (via the Cisco router) works fine. I can ping the FW and router from each other.

My problem is that I cannot access any server that has any of the new addresses assigned from the Internet (via NAT in the FW). It works OK if I assign one of the current addresses.

I have configured each FW with an IP address from the new range (by adding it as an additional IP to the interface). I did this with Voyager.
I then added another interface, 'test1' and 'test2', in the topology of Check Point's FW objects and assigned the same IP address as per their IPSO config. Note that this has not been added to the cluster object, just each of the FW objects.

I can log on to any server on any of the 5 internal networks and ping a server that has the new public address assigned to it, and I get a response. But when I try to achieve this externally it times out after hitting our external router interface.

I urgently need this resolved and would give a million points if I could.


Just wanted to know... you added the IP address from the new range to the interface....
Do you really need to do so? If you don't have any of the FW to speak and you don't want to segment, then you can just define this network as internal...
If that's not the case, can you check from the CP logs what exactly is happening when you are trying to access the IP from external... Make sure you enable the "XlatedSource/Destination, XlatedSourcePort etc..." to give a better idea..
joedohertyAuthor Commented:

I'm not quite sure I understand what you are saying...

All I want to do is be able to use the newly assigned IP range on various servers on our DMZ (just like we do with the current IP range). These will be configured via a rule that contains objects with internal IP addresses and static NAT defined.

Obviously I need to configure the external router with an address from the new range - this has been done.

Do I need to configure IPSO on each FW with an IP address from the new range?
Do I need to configure any routes in IPSO?

What exactly do I need to do in Check Point FW to allow someone on the Internet to access servers using the new range?

:) Yes, you need to configure your router.
IPSO you don't need.
IPSO routing must be updated so the FW can reach the new machine. The easiest way I can say is ....
For example, your internal machine is having and your new external IP address is X.X.X.1. Then on IPSO you must add the static route X.X.X.1 to . And on Check Point modify the rulebase to reflect the same translation (NAT)..

Then your router (IPSO connected to the router, I assume) must know that X.X.X.1 is on IPSO. That means the routing must be configured on the router as well..

Hope it's clear...

Say Router (A.A.A.A), IPSO (B.B.B.B), New Public IP (X.X.X.1), Internal (

1. Router > X.X.X.1 SubnetMask B.B.B.B
2. IPSO > X.X.X.1
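The answer above names three places that must agree before a host in the new public range is reachable from the Internet: the router's route (or connected subnet), the firewall's static NAT entry, and the firewall's route to the internal server. As an added example (not from the thread or from Check Point), the following Python checker walks those three hops for one mapping and reports what is missing; all addresses are constructed placeholders (203.0.113.0/27 as the old range, 198.51.100.0/28 as the new non-contiguous block).

```python
import ipaddress

def covering_route(routes, dest):
    """Most specific (network, next_hop) in routes covering dest, or None."""
    best = None
    for net, hop in routes.items():
        n = ipaddress.ip_network(net)
        if dest in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best

def check_static_nat(public_ip, internal_ip, *, router_subnets, router_routes,
                     fw_external_addrs, fw_routes, nat_rules):
    """Return a list of problems (empty = every hop agrees) for one static
    NAT mapping public_ip -> internal_ip (both given as dotted strings).

    router_subnets:    subnets on the router's inside interface (primary + secondary)
    router_routes:     {destination: next_hop} static routes on the router
    fw_external_addrs: addresses on the firewall's external interface
    fw_routes:         {destination: next_hop} static routes on the firewall
    nat_rules:         {public_ip: internal_ip} static NAT on the firewall
    """
    pub = ipaddress.ip_address(public_ip)
    internal = ipaddress.ip_address(internal_ip)
    fw_addrs = {ipaddress.ip_address(a) for a in fw_external_addrs}
    connected = [ipaddress.ip_network(s) for s in router_subnets
                 if pub in ipaddress.ip_network(s)]
    problems = []

    # Hop 1, the router: either a static route for the public address whose
    # next hop is the firewall, or a connected subnet on which the firewall
    # itself holds an address (so the firewall can answer ARP for the range).
    route = covering_route(router_routes, pub)
    if route is not None:
        if ipaddress.ip_address(route[1]) not in fw_addrs:
            problems.append(f"router: route for {pub} goes to {route[1]}, not the firewall")
    elif connected:
        if not any(a in net for net in connected for a in fw_addrs):
            problems.append(f"router: {pub} is connected but the firewall has no address in that subnet")
    else:
        problems.append(f"router: no connected subnet or route for {pub}")

    # Hop 2, the firewall rulebase: a static NAT entry for the public address.
    if nat_rules.get(public_ip) != internal_ip:
        problems.append(f"firewall: no static NAT for {pub} -> {internal}")

    # Hop 3, firewall routing: the translated packet must reach the server.
    if covering_route(fw_routes, internal) is None:
        problems.append(f"firewall: no route to internal host {internal}")
    return problems
```

Run it once with the intended final configuration and once with the configuration as it stood before the fix; the second run lists exactly the hops still to be configured.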

joedohertyAuthor Commented:
Many thanks - worked nicely!

You are welcome and Thx...

Question has a verified solution.