
adding 2nd subnet to same checkpoint interface

Hi all,

This is my first entry into ee and I'm hoping someone can help me with this problem that I have been trying to resolve for 2 weeks. Here goes...

I have just installed 2 Nokia IP380s in HA configuration with Check Point NG AI R55. Everything works fine.
Because we have exhausted our currently assigned 32 IP addresses I had to request another from our ISP. They assigned me an additional subnet (non-contiguous).
I have configured the external Cisco 1703 router with the first address of the new range, and configured it as secondary. I believe the routing from the outside world to the firewall (via the Cisco router) works fine. I can ping the fw and router from each other.

My problem is that I cannot access any server that has any of the new addresses assigned from the internet (via nat in the fw). It works ok if I assign one of the current addresses.

I have configured each fw with an IP address from the new range (by adding it as an additional IP to the interface). I did this with Voyager.
I then added another interface 'test1' and 'test2' in the topology of Check Point's fw objects and assigned the same IP address as per their IPSO config. Note that this has not been added to the cluster object, just each of the fw objects.

I can log on to any server on any of the 5 internal networks and ping a server that has the newly public address assigned to it, and I get a response. But when I try to achieve this externally it times out after hitting our external router interface.

I urgently require this resolving and would give a million points if I could.

1 Solution
Just wanted to know... Added the IP address from the new range to the interface....
Do you really need to do so? If you don't have any of the FW to speak and you don't want to segment, then you can just define this network as internal...
If that's not the case, can you check from the CP logs what exactly is happening when you are trying to access the IP from external... Make sure you enable the "XlatedSource/Destination, XlatedSourcePort etc..." to give a better idea..
joedohertyAuthor Commented:

I'm not quite sure I understand what you are saying...

All I want to do is be able to use the newly assigned ip range on various servers on our DMZ (just like we do with the current ip range). These will be configured via a rule that contains objects with internal ip addresses and static NAT defined.

Obviously I need to configure the external router with an address from the new range - this has been done.

Do I need to configure IPSO on each FW with an ip address from the new range?
Do I need to configure any routes in IPSO?

What exactly do I need to do in Checkpoint FW to allow someone on the Internet to access servers using the new range?

:) Yes you need to configure your router.
IPSO you don't need.
IPSO routing must be updated so the FW can reach the new machine.. The easiest way I can say is ....
for example your internal machine is having and your new external IP address X.X.X.1. Then on IPSO you must add the static route X.X.X1 to . And on Check Point modify the rulebase to reflect the same translation. (NAT)..

Then your router (IPSO connected to the router, I assume) must know this X.X.X.1 is on IPSO. That means the routing must be configured on the router as well..

Hope it's clear...

Say Router ( A.A.A.A) IPSO ( B.B.B.B). New Public IP ( X.X.X.1) Internal(

1. Router >  X.X.X.1 SubnetMask B.B.B.B
2.IPSO> X.X.X.1
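As an added illustration of the three pieces the expert lists (a router route for the new range towards IPSO, an IPSO route to the internal host, and a Check Point static NAT entry), here is a small Python model of the inbound path that reports whichever piece is missing. It is not from the original thread and uses constructed documentation addresses in place of the poster's real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (RFC 5737 documentation addresses, not the
# poster's real ones): the router's current /27 plus the new, non-contiguous /29.
ROUTER = {
    "addr": "203.0.113.1",
    "routes": [("0.0.0.0/0", "upstream"), ("203.0.113.0/27", "connected"),
               ("198.51.100.0/29", "203.0.113.2")],   # new range -> IPSO
}
FIREWALL = {
    "addr": "203.0.113.2",
    "routes": [("0.0.0.0/0", "203.0.113.1"), ("10.10.0.0/16", "connected")],
    "nat": {"198.51.100.1": "10.10.5.20"},             # static NAT, public -> DMZ host
}

def longest_match(routes, dst):
    """Next hop for dst from [(prefix, next_hop)]; the most specific prefix wins."""
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def check_inbound(router, firewall, public_ip, src="192.0.2.10"):
    """Walk Internet -> router -> firewall -> static NAT -> internal host, then
    the return path, and list every missing piece (empty list means OK)."""
    dst, problems = ip_address(public_ip), []
    # Router must hand the new address to IPSO (or have it directly connected).
    if longest_match(router["routes"], dst) not in (firewall["addr"], "connected"):
        problems.append(f"router: no route for {dst} towards the firewall")
    internal = firewall["nat"].get(str(dst))
    if internal is None:
        problems.append(f"firewall: no static NAT entry for {dst}")
    elif longest_match(firewall["routes"], ip_address(internal)) is None:
        problems.append(f"firewall: IPSO has no route to internal {internal}")
    # Replies from the DMZ host must go back out via the router.
    if longest_match(firewall["routes"], ip_address(src)) != router["addr"]:
        problems.append("firewall: return traffic is not routed back to the router")
    return problems

def without_router_route():
    """Same topology with the new-range route left off the router: the packet
    follows the router's default route upstream and never reaches IPSO."""
    router = dict(ROUTER, routes=[r for r in ROUTER["routes"] if r[0] != "198.51.100.0/29"])
    return check_inbound(router, FIREWALL, "198.51.100.1")

if __name__ == "__main__":
    print(check_inbound(ROUTER, FIREWALL, "198.51.100.1"))   # []
    print(without_router_route())
```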
joedohertyAuthor Commented:
Many thanks - worked nicely!

You are welcome and thanks...
