Solved

adding 2nd subnet to same checkpoint interface

Posted on 2005-04-05
Last Modified: 2013-11-16
Hi all,

This is my first entry into ee and I'm hoping someone can help me with this problem that I have been trying to resolve for 2 weeks. Here goes...

I have just installed 2 Nokia IP380s in HA configuration with Checkpoint NG AI R55. Everything works fine.
Because we have exhausted our currently assigned 32 IP addresses I had to request another from our ISP. They assigned me an additional subnet (non-contiguous).
I have configured the external Cisco 1703 router with the first address of the new range, and configured it as secondary. I believe the routing from the outside world to the firewall (via the Cisco router) works fine. I can ping the FW and router from each other.

My problem is that I cannot access any server that has any of the new addresses assigned from the Internet (via NAT in the FW). It works OK if I assign one of the current addresses.

I have configured each FW with an IP address from the new range (by adding it as an additional IP to the interface). I did this with Voyager.
I then added another interface 'test1' and 'test2' in the topology of Checkpoint's FW objects and assigned the same IP address as per their IPSO config. Note that this has not been added to the cluster object, just each of the FW objects.

I can log on to any server on any of the 5 internal networks and ping a server that has the newly public address assigned to it, and I get a response. But when I try to achieve this externally it times out after hitting our external router interface.

I urgently require this resolving and would give a million points if I could.

Joe
Question by:joedoherty
5 Comments
 
LVL 12

Expert Comment

by:srikrishnak
ID: 13706512
Just wanted to know... you added the IP address from the new range to the interface....
Do you really require to do so? If you don't have any of the FWs to speak and you don't want to segment, then you can just define this network as internal...
If that's not the case, can you check from the CP logs what exactly is happening when you are trying to access the IP from external... Make sure you enable the "XlatedSource/Destination, XlatedSourcePort etc..." to give a better idea.
 

Author Comment

by:joedoherty
ID: 13707182
srikrishnak,

I'm not quite sure I understand what you are saying...

All I want to do is be able to use the newly assigned IP range on various servers on our DMZ (just like we do with the current IP range). These will be configured via a rule that contains objects with internal IP addresses and static NAT defined.

Obviously I need to configure the external router with an address from the new range - this has been done.

Do I need to configure IPSO on each FW with an IP address from the new range?
Do I need to configure any routes in IPSO?

What exactly do I need to do in Checkpoint FW to allow someone on the Internet to access servers using the new range?

Joe
 
LVL 12

Accepted Solution

by: srikrishnak (earned 2000 total points)
ID: 13713699
:) Yes, you need to configure your router.
IPSO you don't need.
IPSO routing must be updated so the FW can reach the new machine. The easiest way I can say is...
For example, your internal machine has 10.10.10.1 and your new external IP address is X.X.X.1. Then on IPSO you must add the static route X.X.X.1 to 10.10.10.1. And on Checkpoint modify the rulebase to reflect the same translation (NAT).

Then your router (IPSO connected to the router, I assume) must know that X.X.X.1 is on IPSO. That means the routing must be configured on the router as well.

Hope it's clear...

Say Router (A.A.A.A), IPSO (B.B.B.B), New Public IP (X.X.X.1), Internal (10.10.10.1):

1. Router > X.X.X.1 SubnetMask B.B.B.B
2. IPSO > X.X.X.1 10.10.10.1
3. IPSO (CP) NAT MUST REFLECT.
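The three steps in the accepted solution, as an added worked example that is not code from the original thread: a small Python model of longest-prefix-match forwarding on the router, followed by static NAT and an internal route on the firewall. All addresses are constructed from the RFC 5737 documentation ranges and stand in for the A.A.A.A, B.B.B.B, X.X.X.1 and 10.10.10.1 placeholders above; the node names and interface labels are likewise invented for the example. It shows one mechanism that matches the symptom in the question: when the new range is only a secondary connected subnet on the router, the router ARPs for X.X.X.1 itself, and a firewall that neither owns nor proxy-ARPs for that address never answers, so the packet dies at the router. A more-specific host route to B.B.B.B (step 1) hands the packet to the firewall, where the NAT rule (step 3) and an internal route (step 2) deliver it.

```python
import ipaddress

# Constructed sample addresses (RFC 5737 documentation ranges) standing in for
# the placeholders used in the accepted answer. Not the asker's real addresses.
ROUTER_EXT = "203.0.113.1"        # A.A.A.A: router's address in the original block
FIREWALL_EXT = "203.0.113.2"      # B.B.B.B: IPSO/Checkpoint external address
OLD_RANGE = "203.0.113.0/27"      # the original 32-address block
NEW_RANGE = "198.51.100.16/28"    # the non-contiguous block added by the ISP
ROUTER_NEW = "198.51.100.17"      # first address of the new block, on the router
NEW_PUBLIC = "198.51.100.18"      # X.X.X.1: public address for a DMZ server
INTERNAL_SERVER = "10.10.10.1"    # real address of that server behind static NAT
DMZ_NET = "10.10.10.0/24"


class Node:
    """Forwarder with a longest-prefix-match routing table.

    A route whose next_hop is None is a connected route: the node resolves the
    destination itself with ARP on that interface instead of a gateway.
    """

    def __init__(self, name, addresses):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = []  # (network, next_hop, interface)

    def add_route(self, prefix, next_hop=None, interface="external"):
        nh = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.routes.append((ipaddress.ip_network(prefix), nh, interface))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def answers_arp_for(self, ip):
        # Only real interface addresses are answered; no proxy ARP is modelled.
        return ipaddress.ip_address(ip) in self.addresses


class Firewall(Node):
    """Node with a static destination-NAT table (public -> internal)."""

    def __init__(self, name, addresses):
        super().__init__(name, addresses)
        self.static_nat = {}

    def add_static_nat(self, public, internal):
        self.static_nat[ipaddress.ip_address(public)] = ipaddress.ip_address(internal)

    def translate(self, dst):
        dst = ipaddress.ip_address(dst)
        return self.static_nat.get(dst, dst)


def trace(router, firewall, dst):
    """Follow an inbound packet from the border router; the last step is the outcome."""
    steps = []
    route = router.lookup(dst)
    if route is None:
        return steps + [f"{router.name}: no route to {dst}"]
    net, next_hop, _ = route
    arp_target = ipaddress.ip_address(dst) if next_hop is None else next_hop
    steps.append(f"{router.name}: {dst} matches {net}, ARP for {arp_target}")
    if not firewall.answers_arp_for(arp_target):
        return steps + [f"timeout: nobody answers ARP for {arp_target}"]
    inside = firewall.translate(dst)
    steps.append(f"{firewall.name}: static NAT {dst} -> {inside}")
    fw_route = firewall.lookup(inside)
    if fw_route is None:
        return steps + [f"{firewall.name}: no route to {inside}"]
    if fw_route[2] == "external":
        return steps + [f"loop: {firewall.name} sends {inside} back out external"]
    return steps + [f"delivered: {inside} via {fw_route[2]}"]


def build_topology(router_host_route, nat_rule):
    router = Node("cisco1703", [ROUTER_EXT, ROUTER_NEW])
    router.add_route(OLD_RANGE)            # primary address: connected
    router.add_route(NEW_RANGE)            # secondary address: also connected
    if router_host_route:                  # step 1: X.X.X.1 reachable via B.B.B.B
        router.add_route(f"{NEW_PUBLIC}/32", next_hop=FIREWALL_EXT)
    fw = Firewall("ipso-cluster", [FIREWALL_EXT])
    fw.add_route(OLD_RANGE)
    fw.add_route("0.0.0.0/0", next_hop=ROUTER_EXT)
    fw.add_route(DMZ_NET, interface="dmz")  # step 2: route to the internal server
    if nat_rule:                            # step 3: the NAT rule in the rulebase
        fw.add_static_nat(NEW_PUBLIC, INTERNAL_SERVER)
    return router, fw


def outcome(router_host_route=True, nat_rule=True):
    router, fw = build_topology(router_host_route, nat_rule)
    return trace(router, fw, NEW_PUBLIC)[-1]


if __name__ == "__main__":
    for host_route, nat in [(False, True), (True, False), (True, True)]:
        print(f"host route={host_route!s:5} nat={nat!s:5} -> {outcome(host_route, nat)}")
```

`outcome(False, True)` reproduces the question's symptom (a timeout at the router) even though the NAT rule is in place, and `outcome(True, False)` shows the other half-configured state, where the firewall has no translation and routes the public address straight back out. On a Cisco IOS router, step 1 in this form is a host route such as `ip route X.X.X.1 255.255.255.255 B.B.B.B`; that command is an assumption about the asker's configuration, which the thread does not show.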
 

Author Comment

by:joedoherty
ID: 13718942
Many thanks - worked nicely!

Joe
 
LVL 12

Expert Comment

by:srikrishnak
ID: 13723773
You are welcome, and thanks...
