Changing Checkpoint's Subnet!?!

Hello Experts

I need to reconfigure checkpoint onto a separate subnet (hidden from main LAN).  

We currently operate a flat network, for this example 192.168.0.0/255.255.0.0.  The IP of the firewall is currently 192.168.5.11/255.255.0.0.   Our default gateway configuration is rubbish, single interface doing stick routing (traffic in/out on same interface).

Client (192.168.10.10/255.255.0.0) -> Default Gateway (single interface 192.168.5.1/255.255.0.0) - > Firewall (192.168.5.11/255.255.0.0)

I need to change the default gateway to use two interfaces and checkpoint will be on the external side of the new default gateway config (with a new subnet)

Client (192.168.10.10/255.255.0.0) -> Default Gateway (internal interface 192.168.5.1/255.255.0.0) -> Default Gateway (external interface 192.168.5.10/255.255.255.248) - > Firewall (192.168.5.11/255.255.255.248)

I've written the routing table for a dual interface gateway correctly.  Tested these rules on a DSL router (connected to external interface on gateway) and they worked.   When I changed the subnet on checkpoint we lost all external connectivity.  Main error messages seen in checkpoint was :-

Information:       message_info: Dropped packet forwarded between two external interfaces

The step taken in checkpoint was

1. Change Physical Adapter IP information
2. Change Gateway IP information in Dashboard (VPN Communities)
3. Added 192.168.5.0 Network to Checkpoint.
4. Update Dashboard Topography to indicate 192.168.0.0 Network was behind 192.168.5.0 Network (VPN Communities)

So what did I miss, NAT perhaps???  Anyone know the logical steps to go through to change checkpoint's subnet....

MIS


 

LVL 1
missystemsAsked:
Who is Participating?
 
CetusMODConnect With a Mentor Commented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0
 
charan_jeetsinghCommented:
hi..i am really not able to understand ur requirement/setup..can u do some work on a diagram which u can post here...

thnx
Cj
0
 
zubijalalCommented:
in the topology--Ip spoofing .. window, change the topology of one of the interfaces to internal ...i suppose both interfaces will be set to external at present. it should work after that
0
 
missystemsAuthor Commented:
Hi

I've already tried our setup with IP spoofing disabled.  NO joy.  Sorry forgot to add that to my inital request 8(

MIS
0
 
missystemsAuthor Commented:
Figured this out

The firewall external "192.168.5.11/255.255.255.248" network is a theoretical sub-network of the internal "192.168.0.0/255.255.0.0" network.  (subnetted networks)

Default gateway would get confused about routing ;)

Fixed use different network range for external interface.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.