• Status: Solved
  • Priority: Medium
  • Security: Public

Changing Checkpoint's Subnet!?!

Hello Experts

I need to reconfigure checkpoint onto a separate subnet (hidden from main LAN).  

We currently operate a flat network, for this example 192.168.0.0/255.255.0.0.  The IP of the firewall is currently 192.168.5.11/255.255.0.0.   Our default gateway configuration is rubbish, single interface doing stick routing (traffic in/out on same interface).

Client (192.168.10.10/255.255.0.0) -> Default Gateway (single interface 192.168.5.1/255.255.0.0) -> Firewall (192.168.5.11/255.255.0.0)

I need to change the default gateway to use two interfaces and checkpoint will be on the external side of the new default gateway config (with a new subnet)

Client (192.168.10.10/255.255.0.0) -> Default Gateway (internal interface 192.168.5.1/255.255.0.0) -> Default Gateway (external interface 192.168.5.10/255.255.255.248) -> Firewall (192.168.5.11/255.255.255.248)

I've written the routing table for a dual interface gateway correctly. Tested these rules on a DSL router (connected to external interface on gateway) and they worked. When I changed the subnet on checkpoint we lost all external connectivity. The main error message seen in checkpoint was:

Information:       message_info: Dropped packet forwarded between two external interfaces

The steps taken in checkpoint were:

1. Change Physical Adapter IP information
2. Change Gateway IP information in Dashboard (VPN Communities)
3. Added 192.168.5.0 Network to Checkpoint.
4. Update Dashboard Topography to indicate 192.168.0.0 Network was behind 192.168.5.0 Network (VPN Communities)

So what did I miss, NAT perhaps???  Anyone know the logical steps to go through to change checkpoint's subnet....

MIS


 

charan_jeetsingh Commented:
Hi, I am really not able to understand your requirement/setup. Can you do some work on a diagram which you can post here?

Thanks
Cj
zubijalal Commented:
In the topology -- IP spoofing ... window, change the topology of one of the interfaces to internal. I suppose both interfaces will be set to external at present. It should work after that.
missystems (Author) Commented:
Hi

I've already tried our setup with IP spoofing disabled. No joy. Sorry, forgot to add that to my initial request 8(

MIS
missystems (Author) Commented:
Figured this out

The firewall external "192.168.5.11/255.255.255.248" network is a theoretical sub-network of the internal "192.168.0.0/255.255.0.0" network.  (subnetted networks)

Default gateway would get confused about routing ;)

Fixed: use a different network range for the external interface.
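The overlap described in the fix above can be caught before the change with a short check. This is an added example, not part of the original thread; the interface names and the 172.16.5.8/29 replacement range are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Addressing taken from the thread; interface names are hypothetical.
PLAN_BROKEN = {
    "gw-internal": "192.168.5.1/255.255.0.0",
    "gw-external": "192.168.5.10/255.255.255.248",
    "fw": "192.168.5.11/255.255.255.248",
}
# Same layout with a non-overlapping transit range (constructed, not from the thread).
PLAN_FIXED = {
    "gw-internal": "192.168.5.1/255.255.0.0",
    "gw-external": "172.16.5.10/255.255.255.248",
    "fw": "172.16.5.11/255.255.255.248",
}
CLIENT = "192.168.10.10/255.255.0.0"  # client from the thread


def find_overlaps(plan):
    """Return pairs of interfaces that sit on different but overlapping networks."""
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in plan.items()}
    found = []
    for (a, ia), (b, ib) in combinations(ifaces.items(), 2):
        # Two interfaces on the same segment share a network; that is not a conflict.
        if ia.network != ib.network and ia.network.overlaps(ib.network):
            found.append((a, b, str(ia.network), str(ib.network)))
    return found


def on_link(host_iface, dest):
    """True if a host with this address/mask would ARP for dest directly
    instead of sending the packet to its default gateway."""
    return ipaddress.ip_address(dest) in ipaddress.ip_interface(host_iface).network


def fw_address(plan):
    """Bare IP of the firewall interface in a plan."""
    return str(ipaddress.ip_interface(plan["fw"]).ip)


if __name__ == "__main__":
    for label, plan in (("broken", PLAN_BROKEN), ("fixed", PLAN_FIXED)):
        print(label, "overlaps:", find_overlaps(plan))
        print(label, "client sees firewall as on-link:",
              on_link(CLIENT, fw_address(plan)))
```

With the thread's addressing, the client's /16 mask covers the firewall's new address, so the client never hands that traffic to the gateway; with a disjoint transit range it does.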
CetusMOD Commented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
