Checkpoint AI/Express - Two public IP range, one unreachable - Firewalls


Thread: Checkpoint AI/Express - Two public IP range, one unreachable

  1. Checkpoint AI/Express - Two public IP range, one unreachable

    Hello,

    I have the following problem with the FW in subject :

    - I have two public IP ranges, X.X.X.X and Y.Y.Y.Y
    - I do static NAT. There is only one range of internal IPs.
    - On the external interface, there is only one IP address, the one in
    the range X.X.X.X
    - The router in front of the firewall routes everything bound to
    Y.Y.Y.Y to the external address in the range X.X.X.X

    In some cases, the traffic to/from Y.Y.Y.Y is accepted (as it should
    be); in other cases nothing appears in the logs, but there is no drop
    or reject. I have double checked that I did not make any errors in
    the NAT configuration for the objects, and had this cross checked by a
    colleague. No problem at this level.

    Range Y.Y.Y.Y is _not_ reachable from outside, _HOWEVER_ I can see
    that _some_ traffic goes out of the FW from this range. Everything is
    fine with X.X.X.X.

    When I use CP 4.1 with exactly the same configuration, same action
    from the router, no local.arp and a routing table ip>, there is no problem, everything is working fine. I am not
    upgrading, these are two different computers.

    Any idea ?

    F.

  2. Re: Checkpoint AI/Express - Two public IP range, one unreachable

    Hi,
    I've been working on a similar issue. I don't have the whole answer, but I
    was wondering if you were doing policy based routing with that router in
    front of your firewall.


    ~D



    "Frederic" wrote in message
    news:75eaf22c.0312230115.2d00468c@posting.google.com...




  3. Re: Checkpoint AI/Express - Two public IP range, one unreachable

    1. I would create a secondary IP from the Y.Y.Y.Y range on the router, so there
    would be no need to route Y.Y.Y.Y through X.X.X.X.

    2. On the firewall end I would just create proxy ARP entries for the imaginary
    IPs of Y.Y.Y.Y on the very same firewall.

    "Frederic" wrote in message
    news:75eaf22c.0312230115.2d00468c@posting.google.com...
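A way to verify the second step of this reply, as an added example that is not the thread's own code: it generates the local.arp-style proxy ARP lines the firewall would need for every address of the Y.Y.Y.Y range and compares a captured ARP table dump against them, flagging addresses that are missing or published with a foreign MAC. The range, the MAC, the dump and the "(ip) at mac" / "ip mac" line formats are assumptions.

```python
import ipaddress
import re

# Constructed sample values (not from the thread): the second public range
# (the thread's Y.Y.Y.Y) and the MAC of the firewall's external interface.
NAT_RANGE = "203.0.113.0/29"
EXT_MAC = "00:1c:7f:00:00:01"

# Constructed proxy ARP table dump in "(ip) at mac" style; treating this as
# the output format of the firewall's ARP listing is an assumption.
ARP_DUMP = """\
(203.0.113.1) at 00:1c:7f:00:00:01 interface eth0
(203.0.113.2) at 00:1c:7f:00:00:01 interface eth0
(203.0.113.3) at 00:1c:7f:00:00:99 interface eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.I)

def proxy_arp_entries(public_range, ext_mac):
    """local.arp-style 'ip mac' lines, one per usable address of the range."""
    net = ipaddress.ip_network(public_range, strict=True)
    return [f"{ip} {ext_mac}" for ip in net.hosts()]

def parse_arp_dump(dump):
    """Map ip -> mac for every '(ip) at mac' line; other lines are ignored."""
    table = {}
    for line in dump.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table

def missing_proxy_arp(public_range, ext_mac, dump):
    """Addresses of the NAT range that the firewall is not publishing with
    its own external MAC: absent entries and entries with a foreign MAC."""
    want = ext_mac.lower().replace("-", ":")
    have = parse_arp_dump(dump)
    net = ipaddress.ip_network(public_range, strict=True)
    return [str(ip) for ip in net.hosts() if have.get(str(ip)) != want]

if __name__ == "__main__":
    for line in proxy_arp_entries(NAT_RANGE, EXT_MAC):
        print(line)
    print("not published:", missing_proxy_arp(NAT_RANGE, EXT_MAC, ARP_DUMP))
```

Any address reported as not published is one the upstream router cannot resolve once it stops routing Y.Y.Y.Y via X.X.X.X, which matches the "some addresses work, some never show in the logs" symptom.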



