Discussion:
Checkpoint AI/Express - Two public IP range, one unreachable
Frederic
2003-12-23 09:15:49 UTC
Hello,

I have the following problem with the FW in subject :

- I have two public IP ranges, X.X.X.X and Y.Y.Y.Y
- I do static NAT. There is only one range of internal IP.
- On the external interface, there is only one IP address, the one in
the range X.X.X.X
- The router in front of the firewall routes everything bound to
Y.Y.Y.Y to the external address in the range X.X.X.X

In some cases, the traffic to/from Y.Y.Y.Y is accepted (as it should
be), in other cases nothing appears in the logs, but there is no drop
or reject. I have double checked that I did not make any errors in
the NAT configuration for the objects, and had this cross checked by a
colleague. No problem at this level.

Range Y.Y.Y.Y is _not_ reachable from outside, _HOWEVER_ I can see
that _some_ traffic goes out of the FW from this range. Everything is
fine with X.X.X.X.

When I use CP 4.1 with exactly the same configuration, same action
from the router, no local.arp and a routing table <pub ip> <mask> <int
ip>, there is no problem, everything is working fine. I am not
upgrading, these are two different computers.

Any idea ?

F.
Dan
2003-12-23 20:09:28 UTC
Hi,
I've been working on a similar issue. I don't have the whole answer, but I
was wondering if you were doing policy based routing with that router in
front of your firewall.


~D
THT
2004-01-05 09:36:16 UTC
1. I would create a secondary IP from the Y.Y.Y.Y range on the router, so
there would be no need to route Y.Y.Y.Y through X.X.X.X.

2. On the firewall end I would just create Proxy ARP entries for the imaginary
IPs of Y.Y.Y.Y on that same firewall.
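The two steps above can be checked mechanically: once the router has a secondary IP in the Y.Y.Y.Y range, it ARPs for every Y address directly, so any static-NAT public IP the firewall neither owns nor proxy-ARPs for is simply never answered, and no packet (and therefore no log entry) ever reaches the firewall. The script below is an added example, not code from the thread or from Check Point; it assumes a constructed topology with documentation prefixes standing in for X.X.X.X and Y.Y.Y.Y, and a hypothetical proxy ARP list standing in for local.arp.

```python
import ipaddress

# Constructed topology for illustration; the thread names the ranges only as
# X.X.X.X and Y.Y.Y.Y, so documentation prefixes stand in for them here.
FW_EXTERNAL_IP = ipaddress.ip_address("198.51.100.2")  # firewall's only external IP (X range)
ROUTER_ON_LINK = [                                     # networks the router treats as directly connected
    ipaddress.ip_network("198.51.100.0/24"),           # X range: router's primary IP
    ipaddress.ip_network("203.0.113.0/24"),            # Y range: router's secondary IP (step 1 above)
]
STATIC_NAT = {                                         # public IP -> internal host (constructed)
    "198.51.100.10": "10.0.0.10",
    "198.51.100.11": "10.0.0.11",
    "203.0.113.10": "10.0.0.12",
    "203.0.113.11": "10.0.0.13",
}
# Public IPs the firewall answers ARP for (stand-in for local.arp, step 2 above).
PROXY_ARP = {"198.51.100.10", "198.51.100.11", "203.0.113.10"}


def check_nat_reachability(static_nat, proxy_arp, on_link, fw_ip):
    """Classify each static-NAT public IP by whether the router can deliver to it.

    The router ARPs for any destination inside an on-link network, so a NATed
    public IP that the firewall does not own and does not proxy-ARP for gets
    no ARP reply: the packet never reaches the firewall, hence no log entry.
    """
    result = {}
    for pub_str in static_nat:
        pub = ipaddress.ip_address(pub_str)
        if not any(pub in net for net in on_link):
            result[pub_str] = "not on-link: router needs a route for this range"
        elif pub == fw_ip or pub_str in proxy_arp:
            result[pub_str] = "ok"
        else:
            result[pub_str] = "missing proxy ARP entry: ARP unanswered, traffic never logged"
    return result


def missing_proxy_arp(static_nat, proxy_arp, on_link, fw_ip):
    """Return the sorted list of NATed public IPs that still need a proxy ARP entry."""
    report = check_nat_reachability(static_nat, proxy_arp, on_link, fw_ip)
    return sorted(ip for ip, status in report.items() if status.startswith("missing"))


if __name__ == "__main__":
    for ip, status in check_nat_reachability(STATIC_NAT, PROXY_ARP, ROUTER_ON_LINK, FW_EXTERNAL_IP).items():
        print(f"{ip:16} {status}")
```

Run it against the real static NAT table and local.arp contents to get the list of public IPs that will silently fail before touching the router.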