
Setup of Checkpoint NG to traverse internal router

Status
Not open for further replies.

webnetwiz

MIS
Mar 30, 2001
325
US
I'm configuring a box to run NG on. It's running NT4 and has 2 NICs. One NIC is the external interface (Internet-dirty), and the other is internal (no gateway configured). However, since there's no gateway configured on the internal NIC, it cannot see hosts I have on other networks (802.1q VLANs off of a Cisco Cat4006). I added a persistent route to the CheckPoint box, but my other networks still can't see it. Does anyone have any thoughts? If I add a gateway to the internal NIC, I can see all the other networks, but then I guess the box would be confused about what to route where, and Checkpoint wouldn't work.
Need help!
 
You need to point a route to those other networks via the internal router. You also need to make sure that those other networks have a route back.

You can't use a gateway address on the internal card for this. It needs to be specific routes.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
The internal router routes between the VLANs without a problem. If I give the internal NIC the IP of the internal gateway, I can immediately access hosts on other VLANs. But once Checkpoint is on it, I can't keep that gateway. Is that something I'd setup in Checkpoint, and then it handles this issue? Do I need to add static (persistent) routes to my servers in the "remote" VLAN?
 
Yes, in order for your servers in the remote VLANs to be able to talk to the firewall they need a route to the firewall, either by their default route or by a specific route (if their default route points elsewhere).

You also need to add routes on the firewall via 'route add' at the command line for each VLAN via the router IP address that routes to those VLANs. A dual-homed device or firewall can only ever have one default route, and that will be out of the external, Internet-facing interface.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
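As an added illustration of the point above (example code, not something from the thread or from Check Point), here is a small Python model of the firewall's routing table: with only the one default route, a packet for a remote VLAN host leaves by the external NIC; once a specific route per VLAN exists via the internal router, it goes out the internal NIC. All addresses and VLAN subnets are constructed, and the `route -p add` lines are the NT4 command form of the same routes.

```python
import ipaddress

# Constructed addresses (not from the thread): the two firewall NICs, the
# internal router that fronts the 802.1q VLANs, and the remote VLAN subnets.
EXTERNAL_NIC = ipaddress.ip_interface("203.0.113.2/29")   # "dirty" side, carries the default route
INTERNAL_NIC = ipaddress.ip_interface("10.0.1.2/24")      # no gateway configured here
INTERNAL_ROUTER = ipaddress.ip_address("10.0.1.1")        # router interface on the firewall's VLAN
DEFAULT_GATEWAY = ipaddress.ip_address("203.0.113.1")
REMOTE_VLANS = ["10.0.2.0/24", "10.0.3.0/24", "10.0.10.0/24"]


def base_table():
    """Routes the host has by itself: the two connected networks plus the single
    default route, which on a dual-homed firewall points out the external NIC."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GATEWAY, "external"),
        (EXTERNAL_NIC.network, None, "external"),
        (INTERNAL_NIC.network, None, "internal"),
    ]


def with_vlan_routes(table):
    """The fix from the thread: one specific route per remote VLAN via the internal router."""
    return table + [(ipaddress.ip_network(v), INTERNAL_ROUTER, "internal") for v in REMOTE_VLANS]


def lookup(table, dst):
    """Longest-prefix match, as the host's IP stack does it. Returns (next_hop, interface);
    next_hop is None when the destination is directly connected."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def route_add_commands():
    """The persistent NT4 'route -p add' lines equivalent to with_vlan_routes()."""
    return [f"route -p add {n.network_address} mask {n.netmask} {INTERNAL_ROUTER}"
            for n in map(ipaddress.ip_network, REMOTE_VLANS)]


if __name__ == "__main__":
    for label, table in (("without", base_table()), ("with", with_vlan_routes(base_table()))):
        print(f"{label} VLAN routes: 10.0.3.7 -> {lookup(table, '10.0.3.7')}, "
              f"198.51.100.9 -> {lookup(table, '198.51.100.9')}")
    print("\n".join(route_add_commands()))
```

The same check applies in reverse on each VLAN host: its own table must resolve the firewall's internal address to the internal router, or replies never come back.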
 
I agree with the above: set it up using static routes.
If you are using NAT on any of these VLANs you may encounter difficulties when they try and communicate with each other (only if they use the firewall as a gateway between LANs).

If so then you may need a manual NAT rule at the top of your NAT rules.
On the NAT page:
Rules - Add Rule - Top
Create a group object that covers all your internal LANs and VLANs.
Create the rule:
internal lans - internal lans - any - original - original - original

This will stop it using NAT between networks.

If you don't use your firewall as a gateway between LANs then ignore this completely.
 
OK, got it to work: the server can see CheckPoint, and CheckPoint can see the server. BTW, this CheckPoint is not a gateway for my network; it's a secondary system that sits outside the firewall and blocks everything except for VPN connections.

The problem I'm having now is that when VPN clients are connecting, my LAN hosts see them as hosts from other "outside" networks with their public IP addresses. I need to be able to NAT these VPN clients, or bind them to a local IP pool on the firewall. For example, a VPN client comes in with a public IP address of w.x.y.z; I need to make sure my internal LAN servers see it as local address 1.2.3.4. I've enabled the local IP pool, but it doesn't work.
 
Have you checked the logs to see if they are getting an IP address from the pool?

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
OK, refer back to my last insert and try that.
Your VPN connections are being NATed for internal as well as external. The manual NAT rule will override that and stop NAT between internal networks.
 
Gentlemen, since I was pressed for time, and the routing on my VLANs is more important to me than setting up a secondary VPN system (for one very impatient client), a 3rd NIC solved the problem between connecting to servers in 2 different VLANs. In order to make sure that this setup does not violate my security policy, we've configured the box to only do VPN connections, and that's it, everything else is dropped. I want to thank everyone who posted and assisted me.
 