I'm working on a system for a company that has a full Class C subnet (all
256 addresses). The external IP of the firewall, both on the enforcement
module and in SmartView Dashboard, is xxx.xxx.10.1 with subnet mask
255.255.255.0, and the IP address of the router between the enforcement
module and the ISP is xxx.xxx.10.254, probably with the same subnet mask.
There are a lot of anti-spoofing drops in the logs with the origin of the
xxx.xxx.10.1 external interface for ICMP going to the router on
xxx.xxx.10.254. The Information section says it expired in transit. Kind of
odd, since it's a crossover cable connecting the enforcement module and the
router.
Since the router is technically "external" to the firewall (it's connected
to the external interface) but is on the same subnet the way it's
configured, what's the proper way to fix this, and does it even need to be fixed?
I'm assuming I can re-subnet both the enforcement module and SmartView
Dashboard to 255.255.255.128 but then I lose half the IP space. If this is
correct, does that then mean I must keep all NATted external addresses in
the first half of the xxx.xxx.10.0 network?
In other words, if I make this subnet mask change, do I have to move the web
server that's currently on xxx.xxx.10.172 down into the 1-127 range or will
FW-1 still know what to do with it? I guess I kind of assumed that an
external interface effectively was in promiscuous mode so it always sees all
traffic that hits it even if it would then be on a different subnet.
The router between the ISP and FW-1 simply has one static route in it
sending all Internet traffic destined for xxx.xxx.10.x to xxx.xxx.10.1.
Thanks for your thoughts,
Ray
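An added example (not from the original post or from Check Point) that models the two questions above: which of the addresses in the post stay on the external interface's connected subnet if the mask is changed from 255.255.255.0 to 255.255.255.128, and a simplified version of the per-interface topology check that produces anti-spoofing drops. The xxx.xxx.10 prefix is replaced by the documentation range 192.0.2, and the internal topology 10.0.0.0/8 is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the addresses in the post (192.0.2.0/24 is the
# RFC 5737 documentation range, used here in place of xxx.xxx.10.0/24).
EXTERNAL_IF = ip_address("192.0.2.1")    # firewall external interface (xxx.xxx.10.1)
ROUTER = ip_address("192.0.2.254")       # ISP-side router (xxx.xxx.10.254)
WEB_NAT = ip_address("192.0.2.172")      # NATted web server address (xxx.xxx.10.172)

# Assumed internal topology behind the enforcement module (not given in the post).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def external_subnet(mask: str):
    """Connected network of the external interface for a given dotted mask."""
    return ip_network(f"{EXTERNAL_IF}/{mask}", strict=False)


def on_link(addr, mask: str) -> bool:
    """True if addr is inside the external interface's connected subnet."""
    return addr in external_subnet(mask)


def compare_masks() -> dict:
    """For each candidate mask, report whether the router and the NAT address
    remain on-link and how many usable host addresses the external subnet keeps."""
    return {
        mask: {
            "router_on_link": on_link(ROUTER, mask),
            "web_nat_on_link": on_link(WEB_NAT, mask),
            "usable_hosts": external_subnet(mask).num_addresses - 2,
        }
        for mask in ("255.255.255.0", "255.255.255.128")
    }


def anti_spoof_verdict(ingress: str, src: str) -> str:
    """Simplified model of interface-topology anti-spoofing: a packet is accepted
    only if its source address belongs to the topology defined for the interface it
    arrived on (internal = INTERNAL_NETS, external = everything else). This is a
    constructed illustration, not Check Point's implementation."""
    source_is_internal = any(ip_address(src) in net for net in INTERNAL_NETS)
    if ingress == "internal":
        return "accept" if source_is_internal else "drop: non-internal source on internal interface"
    if ingress == "external":
        return "drop: internal source on external interface" if source_is_internal else "accept"
    raise ValueError(f"unknown interface {ingress!r}")


if __name__ == "__main__":
    for mask, result in compare_masks().items():
        print(mask, result)
    print(anti_spoof_verdict("external", str(ROUTER)))
```

With a 255.255.255.128 mask the external subnet becomes 192.0.2.0/25, so both the router at .254 and the NAT address at .172 fall outside the interface's connected network, while the topology check still accepts the router's address on the external interface because it is not an internal source.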