You need to subnet your class C.  Break out .252 network (4 IPs)
and configure that on your external interface and router.  Your spoofs
are because your external interface traffic falls within your internal
subnet.  You can assign all the rest of the C range to networks behind
your firewall, and can easily use one for a DMZ.  It will make routes
in your internet router more complicated.  It will need to have the
subnets broken out to be able to route them to your firewall.  If you
are unsure about how to divide them all up, there are lots of subnet
generators out on the net that will help.

Hal
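A worked version of Hal's plan, added here as an example and not code from any of the posters: it uses Python's `ipaddress` module to carve the .252/30 off a class C, list the blocks left for the inside networks and a DMZ, and then model the anti-spoofing check before and after the change. It assumes the documentation range 192.0.2.0/24 in place of the thread's xxx.xxx.10.0/24, that the router keeps .254 and the firewall takes .253 inside the new /30, and an arbitrary choice of 192.0.2.128/26 as the DMZ block (the one the web server on .172 falls into).

```python
from ipaddress import ip_address, ip_network

# Constructed example: the thread's xxx.xxx.10.0/24 is stood in for by the
# documentation range 192.0.2.0/24 so the block runs offline.
CLASS_C = ip_network("192.0.2.0/24")


def carve_link_subnet(block, new_prefix=30):
    """Split the highest /30 off `block` for the firewall<->router link (Hal's
    ".252 network") and return (link, remaining_blocks), the leftovers as the
    largest aligned CIDR blocks, sorted by address."""
    link = list(block.subnets(new_prefix=new_prefix))[-1]
    remaining = sorted(block.address_exclude(link))
    return link, remaining


def usable_hosts(net):
    """Host addresses of a subnet as strings (network and broadcast excluded)."""
    return [str(h) for h in net.hosts()]


def external_ranges(internal_nets):
    """Check Point-style 'external' topology: everything not claimed by any
    other interface. Start from 0.0.0.0/0 and punch out the internal blocks."""
    ranges = [ip_network("0.0.0.0/0")]
    for net in internal_nets:
        kept = []
        for r in ranges:
            if net.subnet_of(r):          # carve the block out of this range
                kept.extend(r.address_exclude(net))
            elif r.subnet_of(net):        # range lies entirely inside the block
                continue
            else:
                kept.append(r)
        ranges = kept
    return ranges


def expected_on(topology, iface):
    """Networks anti-spoofing expects to see as *source* addresses on `iface`."""
    if iface == "external":
        others = [n for i, nets in topology.items() if i != "external" for n in nets]
        return external_ranges(others)
    return topology[iface]


def is_spoofed(topology, iface, src):
    """True when a packet with source `src` arriving on `iface` would be dropped
    as spoofed: its source belongs to no network expected behind that interface."""
    src = ip_address(src)
    return not any(src in net for net in expected_on(topology, iface))


# Ray's starting point: the whole /24 sits on the external interface *and* is
# the network the NATted hosts (e.g. the web server on .172) live in, so the
# router's .254 counts as "internal" as far as anti-spoofing is concerned.
BEFORE = {"internal": [CLASS_C]}

# Hal's plan: a /30 for the link (router keeps .254, firewall takes .253; an
# assumption here), the rest split behind the firewall, one block as a DMZ.
LINK, REMAINING = carve_link_subnet(CLASS_C)
DMZ = ip_network("192.0.2.128/26")            # arbitrary choice; holds .172
AFTER = {
    "internal": [n for n in REMAINING if n != DMZ],
    "dmz": [DMZ],
}

if __name__ == "__main__":
    print("link subnet:", LINK, "hosts:", usable_hosts(LINK))
    print("blocks left for inside/DMZ:", [str(n) for n in REMAINING])
    for label, topo in (("before", BEFORE), ("after", AFTER)):
        print(label, "router .254 on external spoofed?",
              is_spoofed(topo, "external", "192.0.2.254"))
    print("after: .172 arriving on external spoofed?",
          is_spoofed(AFTER, "external", "192.0.2.172"))
```

With the whole /24 defined as internal, the router's own address fails the external interface's anti-spoofing test, which is the drop Ray sees; once the link has its own /30, the router is "external" and the .172 web server, now in the DMZ block, is still dropped if it ever shows up on the outside interface. The leftover blocks are what the Internet router has to carry as separate routes toward the firewall.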


-----Original Message-----
From: Ray [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 14, 2005 6:03 AM
To: [email protected]
Subject: Re: [FW-1] Question on the proper external IP address subnet
mask


Sorry, I wasn't clear on this. The enforcement module is sending the
ICMP packets to the 10.254 router for whatever reason. The 10.254 router is
the next hop router for the enforcement module. The router has a single
Ethernet interface to the enforcement module and serial interfaces for the T-1
lines carrying the Internet traffic.

Ray

>From: ravi pina <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1              
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Question on the proper external IP address subnet 
>mask
>Date: Wed, 14 Sep 2005 00:09:45 -0400
>
>sounds like it's a (cisco term) ip unnumbered interface. probably frame
>relay, i suspect.
>
>why would the firewall see packets with a destination
>of your router?
>
>all that subnetting is a lot of work it seems.
>
>try taking a device (e.g. laptop) and giving it an ip
>in the same external subnet with a gateway of the .1.
>if things route correctly then .1 should likely be
>your desired gateway and not .254.
>
>-r
>
>
>On Tue, Sep 13, 2005 at 07:01:43PM -0400, Ray said at one point in
>time:
> > I'm working on a system for a company that has a full Class C subnet
> > (all 256 addresses). The external IP of the firewall both on the
> > enforcement module and in SmartView Dashboard is
> >
> > xxx.xxx.10.1
> > 255.255.255.0
> >
> > and the IP address of the router between the enforcement module and
> > the ISP is
> >
> > xxx.xxx.10.254 and probably the same subnet mask.
> >
> > There's a lot of anti-spoofing drops in the logs with the origin of
> > the xxx.xxx.10.1 external interface for ICMP going to the router on
> > xxx.xxx.10.254. The Information section says it expired in transit.
> > Kind of odd since it's a crossover cable connecting the enforcement
> > module and the router.
> >
> > Since the router is technically "external" to the firewall because
> > it's connected to the external interface but it's on the same subnet
> > the way it's configured, what's the proper way to fix this and does
> > it even need fixed?
> >
> > I'm assuming I can re-subnet both the enforcement module and
> > SmartView Dashboard to 255.255.255.128 but then I lose half the IP
> > space. If this is correct, does that then mean I must keep all NATted
> > external addresses in the first half of the xxx.xxx.10.0 network?
> >
> > In other words, if I make this subnet mask change, do I have to move
> > the web server that's currently on xxx.xxx.10.172 down into the
> > 1-127 range or will FW-1 still know what to do with it? I guess I
> > kind of assumed that an external interface effectively was in
> > promiscuous mode so it always sees all traffic that hits it even if
> > it would then be on a different subnet.
> >
> > The router between the ISP and FW-1 simply has one static route in
> > it sending all Internet traffic destined for xxx.xxx.10.x to
> > xxx.xxx.10.1
>
>--
>+++ATH
>7MN; {{{
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail 
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at 
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED] 
>=================================================
