Thanks Jason and Lino.
Unfortunately I now have to ask you to answer a new question. :-)
What the heck is a "sub-interface"? I have never heard that term before.
Yes, they are our IP addresses and the new ISP will announce them for us.
No, they are not NATting anything from us.
Thanks,
Ray
From: chkp tech <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Question on default route to a new ISP while retaining original IP
Date: Fri, 31 Mar 2006 03:42:31 -0600
Greetings,
I don't know if this is going to help you, but you could set up a
sub-interface and have the default route point to it. This will still cause
the firewall to be seen as the new IP, but could still have its old IP.
Implementing this would break any VPNs (new peer id) and it would also break
SSL if you are pointing HTTPS to the firewall.
As long as the new ISP will route the same IP information, then I don't see
a problem with using the old IP address. I just can't say that I've seen
many situations (other than where large amounts of money were involved) to
do this.
The questions I would ask your ISP would be these:
Will you route my old IP/subnet to the firewall?
If a packet is sourced as my old IP, will any src-NAT take place before it
leaves their network?
If the first question is no, then you'll be forced to use the new IP. If
the answer to the second question is yes, then you'll be forced to use the
new IP as well.
Hopefully this helps,
Jason
On 3/30/06, Ray <[EMAIL PROTECTED]> wrote:
>
> Running R55 on Nokia 3.9.
>
> I currently have a router between FW-1 and the T-1's that supply our
> Internet connection. We're changing ISPs and I want to eliminate the router
> because it doesn't really do anything useful (no filtering, etc.) and I can
> use it elsewhere. The new ISP comes in via fiber. I also must keep the same
> external IP address on FW-1. We have our own IP block and the new ISP will
> announce those routes for us.
>
> So my external interface currently looks like this (made-up addresses):
>
> IP: 122.45.5.1 /24
> Next hop router - default route (mine) 122.45.5.254
>
> The new ISP wants us to re-IP the firewall to
>
> IP: 67.56.4.3 /30
> Next hop router - default route: 67.56.4.4
>
> Obviously if I change the external IP like this, all sorts of things are
> going to break, like all of our vendors that expect traffic to come from
> 122.45.5.1. I do use central licensing.
>
> Is it possible to set the external interface like this:
>
> IP: 122.45.5.1 /24 (original address)
> Next hop router - default route: 67.56.4.4 (new ISP)
>
> or do they truly both have to be on the same subnet? If so, is there any way
> to fix this while still eliminating the old router and not manually setting
> NAT on every object? Or do I just have to keep the old router in place?
>
> Thanks for any education you can lend,
>
> Ray
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
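
Added example (not part of the thread, and not Check Point or Nokia code): a Python check of the same-subnet question raised above, assuming the usual rule that a default gateway must fall inside a subnet configured on the interface. The function names and the 67.56.4.5/30 with 67.56.4.6 pair are constructed for illustration; the other addresses are the made-up ones from the thread.

```python
import ipaddress

def usable_host(iface):
    """False when the address is the network or broadcast address of its subnet."""
    net = iface.network
    if net.prefixlen >= 31:  # /31 and /32 reserve no addresses
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)

def check_default_route(addresses, gateway):
    """Check one interface's addresses against a default gateway.

    Returns (address whose subnet contains the gateway, or None; list of problems).
    """
    gw = ipaddress.ip_address(gateway)
    ifaces = [ipaddress.ip_interface(a) for a in addresses]
    problems = [f"{i} is the network or broadcast address of {i.network}"
                for i in ifaces if not usable_host(i)]
    on_link = [i for i in ifaces if gw in i.network]
    if not on_link:
        problems.append(f"gateway {gw} is not inside any configured subnet")
        return None, problems
    via = on_link[0]
    # The gateway itself must be a usable host address in that subnet.
    if not usable_host(ipaddress.ip_interface(f"{gw}/{via.network.prefixlen}")):
        problems.append(f"gateway {gw} is not a usable host in {via.network}")
    if gw == via.ip:
        problems.append(f"gateway {gw} is the firewall's own address")
    return str(via), problems

if __name__ == "__main__":
    cases = {
        "old IP, new next hop (as asked)": (["122.45.5.1/24"], "67.56.4.4"),
        "ISP values as posted (made up)": (["67.56.4.3/30"], "67.56.4.4"),
        # Constructed: a valid /30 pair added as a second address on the interface.
        "old IP plus second address": (["122.45.5.1/24", "67.56.4.5/30"], "67.56.4.6"),
    }
    for name, (addrs, gw) in cases.items():
        via, problems = check_default_route(addrs, gw)
        print(f"{name}: on-link via {via}; problems: {problems or 'none'}")
```

The second case also shows that the made-up ISP values do not form a valid /30 pair, so real values from the ISP should be run through the same check before cutover.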