Thanks for the education, Jason. I'll look it up.

We are using client side NAT and you're correct, I only have to add one proxy ARP for the current external IP address (I tested this after my last reply).

I believe it can cause remote access problems if you license the internal interface. Since I use central licensing, where the licenses are applied only to the SmartCenter, I shouldn't have to regenerate the licenses through Check Point at all. If I understand it correctly, with central licensing only the module count is important. When I attach a license to an enforcement module via SmartUpdate, it learns that IP address. When I detach it via SmartUpdate, the license is available for re-use. My UserCenter account license list does not show any IP addresses other than my SmartCenter.

Thanks for all of your time,

Ray


From: chkp tech <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Question on default route to a new ISP while retaining original IP
Date: Sat, 1 Apr 2006 02:00:09 -0600

Ray,

A sub-interface is simply getting a single physical to have multiple
aliases.  Let's say you have multiple networks that physically connect to
one interface.  Really all you have to think about is that each IP alias
tells the OS to treat each alias as its own network interface.  You can
google subinterface or NIC alias and find more information.

A couple things caught my interest in your reply to our answers.  You
shouldn't have to add arp entries manually, and if you do, there should only
be a few of them.  If you're still not using "Client side NAT" in global
properties, then I'd suggest looking into it.  This will save you quite a
bit of time.

Another thing that caught my interest was the fact that you'll need to
re-gen your licenses.  I'll be the first to admit that I don't know whether
or not it's ok to license your firewalls to internal IP addresses, but when
you contact account services, I would make sure that you're using
centralized licenses, and if not, I would license them to the internal IPs
so that you don't have to regenerate licenses in the future.

Jason


On 3/31/06, Ray <[EMAIL PROTECTED]> wrote:
>
> Thanks Jason and Lino.
>
> Unfortunately I now have to ask you to answer a new question. :-)
>
> What the heck is a "sub-interface"? I have never heard that term before.
>
> Yes, they are our IP addresses and the new ISP will announce them for us.
> No, they are not NATting anything from us.
>
> Thanks,
>
> Ray
>
> <snip>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
