In addition to this, Alan/Ray, if the new IP block has been routed to your ISP's VLAN representation of your company, as a secondary range, then proxy ARPs will be needed. However, if you get your ISP to route the new IP block to the external IP address of your SPLAT box, then proxy ARPs/routing/etc are not necessary, as the edge router already knows where to send the traffic - all you have to do is add Auto or Manual NAT on your objects/rules. I find this much easier to deploy.

Cheers,
Barny.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: 17 August 2006 23:57
To: [email protected]
Subject: Re: [FW-1] Addition of new external IP range to R55

Hi Alan,

I'm certainly not conversant with SPLAT, however I'm not sure why you need to add another interface at all. If your ISP is routing all of the new subnet's traffic to your current external interface, it already sees it. I would think that all you would need to do is add proxy ARP entries for each of the new IP addresses and set them all to the MAC address of the real external interface.

I've got an entire Class B, yet the external interface is subnetted as Class C. I can use any of the Class B addresses simply by adding proxy ARP entries for them.

Ray

>From: Alan Choyna <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Addition of new external IP range to R55
>Date: Wed, 16 Aug 2006 21:18:10 -0500
>
>"eth1" is already defined in my firewall object. I'm trying to add a
>2nd IP range to it.
>
>When I try to add the eth1:1 interface to the Topology tab of the FW
>object, I get back the message that the interface cannot have a colon
>in it.
>
>Is that what you were referring to?
>
>Interesting thing is that I am seeing traffic coming into IPs
>xx.xxx.xx.2 & xx.xxx.xx.30, but not for any IP in between. Does that indicate
>anything?
>
>Alan
>
>At 06:44 PM 8/16/2006, Lino Eduardo Avila Rodríguez wrote:
>>Do you have the right topology?
>>
>>Create an external interface.
>>
>>Best regards
>>
>>-----Original Message-----
>>From: Mailing list for discussion of Firewall-1
>>[mailto:[EMAIL PROTECTED] On Behalf Of Alan Choyna
>>Sent: Wednesday, 16 August 2006 02:28 p.m.
>>To: [email protected]
>>Subject: [FW-1] Addition of new external IP range to R55
>>
>>We have a standalone gateway/management server that is running R55 HFA16.
>>
>>We have received a new allocation of IP addresses to use as we had run
>>out of our initial (stingy) block. The new range is in a totally
>>different block of IPs.
>>
>>I went to the web GUI and under the "network connections" tab, added a
>>secondary IP object (called eth1:1) with an IP address of
>>xx.xxx.xx.2 and a netmask of 255.255.255.224 (we have the range
>>xx.xxx.xx.2 - 30).
>>
>>I then went to the "routing table" tab and added the route with a
>>destination of xx.xxx.xx.0, netmask of 255.255.255.224, a gateway of
>>0.0.0.0, and it did attach to the correct interface (eth1).
>>
>>We then created a host object (and allocated the internal and external
>>IPs, using the NAT tab to map to the static external IP), and then
>>created a rule (with logging on) to test it with.
>>
>>The tests from outside do not work, and an "arp -d" on the firewall
>>does not show the new IP range.
>>
>>What have we missed? Or what have we not done correctly?
>>
>>Thanks in advance,
>>
>>Alan
>>
>>Alan C. Choyna
>>Director of Infrastructure
>>
>>Pathfinder Associates, LLC
>>
>>http://www.pathfinderassoc.com
>>Internet Strategy Business Consultants
>>mailto:[EMAIL PROTECTED]
>>
>>Business telephone (312) 372-1058 ext 6003. Mobile (773) 255-6662
>>
>>=================================================
>>To set vacation, Out-Of-Office, or away messages, send an email to
>>[EMAIL PROTECTED]
>>in the BODY of the email add:
>>set fw-1-mailinglist nomail
>>=================================================
>>To unsubscribe from this mailing list, please see the instructions at
>>http://www.checkpoint.com/services/mailing.html
>>=================================================
>>If you have any questions on how to change your subscription options,
>>email [EMAIL PROTECTED]
>>=================================================
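
The two deployments contrasted in this thread (new block on-link as a secondary range versus routed to the firewall's external IP), modelled from the ISP router's side. This is an added example, not part of the original messages; all addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress

def next_hop(dest, routes):
    """Longest-prefix match over (cidr, via) routes; via=None means on-link."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, via in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]

def needs_proxy_arp(dest, routes, bound):
    """True if the router ARPs for `dest` itself and no interface owns it."""
    if next_hop(dest, routes) is not None:
        # Routed case: the router ARPs for the next hop (the firewall's real
        # external IP), which the firewall answers without any proxy entry.
        return False
    # On-link case: the router ARPs for the NAT address directly, so someone
    # must answer. Addresses bound to an interface are answered natively.
    return dest not in bound

def proxy_arp_plan(block, routes, bound):
    """Addresses in `block` the firewall must publish proxy ARP entries for."""
    hosts = ipaddress.ip_network(block).hosts()
    return [str(h) for h in hosts if needs_proxy_arp(str(h), routes, bound)]

# Constructed topology: original block 198.51.100.0/29, router .1, firewall .2;
# new block 203.0.113.0/27 with the router holding .1 when it is on-link.
NEW_BLOCK = "203.0.113.0/27"
BOUND = {"198.51.100.1", "198.51.100.2", "203.0.113.1"}

# Secondary range on the ISP VLAN: both blocks are on-link for the router.
ON_LINK = [("198.51.100.0/29", None), (NEW_BLOCK, None)]
# ISP routes the new block to the firewall's external address instead.
ROUTED = [("198.51.100.0/29", None), (NEW_BLOCK, "198.51.100.2")]

if __name__ == "__main__":
    print("on-link:", len(proxy_arp_plan(NEW_BLOCK, ON_LINK, BOUND)), "entries")
    print("routed: ", len(proxy_arp_plan(NEW_BLOCK, ROUTED, BOUND)), "entries")
```
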
