Sergio,

Thanks for your advice. The CheckPoint is installed on the IPSO platform of a Nokia IP350. We have the configuration of a site-to-site trust using VPN over the Internet when we bought it. Now we are upgrading it to a data line instead of the Internet connection. Thus we need to route all the traffic that originally went over the Internet connection to the router of the data line. That is the scenario we are facing, but we do not have a specialist in this area to implement it. I am unsure if this is a very complicated task or just a matter of changing a couple of rules as described by another site. Your further enlightenment is highly appreciated.

Thanks,
Scott

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
Sent: Sunday, 14 January, 2007 12:17 PM
To: [email protected]
Subject: Re: [FW-1] NGX R60 route to other router

Check Point is firewall software; all routing issues are addressed by the platform on which you have Check Point installed. You did not mention which platform you have, but mainly what you need is routing configuration, and the way to make the changes will depend on that platform (Windows, Linux, Solaris, IPSO, Secure Platform).

You also mentioned something about that traffic going to a particular router, while the rest "goes out via the firewall NAT". First of all, you need to understand that routing and NAT configurations are completely separate things: routing is configured at the platform level, while NAT is configured at the firewall level (Check Point). If you want this particular traffic to go to a specific router WITHOUT applying NAT, then you need to do manual NAT for that traffic while having an automatic NAT rule for all the rest (sorry, but it is kind of complicated to be explained here; check the PDF documentation available in the installation CDs or the website for NAT configuration instructions).

Now, there is a final comment in your message that says: "or when the router is down it will go out via the firewall NAT", so it sounds to me like you want a specific route for this particular traffic, but a dynamic configuration for it to switch to the regular default gateway if that router fails. Routing wise, you would need Dynamic Routing Protocols, and the possibility of doing that will depend again on the platform you have Check Point installed on, as well as the upstream routers (for possible support or not of particular protocols).

NAT wise, I would say it would not be possible for the firewall to know it should apply a no-NAT rule now and a regular NAT hide the next minute just because the router that usually receives that traffic is down. The new SecurePlatform Pro (which requires extra licensing) has Dynamic VPN Routing features that allow you to have traffic sent through a VPN tunnel most of the time and switch to a second VPN tunnel if the first goes down, but I don't think that feature could be used to dynamically switch from one NAT rule to another.

Anyway... maybe somebody else here in the group knows a way to go around it.

Regards

On 1/13/07, Scott Xe <[EMAIL PROTECTED]> wrote:
>
> I am new to CP and need to route from the network going to certain
> destination via a specified router, i.e.,
>
> From                To            Via
> The local network   164.38.0.0    192.168.0.253
>
> Other than that all go out via the firewall NAT or when the router is down
> it will go out via the firewall NAT.
>
> Your enlightenment is appreciated.
>
> Thanks,
>
> Scott
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>

--
Sergio Alvarez
(506)8301342
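
The point made in the reply above, that routing and NAT are decided independently, sketched as a small model. This is an added example, not part of the original thread and not Check Point or IPSO code. The /16 mask, the 192.168.0.0/24 local subnet, the default gateway 203.0.113.1 and the hide address 203.0.113.10 are assumptions made up for illustration; the `down` argument stands in for what a dynamic routing protocol would do when it withdraws a route.

```python
import ipaddress

# Assumed values (not from the thread): the /16 mask, the local subnet,
# the default gateway and the hide-NAT address are constructed.
ROUTES = [  # platform routing table: (destination, next hop)
    ("164.38.0.0/16", "192.168.0.253"),  # specific route via the data-line router
    ("0.0.0.0/0", "203.0.113.1"),        # default gateway (Internet side)
]
NAT_RULES = [  # firewall NAT rule base, first match wins: (src, dst, action)
    ("192.168.0.0/24", "164.38.0.0/16", "no-nat"),         # manual rule
    ("192.168.0.0/24", "0.0.0.0/0", "hide:203.0.113.10"),  # automatic hide NAT
]

def next_hop(dst, down=()):
    """Longest-prefix match over routes whose next hop is still reachable."""
    addr = ipaddress.ip_address(dst)
    live = [(ipaddress.ip_network(net), gw) for net, gw in ROUTES
            if gw not in down and addr in ipaddress.ip_network(net)]
    return max(live, key=lambda r: r[0].prefixlen)[1] if live else None

def nat_action(src, dst):
    """First matching NAT rule; the lookup never consults the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in NAT_RULES:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return "no-nat"

def forward(src, dst, down=()):
    """Return (next hop, NAT action) for one connection."""
    return next_hop(dst, down), nat_action(src, dst)

if __name__ == "__main__":
    for down in ((), ("192.168.0.253",)):
        print("routers down:", down)
        print("  to 164.38.5.5   ->", forward("192.168.0.10", "164.38.5.5", down))
        print("  to 198.51.100.7 ->", forward("192.168.0.10", "198.51.100.7", down))
```

With 192.168.0.253 marked down, the route falls back to the default gateway but the NAT action for 164.38.0.0 stays "no-nat", so the traffic would leave toward the Internet with its private source address.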
