Thanks to all for your answers,
Paolo, it's not a solution for me I can't configure a route in that way on
my SPLAT and I don't manage the first router. I think that Sergio has
pointed the problem. Route on my SPLAT are based on destination and I
don't
manage to define a destination for my new route that is "Internet World"
(except for Default gateway), but it means all traffic and I already route
my Internet traffic to first router of my partner. Sergio, your workaround
routing all traffic on the router of my partner and reroute the traffic
coming from my new net to the second router could be a good solution, but
it
not suitable for me... cause contract policy between me and this
partner..........
-----Messaggio originale-----
Da: Mailing list for discussion of Firewall-1 [mailto:
[EMAIL PROTECTED] Per conto di Sergio Alvarez
Inviato: mercoledì 17 gennaio 2007 19.23
A: [email protected]
Oggetto: Re: [FW-1] Routing...
Regular routes are based on destination, you create a route telling a
layer
3 device what would be the destination network and what gateway to use to
get there.
So if you want to publish particular services behind the enforcement
module
and ensure that traffic received by the second router you mentioned and
destined to those services, is sent the proper way, then all you need is a
route on that router pointing to the enforcement module.
Now, if you want for the enforcement module to receive traffic from the
new
network behind it and send it to the second router while all the rest of
the
traffic is sent to the first router (default gateway), then you need to
know
what would be the destination network, otherwise you need source based
routing which is not available on Secure Platform (as far as I know).
A good solution would be to use the first router (default gateway) to
redirect the traffic the right way if in fact your partner has a source
based routing capable router there. That way you leave a single default
gateway on your enforcement module and tell that router to redirect
traffic
to the second router when the source is that particular network. You might
have to do some tweaking on the NAT rules of the firewall for it to
identify
the new network with a different IP range so it is possible to identify it
from the rest of the networks coming through your enforcement module.
Hope this helps.
Regards
On 1/17/07, Paolo Riviello www.paoloriviello.com <[EMAIL PROTECTED]>
wrote:
>
> Massimiliano usually you should configure just a default gateway which
> route
> your packets to the public internet, therefore you must explain to us
> where
> is your partner's router and where is the new one.
> Anyway I think that you must configure some source traffic rules on
your
> default gateway (something like route map on cisco)...so the default
> gateway
> for your SPLAT remain the same.
>
>
>
> --
>
> Paolo Riviello
>
>
> Home: http://www.paoloriviello.com
> E-mail: [EMAIL PROTECTED]
> E-mail: [EMAIL PROTECTED]
> Skype: pao_rivi Icq: 285354822
>
> If men could get pregnant, abortion would be a sacrament. (H)
>
>
>
>
>
> >From: Markus Schmidt <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Routing...
> >Date: Wed, 17 Jan 2007 17:18:58 +0100
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Simply add a Route via 'sysconfig' (on the command line)
> >You're questioned to enter some Information.
> >* Network is your eth3 network (172.16.0.0)
> >* Subnet is 255.255.0.0
> >* Destination is the Router you want to use, and that's all
> >
> >Is this the Information that Helps? Please let me know.
> >
> >- --
> >http://schmidt.bs-server.com
> >
> >Scarpati Massimiliano schrieb:
> > > Hi guys, i'm a beginner about checkpiont than be patient....
> > >
> > > I have an R55 HFA18 Enforcment Module Secure Platform and a
management
> > > R55 HFA18 on Windows. On my Enforcment now I have 3 ethernet:
> > >
> > >
> > >
> > > Eth0 Private Address......x.x.x.x (172.31.w.w)
> > >
> > > Eth1 Private Address.....y.y.y.y (172.31.y.y)
> > >
> > > Eth2 Private Address.....z.z.z.z (192.z.z.z)
> > >
> > >
> > >
> > > Now on my SPLAT I have some route to particular IP address and I
have
> a
> > > default ROUTE that teach my Splat to route all the packets from my
LAN
> > > (Eth1) to a public IP Address (a Router of a partner that give me
the
> > > connectivity to Internet not managed by me)
> > >
> > >
> > >
> > > I want implement another network to publish some services, than on
the
> > > Enforcment I add a new Ethernet
> > >
> > >
> > >
> > > Eth3 (172.16.h.h)
> > >
> > >
> > >
> > > Now my lan Eth1 y.y.y.y go to internet via the Router of my
partner.
> > >
> > >
> > >
> > > I have another Router with a public IP address and I want publish
my
> new
> > > machines in the IP class 172.16.h.h via this Router.
> > >
> > >
> > >
> > > My question is... it's possible configure my Enforcment to Route
all
> the
> > > packet coming from 172.16.h.h, and only these, and that have
> destination
> > > public IP Addresses, to this Router?
> > >
> > > I Want continue to route the packets coming from my lan Eth1
> > > (172.31.y.y) to the Router of my partner and than route all coming
> from
> > > my new Eth3 (172.16.h.h) to the new Public IP.
> > >
> > >
> > >
> > > If it is possible and someone has similar config suggest me the way
to
> > > do this.
> > >
> > >
> > >
> > > Thanks.
> > >
> > >
> > >
> > > Mazzz
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [EMAIL PROTECTED]
> > > =================================================
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.2.5 (MingW32)
> >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> >iD8DBQFFrkxyPVyB00VJC9cRAh6nAJ9vh2YRT3xVTZ9wG/kEo9GBqXoD4ACdFZS3
> >ZmT+alBL1LGuJoItfZAhrSw=
> >=ZSog
> >-----END PGP SIGNATURE-----
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[EMAIL PROTECTED]
> >=================================================
>
> _________________________________________________________________
> Aggiungi i tuoi nuovi contatti di Hotmail anche in Messenger.Con un
click!
> http://join.msn.com/hotmail/features-std#6
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
--
Sergio Alvarez
(506)8301342
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
