Steve, thanks for your reply and patience in explaining in such a detailed and concise manner. Sometimes I wish the documentation was as good as your response.
Thanks to everyone else who replied too... It actually worked as soon as I had the ISP make the change.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Stephen Bourike
Sent: Monday, June 30, 2008 4:25 PM
To: [email protected]
Subject: Re: [FW-1] non-continuous Public Address ranges in SPLAT...Cluster XL

Hi Sal

Assuming you are retaining your original range, which is what my original response assumed, you need to go back to the ISP and ask them to change the router configuration. You DON'T want a secondary interface on the router (either as a sub-interface or using a separate physical interface on the router). You need them to simply route the whole of the new block of addresses from your router on to the external VRRP address of the cluster.

So, let's try to help with an example:

Assuming your original allocation was 81.10.1.32/28 (ie you have addresses 81.10.1.33 - 81.10.1.46 available for use). You have allocated them as follows:

81.10.1.33 - ISP Router
81.10.1.34 - some NAT'd server
81.10.1.35 - some NAT'd server
81.10.1.36 - some NAT'd server
81.10.1.37 - some NAT'd server
81.10.1.38 - some NAT'd server
81.10.1.39 - some NAT'd server
81.10.1.40 - VRRP/Cluster address of cluster
81.10.1.41 - Address of cluster HA1
81.10.1.42 - Address of cluster HA2
81.10.1.43 - some NAT'd server
81.10.1.44 - some NAT'd server
81.10.1.45 - some NAT'd server
81.10.1.46 - some NAT'd server

Now you ask the ISP for another 16 addresses and they provide you with 82.11.20.64/28 (82.11.20.64 - 82.11.20.80)

What you want is for the ISP to add a static route to your local router (81.10.1.33) as follows:

82.11.20.64/28 via 81.10.1.40

This is ALL you need. No additional interfaces on the router, cluster or anywhere else. No extra VRRP or cluster addresses.
You don't even need to add routes on the cluster (if it's Nokia) for the NAT targets, although I still prefer to do this as the comment field allows extra information to be recorded for debugging later.

No ISP should have a problem with this configuration. This is the easiest way to simply add addresses for use as bastion server NAT's (they'll work fine for both Hide and Static NAT entries).

Hope this clears up your block. Mail again if you need any more help.

Steve

On 30/6/08 21:55, "Previtera, Sal" <[EMAIL PROTECTED]> wrote:

> Thanks Steve for your reply...
> I understand the NAT portion and agree but I am having a "mental block"
> right now on the basic TCP/IP.
>
> The ISP Upstream router is using the first IP address of this new block
> of addresses ... I can get to it that far.
>
> When you say
> "
> When you get a new block of addresses, you simply need to get your ISP to
> route the new block to the external address of your firewall. If you have
> an HA pair, that would be the VRRP address of the external interfaces.
> "
>
> Do you mean have it route it to the old (original) VRRP address since I
> do have an HA pair?
>
> Or
>
> Do I need to add a secondary IP (alias) address to the external
> interface on each gateway in the cluster since it already has an IP
> address assigned from the original range?
>
> I am getting confused because I keep thinking that something in the
> firewall cluster needs to be configured with this new IP scheme in order
> to route correctly.
>
> Thanks,
> Sal.
>
>
> -----Original Message-----
> From: Stephen Bourike [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 30, 2008 2:59 PM
> To: Mailing list for discussion of Firewall-1; Previtera, Sal
> Cc: Stephen Bourike
> Subject: Re: [FW-1] non-continuous Public Address ranges in
> SPLAT...Cluster XL
>
>
> Sal
>
> There is nothing magical or difficult about this - you simply need to
> separate the networking from the NAT in your head.
>
> The Check Point documents and certification courses (and many other vendors'
> documentation and training) imply that the routing and NAT for public
> addresses are intrinsically linked. Indeed, the advent of simplified
> policies and automatic ARP for NAT makes it seem even more like they are one
> and the same thing.
>
> They are NOT.
>
> The firewall (any firewall) can NAT any packet that passes through it. The
> important part of this last sentence is the "that passes through it". NOT
> "that it has an arp for" or "that is contiguous with the address block on
> the external interface" or anything else.
>
> When you get a new block of addresses, you simply need to get your ISP to
> route the new block to the external address of your firewall. If you have
> an HA pair, that would be the VRRP address of the external interfaces.
>
> This will bring the traffic to your firewall. From there, you need ONLY
> have NAT rules that control the translations that you need.
>
> YOU DO NOT NEED TO DO ANYTHING WITH AUTOMATIC OR PROXY ARPs !!
>
> Simple huh !
>
> Oh, and best of all, you DON'T lose the network and broadcast addresses from
> that routed subnet, so you get an extra couple of free addresses to boot !
>
> Hope that this helps.
>
>
> Steve Bourike
> Applied Security Consulting Limited
> htp://www.appliedsecurity.co.uk
>
>
> On 30/6/08 20:10, "Previtera, Sal" <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>> Possibly this may have been discussed before; if anyone can give me
>> hints or point me to the right documents it will be greatly appreciated.
>>
>> We have run out of public IP addresses in the range we had on the Internet
>> side, so we had to purchase additional IP addresses.
>> But the range is not continuous from our previous ones;
>>
>> 1. How do we add the additional IP range to be recognized by the
>> Checkpoint FW cluster, since it will be used to translate additional
>> hosts inside.
>> Do I add a secondary IP address to the external interface
>> within this new range, on each gateway in the cluster?
>> 2. Do I need to create an additional Virtual IP address for the
>> cluster on this new range?
>>
>> Thank you all for your input....
>>
>>
>> Scanned by Check Point Total Security Gateway.
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to [EMAIL PROTECTED]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> [EMAIL PROTECTED]
>> =================================================
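The point Steve makes twice in this thread (traffic for a routed block reaches the firewall by a static route whose next hop is the cluster VRRP address, so only on-link addresses ever need ARP, and a routed block keeps its network and broadcast addresses usable) can be checked mechanically before asking an ISP for a change. The script below is an added example written for this page, not code from the thread, from Check Point or from Nokia; the class and function names are my own, and the addresses are the ones from Steve's worked example. It classifies each public address by how it reaches the firewall, counts what is free for NAT, and flags a route whose next hop the ISP router could not reach on its own link (the "secondary address on the cluster" plan Sal was considering).

```python
"""Model the routing-vs-NAT distinction for a firewall cluster behind an ISP router.

Added example. Assumed layout: the ISP router shares one subnet with the
cluster (the on-link subnet); every further public block is delivered by a
static route on the router. Names below are hypothetical, not vendor APIs.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EdgeDesign:
    onlink_net: ipaddress.IPv4Network          # subnet shared with the ISP router
    isp_router: ipaddress.IPv4Address          # router's address on that subnet
    cluster_vip: ipaddress.IPv4Address         # VRRP / cluster address
    members: list                              # physical addresses of HA1, HA2
    routed_blocks: dict = field(default_factory=dict)  # IPv4Network -> next hop


def validate_static_routes(design):
    """Return a list of problems with the routes the ISP would add; [] is good."""
    problems = []
    for net, nexthop in design.routed_blocks.items():
        # The router resolves the next hop by ARP, so it must be on the shared link.
        if nexthop not in design.onlink_net:
            problems.append(f"{net}: next hop {nexthop} is not on the router's link {design.onlink_net}")
        if net.overlaps(design.onlink_net):
            problems.append(f"{net}: overlaps the on-link subnet and would shadow connected hosts")
    return problems


def classify(design, addr):
    """Describe how traffic for addr reaches the firewall and what that requires."""
    addr = ipaddress.IPv4Address(addr)
    if addr in design.onlink_net:
        reserved = {design.onlink_net.network_address, design.onlink_net.broadcast_address,
                    design.isp_router, design.cluster_vip, *design.members}
        if addr in reserved:
            return "reserved"
        return "on-link: router ARPs for it, cluster must answer (automatic/proxy ARP)"
    for net, nexthop in design.routed_blocks.items():
        if addr in net:
            return f"routed: delivered by static route {net} via {nexthop}; no ARP needed"
    return "unreachable: no route delivers it to the firewall"


def usable_nat_addresses(design):
    """(on-link addresses free for NAT, routed addresses free for NAT)."""
    onlink = [a for a in design.onlink_net.hosts() if classify(design, a).startswith("on-link")]
    # A routed block is never on a link, so its network and broadcast addresses are usable too.
    routed = [a for net in design.routed_blocks for a in net]
    return onlink, routed


# Steve's example: original /28 on the link, new /28 routed to the VRRP address.
GOOD = EdgeDesign(
    onlink_net=ipaddress.IPv4Network("81.10.1.32/28"),
    isp_router=ipaddress.IPv4Address("81.10.1.33"),
    cluster_vip=ipaddress.IPv4Address("81.10.1.40"),
    members=[ipaddress.IPv4Address("81.10.1.41"), ipaddress.IPv4Address("81.10.1.42")],
    routed_blocks={ipaddress.IPv4Network("82.11.20.64/28"): ipaddress.IPv4Address("81.10.1.40")},
)

# The plan Sal was considering: point the route at an alias inside the new block.
# The router has no interface in that block, so it cannot ARP for the next hop.
BAD = EdgeDesign(
    onlink_net=GOOD.onlink_net, isp_router=GOOD.isp_router,
    cluster_vip=GOOD.cluster_vip, members=GOOD.members,
    routed_blocks={ipaddress.IPv4Network("82.11.20.64/28"): ipaddress.IPv4Address("82.11.20.65")},
)

if __name__ == "__main__":
    for design in (GOOD, BAD):
        print("route problems:", validate_static_routes(design) or "none")
    onlink, routed = usable_nat_addresses(GOOD)
    print(f"{len(onlink)} on-link and {len(routed)} routed addresses free for NAT")
    for a in ("81.10.1.34", "81.10.1.40", "82.11.20.64", "82.11.20.100"):
        print(a, "->", classify(GOOD, a))
```

With Steve's numbers the good design yields 10 free on-link addresses (14 hosts minus the router, the VRRP address and the two member addresses) plus all 16 of the routed block, and the only route check that fails is the alias next hop, which is exactly the configuration the thread says not to build.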
