That seems unwieldy.

If I have it right, in FW-1 (4.1 SP-6):

1) I'll have to define the 3 vLAN networks (directly connected by a
router ;>).

2) I'd imagine the firewall wouldn't be able to control access between
the vLANs, but I'll have to define back and forth rules between vLANs
anyway.

3) Then I'll have to make back and forth address translations between
vLANs .2 and .3, .2 and .4, .3 and .4, etc?  Not to mention the DMZ as
well, in which I'll also have to define address translation between the
DMZ and each of the 3 vLANs.

How do big companies manage this with hundreds of /24 vLANs?  I know
that Merrill Lynch uses all /24 vLANs and Checkpoint, I wonder if their
rulebase is 1gb!

Chris

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@beethoven.us.checkpoint.com] On Behalf Of Hal
Dorsman
Sent: Thursday, November 14, 2002 3:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] need to define all LAN networks?


They would only be treated as a subset of 192.168.2.0
if they were included in the same network based on netmask 255.255.0.0.
That you couldn't do in your case since one network 2.0 is directly
connected and 3.0 and 4.0 are not. So, yes, you would need to define
objects and NAT rules for these networks, as well as provide static
routes in the OS pointing to the gateway routers.

Hal

Hal Dorsman
Network Administrator
Rocky Mountain Elk Foundation
Missoula, Montana USA
[EMAIL PROTECTED]
(406)523-4576


> -----Original Message-----
> From: Chris Covington [mailto:ccovington@PLUSONE.COM]
> Sent: Thursday, November 14, 2002 11:17 AM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] need to define all LAN networks?
>
>
> Hi all,
>
> Let's say I have 3 routed /24 subnets in an internal network,
> 192.168.2.0, 192.168.3.0, 192.168.4.0, with the router having an IP of
> 192.168.2.1 (and 192.168.3.1, 192.168.4.1).  The firewall is
> 192.168.2.2.
>
> 192.168.2.0 is connected to eth-s3p1c0, is defined in FW-1, and I've
> configured the static routes between the networks in Voyager (on the
> IPSO platform).
>
> Do I also need to define the other 2 networks in FW-1, & NAT rules
> between them, etc. or will they be treated as a subset of the
> 192.168.2.0?
>
> Chris
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================

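The netmask "subset" test from Hal's reply and the object/route list from Chris's question, worked through as an added example (not code from anyone on the thread). It uses the three /24s, the firewall address 192.168.2.2 and the router 192.168.2.1 from the original post; the object names and the supernet calculation are my own additions.

```python
import ipaddress

# Constructed from the thread: the firewall sits on 192.168.2.2/24 and the
# other two /24s are reached through the router at 192.168.2.1.
FW_INTERFACE = ipaddress.ip_interface("192.168.2.2/24")
NEXT_HOP = ipaddress.ip_address("192.168.2.1")
INTERNAL_SUBNETS = [
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("192.168.3.0/24"),
    ipaddress.ip_network("192.168.4.0/24"),
]


def covered_by(object_net, netmask):
    """Which internal subnets fall inside a network object defined as
    object_net/netmask. With 255.255.255.0 the other /24s are not a subset;
    with 255.255.0.0 they are (Hal's point)."""
    obj = ipaddress.ip_network(f"{object_net}/{netmask}", strict=False)
    return [str(n) for n in INTERNAL_SUBNETS if n.subnet_of(obj)]


def needed_objects_and_routes(fw_iface=FW_INTERFACE, subnets=INTERNAL_SUBNETS):
    """Subnets not on the firewall's own interface each need a network object
    plus a static route in the OS pointing at the gateway router.
    Returns (subnet, next_hop) pairs; the directly connected /24 needs none."""
    local = fw_iface.network
    return [(str(n), str(NEXT_HOP)) for n in subnets if not n.subnet_of(local)]


def smallest_supernet(subnets=INTERNAL_SUBNETS):
    """Smallest single prefix that contains all the subnets. Such a summary
    object would also swallow the firewall's directly connected network,
    which is why Hal says one /16-style object can't be used here."""
    net = subnets[0]
    while not all(n.subnet_of(net) for n in subnets):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    print("covered with /24 mask:", covered_by("192.168.2.0", "255.255.255.0"))
    print("covered with /16 mask:", covered_by("192.168.2.0", "255.255.0.0"))
    print("objects + static routes:", needed_objects_and_routes())
    print("summary prefix:", smallest_supernet())
```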