Sys_Admin
Participant

Network range and routing

Hello,

First of all, I'm new to Check Point, and I don't have much time for digging into it, hence the probably easy question I'm going to ask.

So, we've got this new firewall in our MPLS environment, R77.30 on open server.

Everything was more or less set up by our MPLS provider who has handed it over to us without much information.

So here are my issues.

We've added a new branch office which is connected through the MPLS (I can reach it without issue from my office, so routing is OK inside the MPLS); however, I can't reach it from the firewall.

My routing table is like this (and no other route):

10.0.0.0/8 > via 10.201.1.254

On the subnets in the range that were created before, I can traceroute them to the next hop; on my new subnet (in 10.XXX.XXX.XXX too) I can't reach the next hop. Also, I don't have the route populated in the VPN.

So obviously, I'm missing something there. I've tried to check documentation and forums, but as a day-to-day sysadmin, I can't really have enough time to check thoroughly.

Could someone point me to the right direction or right documentation page?

Many thanks,

Accepted Solutions
Maarten_Sjouw
Champion
Go into tracker and see if you can filter on source (the network of the new location) like 10.10.10.0/24 and you will probably see that you have only drops for that traffic. It depends on how they set it up, but I can imagine that they identified all networks separately and entered all of them, either in Spoofing on the WAN interface (the one connecting to the MPLS router), or they only allowed the specified networks access in and out.

When you see anti-spoofing errors, you need to add the new site range to the group that is on the interface leading to the MPLS router.
Regards, Maarten

Sys_Admin
Participant
That was it indeed, there was a group named after a fw interface that included all other networks.
Many thanks for your help.
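
The mismatch resolved in this thread, as an added example (not from the original posts and not Check Point code): the 10.0.0.0/8 route covers the new site, but the anti-spoofing group on the MPLS-facing interface lists networks individually. It is a simplified model; the interface name `eth1` and the group contents are assumptions, and 10.10.10.0/24 is the sample range from the answer.

```python
import ipaddress

# Constructed sample data. Only the 10.0.0.0/8 route and 10.10.10.0/24 come
# from the thread; "eth1" and the group members are hypothetical.
ROUTES = [("10.0.0.0/8", "eth1")]  # eth1 = interface facing the MPLS router
SPOOF_GROUPS = {"eth1": ["10.1.0.0/16", "10.2.0.0/16", "10.201.1.0/24"]}


def egress_interface(net, routes):
    """Longest-prefix match: the interface the routing table uses for net."""
    best = None
    for prefix, iface in routes:
        p = ipaddress.ip_network(prefix)
        if net.subnet_of(p) and (best is None or p.prefixlen > best[0].prefixlen):
            best = (p, iface)
    return best[1] if best else None


def antispoof_verdict(source_cidr, routes, groups):
    """Classify a source network against the group bound to its interface.

    accept     - fully inside a group member
    partial    - overlaps a member but is not contained in one
    spoof-drop - routed via the interface, absent from its group
    no-route   - the routing table does not cover it at all
    """
    net = ipaddress.ip_network(source_cidr)
    iface = egress_interface(net, routes)
    if iface is None:
        return "no-route"
    allowed = [ipaddress.ip_network(n) for n in groups.get(iface, [])]
    if any(net.subnet_of(a) for a in allowed):
        return "accept"
    if any(net.overlaps(a) for a in allowed):
        return "partial"
    return "spoof-drop"


def missing_from_groups(sites, routes, groups):
    """Sites that are routable but would still fail the anti-spoofing check."""
    bad = ("partial", "spoof-drop")
    return [s for s in sites if antispoof_verdict(s, routes, groups) in bad]


if __name__ == "__main__":
    sites = ["10.1.5.0/24", "10.10.10.0/24", "192.168.1.0/24"]
    for s in sites:
        print(s, antispoof_verdict(s, ROUTES, SPOOF_GROUPS))
```

Running the same comparison against the real route list and interface group whenever a site is added shows which ranges still need to be added to the group.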
