This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
victor
Explorer
‎2019-09-21 06:48 AM

How to have a secondary public ip on lan interface

hi we want to allocate some servers in our network public ips. We have a block of xx.xxx.xxx.216/29 public ips whereby 217 is the gateway from the ISP and 218 is our public ip for the external facing (eth2) interface of the firewall.We have a server that we want to allocate the 220 ip however when i try giving any of the public ips say the 219 as a secondary ip to the internal afacing interface (eth7) connected to the LAN so that it can act as my servers' (220) gateway i get an error "xxx.xxx.xxx.219/29 conflicts with destination network of eth2." where eth2 is the external facing interface (218).kindly assit on how to go about it.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-09-21 07:11 AM

This can all be achieved through the NAT Policy.
Start with "Configuring the NAT Policy" in the product documentation.
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SecurityManagement_AdminGuid...
0 Kudos
victor
Explorer
‎2019-10-04 05:21 AM
In response to PhoneBoy

Hi I think i didn't express myself well enough so let me try again.

I want to have a server in my local area network configured with a public ip on one interface and a local ip on the other interface.i have therefore procured an extra set of public ips from my isp as follows 41.x.x.184/29.

We have the 41.x.x.185 as the isp router which is up and pingable from the internet.We have configured the 41.x.x.186 on one of our firewall interfaces (eth5) whereas our external interface is (eth2) and internal is (eth7). We have connected the server directly to the firewall on (eth5) interface and configured it with and ip of 41.x.x.187 and a gateway of 41.x.x.186.We have created the network object for 41.x.x.184/29 network and added to the network group (internal lans)that allows our internal networks to connect to the internet.We however cannot ping 41.x.x.185 from the server and we also cannot ping 41.x.x.186 form the internet,needless to say the server doesn't connect to the internet.what is it we haven't done correctly kindly assist.

 

 

0 Kudos
FedericoMeiners
Advisor
‎2019-10-04 05:36 AM
In response to victor

@victor 

You have a ARP problem. If I understand you right basically what is happening is that your firewall has a public IP on eth2, you did not specify but I guess that it's another prefix different that 41.x.x186/29.

When someone in the internet ask for your server (41.x.x.186) ARP must be resolved and your public interface on your firewall (eth2) doesn't know how to resolve it. Same happens when you set up a manual NAT with a different IP of the wan interface of your firewall.

You could try to sort this out by setting a Proxy ARP entry: When someone ask about 41.x.x.186 reply with eth2 MAC Address. After that maybe you will have to solve some default route issues with PBR.

Hope it helps

______

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events