Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Copper

I need help with routing

So i need to configure routing on my 1100 firewall and below is the information i have for the configuration-

 

Site subnet:  10.40.3.X/24

 

Eth LAN2 (vlan20 –secured): 10.40.3.21/29; dgw= 10.40.3.20/29  (int Gi0/2)

Eth LAN5 (vlan 10 - unsecured): 10.40.3.11/29, dgw = 10.40.3.10/29 (int Gi0/1)

 

Source network:

216.152.218.X/32

 

Destination networks:

Checkpoint Portal/Blade - https://10.169.90.4/sslvpn

                149.122.13.X/32

                149.122.13.X/32

                149.122.13.X/32

 

So what would be the command on cli since i only have console access to configure routing?

 

Fo reference below is the routing configuration for another 1100 appliance and i was told that the routing should be similar to this one-

 

# Static routes
delete static-routes
add static-route service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20" metric 0
set static-route 2 service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20 metric 0 disabled false
add static-route service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 3 service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"
add static-route service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 1 service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"

 

I cannot figure out what the destination network should be as is shown for above configuration, just keeps showing error and so whenever i try out something.

0 Kudos
8 Replies
Highlighted
Copper

maybe the destination network has to be any or something?

0 Kudos
Highlighted
Sapphire

Can you rather  draw a network plan ?  I seem not to be able to figure it out from what you wrote...

0 Kudos
Highlighted
Copper

so the config that you see is what i received from the telecom team, and this firewall is connected to a switch where the lan 2 port of the firewall is connected to the gi0/2 port of the switch and the lan5 pot is connected to gi0/1 of the switch as shown in the config below, i know that the writing is a bit confusing but yeah thats the info i received-

Eth LAN2 (vlan20 –secured): 10.40.3.21/29; dgw= 10.40.3.20/29  (int Gi0/2)

Eth LAN5 (vlan 10 - unsecured): 10.40.3.11/29, dgw = 10.40.3.10/29 (int Gi0/1)

 

All i need to configure is the routing for this firewall based on the above info, i tried the add static-route.....

command yesterday but it showed some kind of error, i will try out something today as well to see if it works or not,

so what i beleive is there should be 2 statements for the routes based on the above info. What im planning to implement today is the below commands hopefully they should work-

set static-route 1 service any destination any source 10.40.3.21/29 nexthop gateway ipv4-address 10.40.3.20 disabled false metric 0
set static-route 2 service any destination any source 10.40.3.11/29 nexthop gateway ipv4-address 10.40.3.10 disabled false metric 0

And as i mentioned for reference you can look at the routing config for the other 1100 firewall that i shared in the op which does have specific destinations by the way for the static routes.

 

0 Kudos
Highlighted
Copper

And this part here below i implemented it as a rule in a policy-

 

Source network:

216.152.218.X/32

 

Destination networks:

Checkpoint Portal/Blade - https://10.169.90.4/sslvpn

                149.122.13.X/32

                149.122.13.X/32

                149.122.13.X/32

0 Kudos
Highlighted
Copper

So those commands that i mentioned do not work apparently, maybe there is something wrong with what i chose for the source,dest,next hop ip values.

0 Kudos
Highlighted
Silver

add static-route service Any destination "149.122.13.X/32" nexthop gateway ipv4-address "X.X.X.X" metric "1"

Obviously need to replace the X with actual number required which obviously we don't have.

We won't know the next hop address on your network so cannot tell you what the X need to be

0 Kudos
Highlighted
Copper

so the next hop is the dgw specified in my post

0 Kudos
Highlighted
Copper

The firewall is on version R77.20 by the way.

0 Kudos