This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BrianD
Participant
‎2021-11-03 02:50 PM

Alias WAN IP not functioning

Our R81.10 appears to not allow us to add an public ALIAS IP address, that is on a different block from the primary WAN IP.

We have several additional public IPs successfully attached to our ETH1 (external) interface via the ARP feature. However, we have some public IPs that are on a different block which requires those to be added as ALIAS's to the ETH1 interface.

The following is what I did, maybe I missed something?

1. logged into the Gaia web interface and added an ALIAS with member of ETH1 and provided the IP and subnet.

2. Went in SMARTCONSOLE and synchronized the topology which DID NOT see the ALIAS object we created in step 1.

3. Insite the SMARTCONSOLE object explorer, I created a HOST object with the public IP from step #1.

4. Created a NAT rule to forward traffic on a specific port from ANY, TO the ALIAS IP, translated to our test server on the original port.

5. Created a firewall policy to allow traffic to the ALIAS IP with any any.

Labels
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2021-11-03 06:16 PM

Gateway objects only care about the physical interfaces and will ignore any aliases.
That is expected behavior.

If you use Automatic NAT rules, you don't need to create ARPs for anything (or shouldn't).
For the IPs that are aliased on your external interface, if the upstream router simply forwards those IPs to your gateway, you won't need the alias IPs either.

0 Kudos
BrianD
Participant
‎2021-11-05 02:52 PM
In response to PhoneBoy

Unfortanetly, we have to specify gateways on our other routers within the colo.

I have a new block of 32 IPs (/27) that I need to attach to the CP but can't get it to work. I've added an alias interface, attached to our ETH1 (internet), create the HOST object for that new public IP, then created the NAT and access control rules and get traffic to flow.

Since I normally need to specify a gateway on my other routers, how can I accomplish this on the CP? Adding an ALIAS with the right subnet mask, on our ETH1 interface is not doing the trick.

 

Thank you very much! Any information I can provide to help us please let me know.

0 Kudos
BrianD
Participant
‎2021-11-05 02:56 PM
In response to BrianD

Here's what the ALIAS Interface looks like.

2021-11-05_16-55-25.png

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2021-11-05 03:05 PM
In response to BrianD

Typically an alias interface shouldn't be required here. 

The adjacent device simply routes the subnet to your existing external interface and you configure NAT.

What is the configuration of the adjacent device that mandates the alias interface?

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top