bradrmorris
Explorer

Checkpoint 3000 Multiple Public IP Ranges

We are in the process of migrating off our existing firewalls to a Checkpoint XL Cluster.  We currently have 2 different Public IP Ranges from our ISP.  The interfaces of our existing firewall are assigned IPs from one range (range 1) as well as having other manual NAT Rules for IPs in this range.  We then have NAT Rules for IPs in the other range (range 2) that work even though we don't have any physical interfaces with IPs in this range.

So far on the checkpoints I am only able to get NAT rules working for one IP Range, which is the same range we are using on the Interfaces.  Is there a way to get our Second IP Range working without having to assign an IP from that range to an interface?

0 Kudos
8 Replies
_Val_
Admin
Admin

Please share the version in use. Also, a diagram with some (even bogus) IP addresses would help. From the description alone, it seems to be possible to achieve your goal, so it is unclear what your actual issue is. Please elaborate.

0 Kudos
bradrmorris
Explorer

Thanks _Val_,

We are running version R81.   We have also set up the Manual NAT rules for the IPs in the other range along with Proxy ARP entries, but this did not seem to help.  When running "fw ctl arp" I see an entry for NAT rules when the Public IP is in the range of our External Interface, but when I create a rule using a Public IP from our other range nothing ever shows up.

0 Kudos
_Val_
Admin
Admin

See the question below from @Chris_Atkinson

I think routing is the issue here. That Cisco ASA there is not really helping. Why not route all to the CP FW?

0 Kudos
bradrmorris
Explorer

Thanks _Val_,

I might need to reach back out to the ISP.  My understanding is that the ISP's device didn't have routes to our devices, but I might need to confirm that.  We were trying to have the ASA and Checkpoint up in parallel and migrate things over.

0 Kudos
bradrmorris
Explorer

Hey _Val_,

I believe I found what I was missing.  I was reading up more on Proxy ARP and found that we needed to have the setting "Merge manual proxy ARP Configuration" enabled under global properties, and we did not.  Once I enabled this everything started working as expected with the 2nd Range of Public IPs.  Thanks for your assistance.

0 Kudos
Chris_Atkinson
Employee

Subnet1 sounds like it might be using Proxy-ARP.

Has Subnet2 been routed towards the firewall by the ISP?

CCSM R77/R80/ELITE
0 Kudos
bradrmorris
Explorer

Hey Chris,

I might have to reach back out to our ISP.  It was my understanding that the ISP's device didn't have routes to our devices; it was just a gateway that we routed to.  When we assigned an IP to the Checkpoint device it worked instantly without a route on the ISP device.  I am going to contact them to verify either way.  I wonder if I just need the right combination of Proxy-ARP and routes for the second range on our CP device.  Thanks.

0 Kudos
bradrmorris
Explorer

Hey Chris,

I believe I found what I was missing.  I was reading up more on Proxy ARP and found that we needed to have the setting "Merge manual proxy ARP Configuration" enabled under global properties, and we did not.  Once I enabled this everything started working as expected with the 2nd Range of Public IPs.  Thanks for your assistance.

0 Kudos
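The check bradrmorris did by hand in this thread (looking at what `fw ctl arp` shows for each NAT public IP) and Chris_Atkinson's distinction between a range that is on-link for the external interface and one that has to be routed to the gateway, as an added example that is not part of the thread and is not Check Point tooling. The script classifies manual-NAT public IPs against the external interface's subnet, reports which ones have no loaded proxy-ARP entry, and builds `$FWDIR/conf/local.arp` lines (the `<ip> <mac>` format) for the missing ones. All addresses and MACs are constructed (RFC 5737 ranges), and the exact line shape of `fw ctl arp` output, taken here as `(<ip>) at <mac>`, is an assumption to verify against a real gateway.

```python
"""Sanity check for manual-NAT public IPs on a Check Point gateway.

Added example for this thread, not code from the thread or from Check Point.
It compares the public IPs used in manual NAT rules with (a) the external
interface's subnet and (b) the proxy-ARP entries the gateway has actually
loaded, as listed by `fw ctl arp`. All addresses, MACs and the `fw ctl arp`
sample below are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed: the gateway's external interface ("range 1" in the thread).
EXTERNAL_IF_CIDR = "198.51.100.10/27"

# Constructed: public IPs used as translated addresses in manual NAT rules.
NAT_PUBLIC_IPS = [
    "198.51.100.20",  # range 1: same subnet as the external interface
    "198.51.100.21",
    "203.0.113.5",    # range 2: no gateway interface has an address here
    "203.0.113.6",
]

# Constructed sample in the shape of `fw ctl arp` output. The parser assumes
# one entry per line of the form "(<ip>) at <mac>" (assumption: confirm the
# format on a real gateway before relying on it).
FW_CTL_ARP_SAMPLE = """\
(198.51.100.20) at 00:1c:7f:aa:bb:01
(198.51.100.21) at 00:1c:7f:aa:bb:01
"""

_ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{17})")


def parse_fw_ctl_arp(output: str) -> Dict[str, str]:
    """Map each proxied IP in `fw ctl arp` output to the MAC it is answered with."""
    return {m.group(1): m.group(2).lower() for m in _ARP_LINE.finditer(output)}


def check_nat_public_ips(ext_if_cidr: str, nat_ips: List[str],
                         fw_ctl_arp_output: str) -> Dict[str, List[str]]:
    """Classify NAT public IPs against the interface subnet and loaded proxy-ARP entries.

    in_interface_subnet      - on-link for the gateway; automatic proxy ARP normally
                               covers these
    outside_interface_subnet - not on any gateway interface; the ISP must route the
                               range to the gateway, or manual proxy ARP is needed if
                               the ISP treats it as on-segment (the thread's "range 2")
    missing_proxy_arp        - no entry in `fw ctl arp`, so the gateway will not answer
                               ARP for it (what bradrmorris saw before enabling the
                               merge setting)
    """
    ext_if = ipaddress.ip_interface(ext_if_cidr)
    proxied = parse_fw_ctl_arp(fw_ctl_arp_output)
    report: Dict[str, List[str]] = {
        "in_interface_subnet": [],
        "outside_interface_subnet": [],
        "missing_proxy_arp": [],
    }
    for ip in nat_ips:
        addr = ipaddress.ip_address(ip)
        key = "in_interface_subnet" if addr in ext_if.network else "outside_interface_subnet"
        report[key].append(ip)
        if ip not in proxied:
            report["missing_proxy_arp"].append(ip)
    return report


def local_arp_lines(ips: List[str], external_mac: str) -> List[str]:
    """Build manual proxy-ARP lines in the `$FWDIR/conf/local.arp` format ("<ip> <mac>").

    These entries are only loaded alongside the automatic ones when
    "Merge manual proxy ARP configuration" is enabled in Global Properties,
    which is the setting the thread ended on.
    """
    return [f"{ip} {external_mac.lower()}" for ip in ips]


if __name__ == "__main__":
    result = check_nat_public_ips(EXTERNAL_IF_CIDR, NAT_PUBLIC_IPS, FW_CTL_ARP_SAMPLE)
    for category, ips in result.items():
        print(f"{category}: {', '.join(ips) or '-'}")
    # Constructed MAC of the external interface.
    for line in local_arp_lines(result["missing_proxy_arp"], "00:1c:7f:aa:bb:01"):
        print("local.arp:", line)
```

Run it against the real `fw ctl arp` output captured from the gateway (replace the constructed sample) after pushing policy; any NAT IP listed under `missing_proxy_arp` is one the gateway will never answer ARP for, which is exactly the symptom in the thread, and anything under `outside_interface_subnet` is the set to raise with the ISP if their router is expected to route rather than ARP for it.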