This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bradrmorris
Explorer
‎2021-12-20 05:52 AM
Jump to solution

Checkpoint 3000 Multiple Public IP Ranges

We are in the process of migrating off our existing firewalls to a Checkpoint XL Cluster.  We currently have 2 different Public IP Ranges from our ISP.  The interfaces of our existing firewall are assigned IPs from one ranges (range 1) as well as having other manual NAT Rules for IPs in this range.  We then have NAT Rules for IPs in the other range (range 2) that work even though we don't have any physical interfaces with IPs in this range. 

So far on the checkpoints I am only able to get NAT rules working for one IP Range which is the same range we are using on the Interfaces.  Is there a way to get our Second IP Range working without having to assign IP From that range to an interface?

0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2021-12-20 06:51 AM
Jump to solution

Subnet1 sounds like it might be using Proxy-ARP.

Has Subnet2 been routed towards the firewall by the ISP?

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
_Val_
Admin
Admin
‎2021-12-20 06:58 AM
In response to bradrmorris
Jump to solution

@See the question below from @Chris_Atkinson 

I think routing is the issue here. That Cisco ASA there is not really helping. Why not routing all to CP FW?

View solution in original post

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2021-12-20 06:34 AM
Jump to solution

Please share the version is use. Also, a diagram with some (even bogus) IP addresses would help. From the description alone, it seems to be possible to achieve your goal, so it is unclear what is your actual issue. Please elaborate.

0 Kudos
bradrmorris
Explorer
‎2021-12-20 06:45 AM
In response to _Val_
Jump to solution

Thanks _Val_,

 

We are running version R81.   We have also setup the Manual NAT rules for the IPs in the other range along with Proxy ARP entries, but this did not seem to help.  When running "fw ctl arp" I see an entry for NAT rules when the PUblic IP is in the range of our External Interface, but when I create a rule using a Public IP from our other range nothing ever shows up.

 

 

 

Preview file
64 KB
0 Kudos
_Val_
Admin
Admin
‎2021-12-20 06:58 AM
In response to bradrmorris
Jump to solution

@See the question below from @Chris_Atkinson 

I think routing is the issue here. That Cisco ASA there is not really helping. Why not routing all to CP FW?

0 Kudos
bradrmorris
Explorer
‎2021-12-20 07:24 AM
In response to _Val_
Jump to solution

Thanks _Val_,

 

I might need to reach back out to the ISP.  My understanding is that the ISP's device didn't have routes to our devices, but I might need to confirm that.  We were trying to have the ASA and Checkpoint up in parallel and migrate things over.

0 Kudos
bradrmorris
Explorer
‎2021-12-20 01:35 PM
In response to _Val_
Jump to solution

Hey _Val_

 

I believe I found what I was missing.  I was reading up more on Proxy ARP and found that we needed to have the setting "Merge manual proxy ARP Configuration" enabled under global properties, and we did not.  Once I enabled this everything started working as expected with the 2nd Range of Public IPs.  Thanks for your assistance.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2021-12-20 06:51 AM
Jump to solution

Subnet1 sounds like it might be using Proxy-ARP.

Has Subnet2 been routed towards the firewall by the ISP?

CCSM R77/R80/ELITE
0 Kudos
bradrmorris
Explorer
‎2021-12-20 07:27 AM
In response to Chris_Atkinson
Jump to solution

Hey Chris,

 

I might have to reach back out to our ISP.  It was my understanding that the ISP's device didn't have routes to our devices, it was just a Gateway that we routed to.  When we assigned an IP to the Checkpoint device it worked instantly without a route on the ISP device.  I am going to contact them to verify either way.  I wonder if I just need the right combination of Proxy-ARP and routs for the second range on our CP device.  Thanks.

0 Kudos
bradrmorris
Explorer
‎2021-12-20 01:35 PM
In response to Chris_Atkinson
Jump to solution

Hey Chris,

 

I believe I found what I was missing.  I was reading up more on Proxy ARP and found that we needed to have the setting "Merge manual proxy ARP Configuration" enabled under global properties, and we did not.  Once I enabled this everything started working as expected with the 2nd Range of Public IPs.  Thanks for your assistance.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events