CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2007-01-10
Junior Member
 
Join Date: 2006-05-23
Posts: 5
Rep Power: 0
devm69 has an average reputation (10+)
Default Migrating from R55 TO R61

Doing a migration from an R55 standalone Windows 2003 to an R61 standalone 2003, which will have a different external and internal IP, as I want to run both side by side to test out prior to moving over. The original, although a standalone, is also managing a remote module and has numerous VPN tunnels.

Have done below and all seems to go well with no errors

on 1st box,
copy of live ng lics
upgrade_export

on 2 box,

install r61 as new install ( not upgrade) using same ip etc as 1st
after install upgrade_import
edit topology to reflect diff nics
set os etc
push policy
update to latest hfa for r61

edit ip for external
push policy

edit ip for internal
push policy

change online lics to new ips and upgrade to ngx
add via smartupdate
push policy

modify any objects with nat etc from old ip range
reset sic for remote enforcement in case it has issues with 2 live fw's trying to communicate with it.
disabled all vpn tunnel rules, but communities still created.
push policy

The issue I have seems to be either NAT related or topology based. I can ping the fw from a laptop on the dummy internal net OK. The fw can browse the web OK. The laptop can't access the web, although I'm sure I could earlier in the install.

Does this seem possible, or should I be going down another route?

Things I intend trying are:

Windows 2003 hardening done prior to install, remove and leave until after install
install r55 with same ip etc then upgrade to r61
install splat on second box using r61 and import config again
on second box during initial cp install use imported config instead of new install


Any opinions would be very helpful.
Cheers
  #2 (permalink)  
Old 2007-01-10
Junior Member
 
Join Date: 2006-09-18
Posts: 19
Rep Power: 0
rayden69 has an average reputation (10+)
Default Re: Migrating from R55 TO R61

You might redo your anti-spoofing rules, as if you changed the topology that could be your holdup. You may need to enable logging of implied rules and look at the SmartView Tracker.

Another area that could now be wrong is the IP address of the hiding IP (NAT): if it was statically set before, the new external network would not work for that. You should look for the internal network object and see what it is NAT'd to (or if it is in fact still NAT'd). In your SmartDashboard, look under the NAT tab to verify what is being used. One easy thing to change it to is 0.0.0.0, which will hide all RFC 1918 traffic destined for the internet behind the IP address of the gateway.

Lastly, you may have an ARP/proxy ARP issue, although the previous workaround would resolve that, since the gateway does ARP for its own address automatically.

Let me know what comes of it and if you need more help!
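
The three checks suggested in the reply above (anti-spoofing topology, a statically set hide address, proxy ARP), written out as an added example that is not part of the original thread and uses no Check Point API. The data model, object names and addresses are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_gateway(interfaces, nat_objects):
    """Flag topology and hide-NAT settings that no longer match the gateway.

    Hypothetical data model: each interface has "address" (CIDR), "external"
    (bool) and "topology" (networks anti-spoofing allows behind it); each NAT
    object has "name", "network" and "hide_behind" (None = no NAT,
    "0.0.0.0" = hide behind the gateway). Returns (object, finding) tuples.
    """
    findings = []
    ext = [ipaddress.ip_interface(i["address"]) for i in interfaces if i["external"]]
    allowed = [ipaddress.ip_network(t)
               for i in interfaces if not i["external"] for t in i["topology"]]
    for obj in nat_objects:
        net = ipaddress.ip_network(obj["network"])
        # Anti-spoofing drops sources not defined behind an internal interface.
        if not any(net.subnet_of(a) for a in allowed):
            findings.append((obj["name"], "anti-spoofing"))
        hide = obj["hide_behind"]
        if hide is None:
            # Private sources leaving un-NAT'd will not get replies back.
            if any(net.subnet_of(p) for p in RFC1918):
                findings.append((obj["name"], "no-nat"))
        elif hide != "0.0.0.0":
            ip = ipaddress.ip_address(hide)
            if not any(ip in e.network for e in ext):
                # Static hide address left over from the old external range.
                findings.append((obj["name"], "stale-hide-address"))
            elif all(ip != e.ip for e in ext):
                # On-link but not the gateway's own address: needs proxy ARP.
                findings.append((obj["name"], "needs-proxy-arp"))
    return findings

# Constructed sample: interface IPs already edited on the new box, but the
# topology and hide address still come from the old ranges.
NEW_IFACES = [
    {"address": "198.51.100.2/24", "external": True, "topology": []},
    {"address": "10.20.0.1/24", "external": False, "topology": ["10.10.0.0/24"]},
]
IMPORTED_NAT = [{"name": "Net_Internal", "network": "10.20.0.0/24",
                 "hide_behind": "192.0.2.10"}]

if __name__ == "__main__":
    for name, finding in check_gateway(NEW_IFACES, IMPORTED_NAT):
        print(f"{name}: {finding}")
```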