CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 | K2Technologies (Junior Member) | 2007-03-21
Gateway swap

I have an existing Nokia IP 350 running IPSO 3.8 that I am trying to replace with a Dell 1850 running SPLAT R60 (HFA05).

Each box has its own internal IP address (172.24.1.14 Nokia - 172.24.1.15 SPLAT). The other connections, two for our external Internet connectivity and one for a DMZ, are the same between each gateway. When I move the connections to the new gateway, I get nothing. No DMZ connectivity, no Internet access. Sv Tracker appears to be showing the traffic flowing. I've updated my internal core router (Cisco 6509) for the routes to the new gateway, and I've even cleared the ARP cache on my edge routers to my ISP. Nothing.

Policy loads fine with no errors - what am I missing to make this change?

#2 | MarioL (Senior Member, London) | 2007-03-22
Re: Gateway swap

Can you reach the DMZ and out to the internet fine on the new gateway?

The old gateway is disconnected when you are testing, right?

#3 | K2Technologies (Junior Member) | 2007-03-22
Re: Gateway swap

No, I cannot reach the DMZ hosts or the Internet. I can reach those interfaces on the gateway, but nothing beyond that.

The original gateway is disconnected, I clear the ARP cache on the routers involved, and Sv Tracker shows log info that indicates that it is passing the traffic, though I get nothing.

#4 | Calumski (Junior Member, Aberdeenshire) | 2007-03-22
Re: Gateway swap

Quote (originally posted by K2Technologies):
> No, I cannot reach the DMZ hosts or the Internet. I can reach those interfaces on the gateway, but nothing beyond that.
>
> The original gateway is disconnected, I clear the ARP cache on the routers involved, and Sv Tracker shows log info that indicates that it is passing the traffic, though I get nothing.

Are you getting ARP entries on the edge routers and devices connected to the SPLAT fw?

#5 | K2Technologies (Junior Member) | 2007-03-26
Re: Gateway swap

Yes, I am getting ARP entries on the new gateway.

#6 | antonyso88 (Senior Member) | 2007-03-26
Re: Gateway swap

I am thinking you may be using NAT in your DMZ. How about from your internal network to the DMZ? Is it accessible? Make sure you have checked the NAT properties option.

Moreover, for simple troubleshooting, I recommend you create an ANY-ANY accept policy to troubleshoot the networking. I think the problem is a networking problem more than a firewall problem.

#7 | K2Technologies (Junior Member) | 2007-03-26
Re: Gateway swap

It works:

I moved the (internal) routes and everything else to the new gateway once again. This time I let it sit and did not switch back after 10 minutes as I had been doing, even after clearing the ARP caches of all the network devices I have access to.

I came back 35 minutes later to find everything passing through the new gateway without issue. I guess all that was needed was patience.

What a pain in the gazooker.