Multiple registered subnets, one ext interface

[pvtjoker27]

Need some help on this -

We have a deployment that is moving 3 registered subnets (formerly on 3 different FW's with 2 ext facing interfaces) to 3 registered subnets on a single NGX cluster.

Let's call the registered nets: 64.x.x.x (the subnet the ext interface of the CP is on), 191.x.x.x and 11.x.x.x.

The incoming "pipes" are aggregated via a fatpipe warp device - this device has 3 logical interfaces which connect via one physical interface to a switch - this is the switch which our single IPSO/CP NGX R60 external interface will connect.

We have internal devices that need to statically map to addresses on all three registered subnets. On our old FW solution, this wasn't a problem - it recieved a request for an address on the 191, 64 or 11 and simply passed it along to the internal host that was specified.

My question is this - does Checkpoint behave the same way?If I create a static NAT entry for an internal host, can it be on any of the three registered subnets, or does it have to be on the ext interface subnet (64.x.x.x)? Will the automatic functions cover the arp issues?

If not - any clues as to how to do this?

[RobertGraham]

As long as you register one IP from each network on the external interface, it should be possible to do exactly what you need.

However, I don't know about using the fatpipe device you speak of. You might have problems getting Check Point to realize that one interface is on three different networks. Is it safe to guess that you can't supernet them?

[theoracle]

It should work fine with your 3 registered addresses. The arp issues are handled transparently by the Checkpoint modules.