1 External interface with 2 IP Addresses

[slash85]

Running Checkpoint with AI (R55)

Hi,

We recently got a new range of IP addresses off our ISP and have assigned two ips to our FW's external interface eg:

Previous IP: 194.178.51.60
Additional IP: 193.189.31.88 (both now on the same nic)

There is a different default gateway with the new range which we have also added to the card, so now we have:

194.178.51.60 255.255.255.240 dg: 194.178.51.59
193.189.31.88 255.255.255.224 dg: 193.189.31.87 (again both on the same nic)

We have another interface(wb1) in the FW which directly connects to a webserver(wb2).

wb1 192.168.34.1 255.255.255.0 dg: 193.189.31.88
wb2 192.168.34.14 255.255.255.0 dg: 192.168.34.1

wb2 has a NAT of 193.189.31.89.

We just have a simple rule in place for now to allow a single static external address to ping 193.189.31.89 but with no success, nothing even shows in the logs.

Internally this all works like a DMZ segregating the webserver off from the main network.

Is this supported? Have I missed something? Have I made any sense?

Thanks for any help,
Slash.

[MarioL]

What platform are you running on?

Have you tried to do that in the firewall object, under the ISP tab?

[slash85]

Hi,

I'm Running Windows 2003 Server. The way i've assigned multiple ips to one NIC was through TCP/IP properties. Do i need to assign this within checkpoint somewhere as well?

Thanks for the reply,

Slash.

[chillyjim]

Yes you need to add the IP addresses into the gateway's topology

[slash85]

Nice 1 i'll give this a try on Monday

[slash85]

Hi,

How can i add this into topology as when i try is says the interface name must be unique? Do i just make up and interface name even tho it states it must match the operating system name exactly?

In topology we have:

q57w2k9 194.178.51.60 255.255.255.240 External

And i've tried to add:

q57w2k9 193.189.31.88 255.255.255.224 External


Thanks for any help,
Slash.

[MarioL]

On all operating systems (except windows I think) when you do this you get a virtual interface, which then gets properly imported by Check Point when you do "Get Topology".

Have you tried doing a "Get Topology" since you configured the new IP? Bear in mind that it clears the anti-spoofing config.

[slash85]

Hi MarioL,

Just tried this but it only picks up the orginal address not both or any kind of virtual interface.

Any other ideas?

Thanks,
Slash.

[MarioL]

Hi slash85,

Just re-read all of this. Do you have 2 routers from the same ISP? Or do you only have 2 lines or 2 address blocks?

If the later is the case you don't need to configure more external IP addresses, you can just add a route in your external router to send all the IPs on the new subnet to the firewall's external interface. This means you can then use all the addresses for NAT, etc... even the usual network and broadcast.

If you have 2 routers you could also theoretically use the same address space externally and just assign one of your old external IPs to that new router.

Can you describe a bit better what you want to obtain? I know I'm going out at a tangent here, but after reading it better I realized we might be trying to "fix" the wrong problem.

So I guess I'm kind of answering with questions, but...
Do you have specific restrictions on what you can do?
How many routers? How many lines? Apparently 2 dif. public IP subnets.
What is the ultimate goal?

[slash85]

Hi MarioL,

Yes there are two external routers from the same ISP which we have no control over all manged by them, both with different subnets. And yes we have two block of addresses the old and new.

Do you think that maybe the 2nd router is forwarding traffic to the original external FW IP(194.178.51.60) and not 193.189.31.88? Maybe speak to the ISP?

All in all the ultimate goal is to have both old and new IP range working through the one external interface on the FW.

Thanks,
Slash

[MarioL]

OK, cool.

Considering this is windows, what I'd go for:
- Leave FW with only 1 external IP
- Get provider to configure internal interface of new router with a free IP from the existing public range (old)
- Get provider to route all the new subnet to the FW's external IP
- Configure 2 ISP lines in the Topology ISP bit

You will need to configure some manuals NATs for the servers to respond by 2 dif public IPs and possibly some tricky routing if you want to use both lines.

To be honest, windows is not the ideal platform to make the best of the 2 lines, since it doesn't support source routing AFAIK.