New subnet issue?

[bstamper]

I currently have a checkpoint firewall that connects to a Cisco router that connects to a T-1. We have a /28 off that T-1 from Qwest right now. We're upgrading that T-1 to a bonded pair of T-1's and getting another subnet. So now I'll have the /28 and the /?? on the Fa0/0 on the router. So I’m adding a couple physical interfaces to the current checkpoint that will handle this subnet. So right now on the checkpoint the /28 exists on eth0 and eth1 is the LAN.

Going forward the /?? (new subnet) will exist on eth3 and a new dmz (private addressing) will be created on eth4 (3 and 4 the newly added interfaces). I'll need to static NAT from the /?? addresses to the dmz.

My question is how do I handle the default routing with the new /?? subnet on interface eth3. Right now the box has a default gateway for the current /28 tied to eth0 that sends traffic to the /28 interface on the Cisco router. I can't add another default gateway and tie it to the eth3 interface can I? It didn't appear that I could. My other thought is it will just work cause the dfgw is sending traffic to the same upstream router it needs to go to anyway. My only fear is that it wont come from the /?? Address its supposed to?

[melipla]

Quote:

My question is how do I handle the default routing with the new /?? subnet on interface eth3. Right now the box has a default gateway for the current /28 tied to eth0 that sends traffic to the /28 interface on the Cisco router. I can't add another default gateway and tie it to the eth3 interface can I?

You can tie another default route to an IP that's in eth3's subnet but the firewall will only use one default route so it won't work as you're expecting it to. Irregardless it'd be a "connected" network so really no route is needed, the firewall just knows that subnet exists out that interface.

Quote:

My other thought is it will just work cause the dfgw is sending traffic to the same upstream router it needs to go to anyway. My only fear is that it wont come from the /?? Address its supposed to?

It won't come from /?? address but that's the wonderful thing about routing--in most cases it doesn't have to.

I'm not the best at network design, but I'll tell you how I would do it and hopefully that will answer some of your questions.

Lets pretend 10.1.1.0/28 is the network block you got originally from your ISP [Qwest], you use it for your firewall/LAN because its a real IP and routable.
Fa0/0 IP: 10.1.1.14
Firewall IP: 10.1.1.1
LAN NAT IP: 10.1.1.2
Firewall default gateway: 10.1.1.14

Now you get a second IP space, lets say 10.1.1.16/28, from your ISP because you want to make a DMZ. Now you want the DMZ to hang off of your firewall, but to use private IPs, lets say 192.168.1.16/28 for your DMZ. To do that, I'd put a route on your cisco router that says:
ip route 10.1.1.16 255.255.255.248 10.1.1.1
The firewall will see the packet and say "I NAT this address" so it will use NAT rule 10 that says 10.1.1.18 is equal to 192.168.1.18. Once it NATs the IP the firewall will know it's directly attached to eth3 because eth3's IP is 192.168.1.17/28. To go through this in reverse, your DMZ machine wants to go to www.google.com, so 192.168.1.20 will route to its gateway of 192.168.1.17 which is the firewall. The firewall will NAT that to 10.1.1.20 and say www.google.com is out my default route which is 10.1.1.14. The cisco will then say www.google.com is out my default route which is the ISP's other side of the T1, etc etc.

It can be that simple.

There are things that can complicate this, like if your ISP wants your new bonded T1 to have this address space, generally transit networks (such as your T1) use different IP subnets. If you must use this subnet on your T1 interface then look at getting another /28 to use for your DMZ.

Basically what I'm saying is that you don't need to create a new connection between your cisco and firewall in order to route this network for your DMZ--you should be able to use the existing connection that's there.

[bstamper]

Quote:

Lets pretend 10.1.1.0/28 is the network block you got originally from your ISP [Qwest], you use it for your firewall/LAN because its a real IP and routable.
Fa0/0 IP: 10.1.1.14
Firewall IP: 10.1.1.1
LAN NAT IP: 10.1.1.2
Firewall default gateway: 10.1.1.14

I have a question on this? Why would my LAN NAT IP be in the same subnet as my External in the scinero above? Was that a typo?

So on my firewall I would have eth0 (external) and on this interface i'd have IP 10.1.1.1 with a dfgw of 10.1.1.14 (router). Assuming the above was a typo my lan would be 192.168.0.0/24 using dynamic nat to get out. This is the way things are right now I tihnk. When i get the other subnet your saying rather than house it on the router, route it to the firewall and put nat rules on to nat the 10.1.1.16/28 addresses from eth0 to eth3 where the 192.168.1.16/28 lives. In this scinero i'd use 3 physical interfaces:
eth0 would be external and house the 10.1.1.0/28 and the 10.1.1.16/28
eth1 would be the LAN the lan dynamically nated from 10.1.1.0/28
eth3 would be the DMZstaticly nated from 10.1.1.16/28 (eth0) and be 192.168.1.16/28?

Now on the way back out of the dmz the traffic would go from eth3 to eth0 interface and get sent via the dfgw to the router at 10.0.0.14. Yet it would appear its source address is from whatever 10.1.1.16/28 address.

This sounds great!! Hopefully i understood things correctly!! Things above may be redundant but i'm typing what i'm thinking. In this scinereo could i use 4 physical interfaces? I know i wouldn't need to but could i use:
eth0 10.1.1.0/28 as it is now
eth1 192.168.0.0/24 dynamic nat to lan
eth2 10.1.1.16/28 would be the new subnet
eth3 192.168.1.16/28 would be the nat dmz

If i did this would it have the same effect? Traffic would hit eth2 then use the dfgw from eth0 and head out to the router? There is a method to my madness. I'll hopefully be migrating away from everything that is eth0 and somewhat eth1 later on down the road.

I really do appreciate all of your help!!!

[melipla]

Quote:

I have a question on this? Why would my LAN NAT IP be in the same subnet as my External in the scinero above? Was that a typo?

Think of it as hide nat, instead of using the firewall's IP for hide nat you use a second one. Either way I was just using it as an example, it's not relevant to our discussion.

Quote:

So on my firewall I would have eth0 (external) and on this interface i'd have IP 10.1.1.1 with a dfgw of 10.1.1.14 (router). Assuming the above was a typo my lan would be 192.168.0.0/24 using dynamic nat to get out. This is the way things are right now I tihnk. When i get the other subnet your saying rather than house it on the router, route it to the firewall and put nat rules on to nat the 10.1.1.16/28 addresses from eth0 to eth3 where the 192.168.1.16/28 lives. In this scinero i'd use 3 physical interfaces:
eth0 would be external and house the 10.1.1.0/28 and the 10.1.1.16/28
eth1 would be the LAN the lan dynamically nated from 10.1.1.0/28
eth3 would be the DMZstaticly nated from 10.1.1.16/28 (eth0) and be 192.168.1.16/28?

Yes. If you were getting an extra network subnet this is how I would do it.

Quote:

Now on the way back out of the dmz the traffic would go from eth3 to eth0 interface and get sent via the dfgw to the router at 10.0.0.14. Yet it would appear its source address is from whatever 10.1.1.16/28 address.

The source address would be whatever you're nat'ing the eth3 private networks to, so yes.

Quote:

This sounds great!! Hopefully i understood things correctly!! Things above may be redundant but i'm typing what i'm thinking. In this scinereo could i use 4 physical interfaces? I know i wouldn't need to but could i use:
eth0 10.1.1.0/28 as it is now
eth1 192.168.0.0/24 dynamic nat to lan
eth2 10.1.1.16/28 would be the new subnet
eth3 192.168.1.16/28 would be the nat dmz

If i did this would it have the same effect? Traffic would hit eth2 then use the dfgw from eth0 and head out to the router? There is a method to my madness. I'll hopefully be migrating away from everything that is eth0 and somewhat eth1 later on down the road.

Yes, its essentially having a gateway with multiple external interfaces. You'd mark eth0 and eth2 as being "External" in the topology--I don't see why this wouldn't work. The only problem I could see is if your ISP is doing any type of anti-spoofing. If Qwest expects any traffic coming from eth0 to have a source IP of 10.1.1.0/28 and you start sending traffic out that port with source IP of 10.1.1.16/28 they may drop it. Just something to be aware of. If you're using the same ISP you can probably get them to allow it [if they are blocking it]. Otherwise you may have to use more advanced routing on the gateway to address this issue [like use SPLAT Pro].

HTH

[bstamper]

Thanks so much for all your help!! I'll be giving this a try soon!! I'll then post my findings.