CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all, We have a customer with a VLAN and subnet behind our Check Point firewalls (VPN-1 Pro Gateway NGX R60_2 in HA mode). They have now outgrown their assigned subnet and want another. For billing purposes and preservation of VLANs (we run a reasonably large internal network), we want to just put the secondary subnet on the same VLAN as they are currently using. I have logged onto the firewalls and configured a secondary IP address for the VLAN; however, in SmartDashboard I am unable to retrieve the topology for the secondary interfaces, and therefore cannot add the cluster interface. I have read in other posts that this is the expected behavior. Therefore my question is, how do I add the cluster address for the secondary interface? I also understand that I will come up against some anti-spoofing issues in this configuration. Currently our anti-spoofing is based upon topology. I would rather not manually define every network behind the firewall. Is there any way of achieving what I want?

What platform are you on? I have done this on a Nokia before, so it is possible on a Nokia: just manually configured the VRRP and then manual NAT using the cluster IP address. I didn't actually define a cluster address in the object. I needed to add the cluster interface manually into the VRRP rule as well to make that work. I was, however, only routing via that additional subnet; I did not do anything where it actually needed to talk to the firewall or VPN. You need to manually configure the anti-spoofing for that VLAN interface, however, as topology update will not retrieve anything other than the first interface, as you are aware. This forces you to either manually configure the anti-spoofing or make sure that you only use 1 IP address for an interface. You can still get the other interfaces using "get interfaces with topology"; you just need to manually do the one interface.

Thanks for your response. The platform is SPLAT. I have tried to manually add the cluster IP and secondary IP information into the topology for the cluster. However, when I use the Get Topology button it removes my manual entries. I'm not sure how else I could configure the VRRP manually as you suggested. My issue sounds similar to this [fw1-gurus] SPLAT & multi ips/subnets per interface? which also makes it sound like there are some differences in how this is achieved (if possible) on SPLAT vs the Nokia platform.

I don't actually define another interface on the Cluster object. In the topology where you specify what is behind that interface, you ensure that it includes the secondary subnet. That needs to be done manually, i.e. you find the interface for the VLAN that the customer is assigned and, instead of having the topology as defined by interface IP and subnet mask, you define it as "specific" and then create a group that contains a network object for the original main IP subnet as well as a network object for the secondary IP subnet. The anti-spoofing for the interface is thus seen as a group that has both IP subnets included in it.

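The topology-based anti-spoofing decision described in the reply above, modelled as an added Python example (not Check Point code and not posted by anyone in this thread). It assumes the Check Point behaviour the thread describes: an internal interface accepts only sources inside its topology, which is either derived from the interface IP and mask or set to a "specific" group of network objects, and the external interface rejects sources that belong behind an internal interface. All interface names and addresses are constructed.

```python
"""Model of per-interface anti-spoofing with an "interface IP/mask" topology
versus a "specific" group topology. Constructed example, not Check Point code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network


@dataclass
class Iface:
    name: str
    ip: str                      # interface address in CIDR form, e.g. "10.10.1.1/24"
    external: bool = False       # the "External" choice in the topology tab
    specific: List[IPv4Net] = field(default_factory=list)  # "Specific": group of networks

    def behind(self) -> List[IPv4Net]:
        """Networks legitimately behind this interface. An empty 'specific'
        list means 'Network defined by the interface IP and Net Mask'."""
        return self.specific or [ipaddress.ip_interface(self.ip).network]


class Gateway:
    def __init__(self, ifaces: List[Iface]):
        self.ifaces: Dict[str, Iface] = {i.name: i for i in ifaces}

    def antispoof(self, in_if: str, src: str) -> str:
        """Return 'accept' or 'drop' for a packet with source src arriving on in_if."""
        addr = ipaddress.ip_address(src)
        iface = self.ifaces[in_if]
        if iface.external:
            # A source that belongs behind any internal interface must not
            # arrive from the outside.
            behind_internal = any(addr in net
                                  for i in self.ifaces.values() if not i.external
                                  for net in i.behind())
            return "drop" if behind_internal else "accept"
        return "accept" if any(addr in net for net in iface.behind()) else "drop"


def demo() -> Dict[str, str]:
    """Constructed addressing: customer VLAN with primary 10.10.1.0/24 and
    secondary 10.10.2.0/24 on the same interface, a second VLAN 10.10.3.0/24,
    and an external interface on 198.51.100.0/24."""
    both_subnets = [ipaddress.ip_network("10.10.1.0/24"),
                    ipaddress.ip_network("10.10.2.0/24")]
    # Before: topology of the customer VLAN taken from interface IP/mask only.
    before = Gateway([
        Iface("eth0", "198.51.100.2/24", external=True),
        Iface("eth1.100", "10.10.1.1/24"),
        Iface("eth1.200", "10.10.3.1/24"),
    ])
    # After: topology set to "specific" with a group holding both network objects.
    after = Gateway([
        Iface("eth0", "198.51.100.2/24", external=True),
        Iface("eth1.100", "10.10.1.1/24", specific=both_subnets),
        Iface("eth1.200", "10.10.3.1/24"),
    ])
    return {
        "before_primary": before.antispoof("eth1.100", "10.10.1.25"),
        "before_secondary": before.antispoof("eth1.100", "10.10.2.25"),   # legitimate traffic dropped
        "before_secondary_ext": before.antispoof("eth0", "10.10.2.25"),   # unknown net looks external
        "after_secondary": after.antispoof("eth1.100", "10.10.2.25"),
        "after_secondary_ext": after.antispoof("eth0", "10.10.2.25"),     # now caught as spoofed
        "after_cross_vlan": after.antispoof("eth1.100", "10.10.3.5"),     # other VLAN's subnet
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
```

The "before" rows show the two sides of leaving the secondary subnet out of the topology: the customer's own traffic from that subnet is dropped as spoofed on its VLAN interface, while the same source addresses are accepted when they arrive on the external interface, because nothing claims them as internal. Putting both network objects in the "specific" group fixes both at once.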
I have a question along the same lines. I am running R62 on IPSO 4.1. I have already created the separate networks and the group that contains both subnet pairs. The problem I run into is when I go to edit the cluster topology I don't see a place where I can define the group. In the cluster environment I would also need to define a second IP address for both firewalls in the second subnet pair, and I can't seem to do that either. Can you provide me with a push in the right direction?

On a cluster it depends upon whether your topology settings are still defined per member or on the cluster. By this I mean in the topology section you go to Edit, and you have the list of interfaces with the cluster IP, followed by member1, followed by member2. Select the cluster IP address, right-click, Edit Interface, and you may see a Topology tab; if so you can set the group as what is behind the interface. If there is no Topology tab then you will need to do this on the members' IP addresses instead.