| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| We (we'll call ourselves Company A) are currently running Checkpoint Firewall NG. Another company (call them Company B) has moved into our office and we want to put them on a different subnet. We are using 10.0.1.x and want to put Company B on 10.0.50.x. The IP address (interface) we are using for our CheckPoint Gateway is 10.0.1.2, and we also have a network defined for 10.0.1.0. To accommodate Company B, we added 10.0.50.1 as an additional interface on the CP Gateway, and have added a new network for 10.0.50.0. I added Company B's network to the Rule Base, verified it, and it checks out OK. In addition, pinging to 10.0.50.1 from our computers works fine. However, when we changed the IP addresses on Company B's servers using 10.0.50.x addresses, we were unable to ping 10.0.50.1. Likewise, sending a ping from the firewall to any Company B server was unsuccessful. However, pinging to 10.0.50.1 from our computers still works! Is there something I am missing or forgot to do? I thought that I would have to manually add a route to the routing table, but it looks like 10.0.50.0 is already in there. Any response would be greatly appreciated. |
| |||
| Thank you for the responses. We have temporarily placed all of Company B's servers and workstations on our subnet until we can figure out how to resolve this issue. I did go through our logs and I found an entry that had the message, "message_info: Address spoofing". Here are the details I found: Action - Drop; Protocol - UDP; Service - nbname (137); Source - 10.0.50.225; Destination - 10.0.50.255; Information - message_info: Address spoofing. This entry looks like it has something to do with a broadcast address. |
| |||
| You need to go into your Firewall Object's Topology page and make sure that the 10.0.50.1 interface is defined in the topology. If it is not, you should be able to click on "Get... > Interfaces" ("Get... > Interfaces with topology" will wipe out any anti-spoofing config you currently have, if any) and that will query the firewall for its interface names and IP addresses. Once you have each of the firewall's interfaces listed in the Topology section, you can configure anti-spoofing for each of the interfaces by double-clicking on the interface you want to edit. If the only network behind the 10.0.50.1 interface is the 10.0.50.x network, then you can just select "Network Defined by the interface IP and subnet mask"; if there are more networks behind that interface, you will need to create a group with those network objects in it, then select "Specific" in the Topology section and select the group you created. Hope this helps... __________________ ==================== Aaron Vivo CCSE Plus, CCMSE, NSA ==================== |
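
A simplified model of the per-interface anti-spoofing check described in the answer above, added here as an example; it is not code from the thread and not Check Point's implementation. The interface names `eth0`/`eth1`, the /24 masks, the 10.0.60.0/24 network and the rule that an interface missing from the topology accepts no sources are assumptions of the model.

```python
import ipaddress

# Simplified model of per-interface anti-spoofing (an illustration, not
# Check Point's implementation). Interface names and /24 masks are assumed.

def valid_sources(iface):
    """Networks accepted as packet sources on this interface.

    mode "by_interface": the network given by the interface IP and mask.
    mode "specific": an explicit group of networks behind the interface.
    """
    if iface["mode"] == "by_interface":
        return [ipaddress.ip_interface(iface["address"]).network]
    if iface["mode"] == "specific":
        return [ipaddress.ip_network(n) for n in iface["group"]]
    raise ValueError(f"unknown topology mode: {iface['mode']}")


def check_packet(topology, in_iface, src):
    """Return 'accept' or 'drop: Address spoofing' for a packet's source."""
    iface = topology.get(in_iface)
    if iface is None:
        # Assumption of this model: an interface with no topology entry
        # has no valid source networks, so everything on it is dropped.
        return "drop: Address spoofing"
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in valid_sources(iface)):
        return "accept"
    return "drop: Address spoofing"


# Constructed topologies. BEFORE: only the original interface is defined.
BEFORE = {"eth0": {"address": "10.0.1.2/24", "mode": "by_interface"}}
# AFTER: the new interface is listed with its own network.
AFTER = dict(BEFORE, eth1={"address": "10.0.50.1/24", "mode": "by_interface"})
# Variant with more than one network behind the new interface
# (10.0.60.0/24 is a made-up second network).
AFTER_GROUP = dict(BEFORE, eth1={
    "address": "10.0.50.1/24", "mode": "specific",
    "group": ["10.0.50.0/24", "10.0.60.0/24"],
})

if __name__ == "__main__":
    src = "10.0.50.225"  # source address from the logged drop
    for name, topo in (("before", BEFORE), ("after", AFTER), ("group", AFTER_GROUP)):
        print(name, "eth1:", check_packet(topo, "eth1", src))
    # A 10.0.50.x source arriving on the 10.0.1.x interface is also rejected.
    print("after eth0:", check_packet(AFTER, "eth0", src))
```
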