CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Second External IP Address Issues?

  1. #1
    Join Date
    2016-07-18
    Posts
    1
    Rep Power
    0

    Second External IP Address Issues?

    My client has a Safe@Office 500 and I need to set up a second external IP for the purpose of Exchange 2003 to 2010 migration.

    Currently I have set the new Exchange box up as a Network Object with a static NAT to the second IP address and opened 443 and 80.

    Initially I assigned the new external to the WAN port as a secondary IP with connection type LAN. The gateway responded to the external IP on a sporadic basis and I noticed on the status indication from the Network->Internet tab it would connect for a minute or two and then drop, sometimes show as reconnecting and eventually showing a permanent state of "Establishing Connection".

    I have now moved the secondary IP to the WAN2/DMZ port and I'm still seeing sporadic response and a status of always "Establishing Connection". By sporadic I mean very slow response from 443 using a browser; Telnet to 443 and 80 failing most but not all of the time; ping timing out most of the time.

    My question(s):

    1) Is what I'm trying to do even possible with this appliance or is the secondary IP really only designed as a failover from the primary?
    2) If this is doable am I doing it correctly or is there something I am missing?
    3) If I am doing this correctly could it be a problem with the IP address itself and I need to WTF the ISP?

    Thanks,

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,651
    Rep Power
    10

    Re: Second External IP Address Issues?

    Quote, originally posted by dolson1157:
    My client has a Safe@Office 500 and I need to set up a second external IP for the purpose of Exchange 2003 to 2010 migration.

    Currently I have set the new Exchange box up as a Network Object with a static NAT to the second IP address and opened 443 and 80.

    Initially I assigned the new external to the WAN port as a secondary IP with connection type LAN. The gateway responded to the external IP on a sporadic basis and I noticed on the status indication from the Network->Internet tab it would connect for a minute or two and then drop, sometimes show as reconnecting and eventually showing a permanent state of "Establishing Connection".

    I have now moved the secondary IP to the WAN2/DMZ port and I'm still seeing sporadic response and a status of always "Establishing Connection". By sporadic I mean very slow response from 443 using a browser; Telnet to 443 and 80 failing most but not all of the time; ping timing out most of the time.

    My question(s):

    1) Is what I'm trying to do even possible with this appliance or is the secondary IP really only designed as a failover from the primary?
    2) If this is doable am I doing it correctly or is there something I am missing?
    3) If I am doing this correctly could it be a problem with the IP address itself and I need to WTF the ISP?

    Thanks,

    Yeah, this is possible, but I don't think you're doing it correctly. You made the static NAT. I didn't catch if this was a manual NAT or automatic, or if it's a local policy only (not managed via SmartCenter). The next step depends on how things are set up.

    If it's automatic NAT, it should handle the proxy ARP magically.

    If it's manual NAT, you'll need to edit $FWDIR/conf/local.arp.
    The format is:
    IP MAC_ADDRESS

    Replace IP with the 2nd IP and MAC_ADDRESS with the MAC of the WAN interface (assuming this is the one you want to use).


    I'm assuming WAN has a static IP in this as well.
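
The manual-NAT step in the reply above, as an added example that is not part of the original thread or of Check Point's tooling: a shell helper that validates an "IP MAC_ADDRESS" line and adds it to a local.arp-style file without duplicating an entry or silently replacing one that points at a different MAC. The function names, return codes, and the sample IP and MAC are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate and idempotently add a proxy ARP line in the
# "IP MAC_ADDRESS" format from the reply. Names and return codes are
# hypothetical; the IP and MAC used below are constructed sample values.

# 0 if $1 is a dotted quad with every octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# 0 if $1 is six colon-separated hex octets.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# add_proxy_arp FILE IP MAC
#   0 = entry present after the call (added, or already there)
#   2 = IP or MAC is malformed, file untouched
#   3 = IP already mapped to a different MAC, file untouched
add_proxy_arp() {
    file=$1 ip=$2 mac=$3
    valid_ipv4 "$ip" && valid_mac "$mac" || return 2
    [ -f "$file" ] || : > "$file"
    # First MAC already recorded for this IP, lower-cased for comparison.
    existing=$(awk -v ip="$ip" '$1 == ip { print tolower($2); exit }' "$file")
    if [ -z "$existing" ]; then
        # A hand-edited file may lack a trailing newline; do not glue lines.
        [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ] && echo >> "$file"
        printf '%s %s\n' "$ip" "$mac" >> "$file"
        return 0
    fi
    [ "$existing" = "$(echo "$mac" | tr 'A-F' 'a-f')" ] && return 0
    return 3
}

# Demo on a scratch file (on a gateway the target would be
# $FWDIR/conf/local.arp, as named in the reply).
demo=$(mktemp)
add_proxy_arp "$demo" 203.0.113.10 02:00:5E:00:53:01 && cat "$demo"
rm -f "$demo"
```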
