CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Second Public IP Range / Topology

  1. #1 (joined 2017-07-21, Duesseldorf, Germany)

    Second Public IP Range / Topology

    Hello all,

    I hope that somebody can help me in my case. I took a look in my documentation but I did not find the answer I need.

    I am running 2 CP 4800 in HA Cluster Mode. From our ISP we got a /28 range of IP addresses. This range is marked as external in the topology.

    We have now got an additional network from RIPE that I also want to connect to my cluster. Our ISP will do managed routing for the new network we got, so far so good. I want to place the new network on a physical interface, but I am not sure if that interface should be internal or external. In my idea I would choose internal, because the only external I have at the moment is the ISP. The users that go out to the internet are NATted behind the gateway. In future I would like to NAT special IPs behind the new public IP.

    So what topology should I use for the new network?

    Thanks for your help in advance
    Marco

  2. #2 (joined 2006-06-07)

    Re: Second Public IP Range / Topology

    If your ISP is routing the new subnet to the Cluster Address of your existing Public IP Range, then unless you are going to deploy Systems with an address in the new range (and I mean actual boxes or Virtual Machines, not simply using NAT into the /28), there is no need to deploy an Interface with the new range.

    You simply NAT traffic to an address in the new range and it will leave the Firewall with the address in the new range as the Source. Reply traffic is simply routed back to the Cluster External IP, where the traffic is looked at and matched against the policy. No need to worry about the ARP as such.

    If you are deploying Systems into the new range, then mark the Interface as Internal and then use the DMZ marker, so presuming your Threat Prevention Policy inspects External and DMZ, it would still be matched.

  3. #3 (joined 2007-03-30, DFW, TX)

    Re: Second Public IP Range / Topology

    The important thing to remember is that anti-spoofing is just the opposite of routing. Do you know what will be out this interface? If it is a short, defined list of things, you should probably define it as Internal. If it is an Internet connection or participating in dynamic routing such that the things "behind" it could change, I would use External.
    Zimmie

  4. #4 (joined 2017-07-21, Duesseldorf, Germany)

    Re: Second Public IP Range / Topology

    Thanks for the answers, so I have to give some more details. I wanted to use a new physical interface on the firewall to connect a switch where I have my blade servers connected. These will directly get the new public IP addresses; for these servers I do not want to use NAT.

    Additionally, I want to place a new proxy server in the EDMZ. This server should get a private address that will be NATted to one new public IP. I need this because between the Check Point and the ISP I have a web filter appliance that is working in transparent mode. All users are NATted by default behind the Check Point gateway, and I will use a new address to reach the web filter with another IP address so that I can build a second rulebase for another IP.

    So the public IP range will participate in the internet traffic but is not dynamically routed. I just have a default route to my ISP router and the ISP is routing my public IP range.

    So I can use the new interface with topology internal?

    BR
    Marco

  5. #5 (joined 2007-03-30, DFW, TX)

    Re: Second Public IP Range / Topology

    Quote (marco_d):
    > So I can use the new interface with topology internal?

    Based on what you've said, I would say yes, I would set the interface up as Internal.

    Keep in mind that by doing it this way instead of with NAT, you lose at least three addresses (the lowest for "network", the highest for broadcast, and one for the firewall interface).
    Zimmie
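To make the "anti-spoofing is the opposite of routing" rule from post #3 and the Internal-vs-External decision from post #5 concrete, here is an added toy model (not code from the thread or from Check Point). The interface names, the 10.0.0.0/24 LAN, the 203.0.113.0/28 "new RIPE range" and the 192.168.50.0/24 DMZ are constructed placeholders; a real gateway's anti-spoofing engine is considerably richer.

```python
# Added example, not from the thread or from Check Point: a toy model of the
# interface topology / anti-spoofing rule described in posts #3 and #5.
# Interface names and addresses are constructed; the real engine is richer.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Interface:
    name: str
    topology: str                      # "internal" or "external"
    behind: list = field(default_factory=list)  # networks declared behind it

def allowed_source(interfaces, ingress, src):
    """Anti-spoofing: may a packet with source `src` enter on `ingress`?

    Anti-spoofing is the inverse of routing. An Internal interface accepts
    only sources declared behind it; an External interface accepts anything
    NOT declared behind some Internal interface.
    """
    src = ip_address(src)
    iface = next(i for i in interfaces if i.name == ingress)
    if iface.topology == "internal":
        return any(src in ip_network(n) for n in iface.behind)
    claimed = [ip_network(n) for i in interfaces
               if i.topology == "internal" for n in i.behind]
    return not any(src in n for n in claimed)

# Constructed topology for the scenario in post #4: eth0 = ISP uplink with the
# existing /28 (External); eth1 = user LAN, NATted behind the cluster address;
# eth2 = new RIPE /28 on the blade servers, no NAT (Internal, as advised in #5);
# eth3 = DMZ with the proxy, private address NATted to one new public IP.
NEW_RANGE_INTERNAL = [
    Interface("eth0", "external"),
    Interface("eth1", "internal", ["10.0.0.0/24"]),
    Interface("eth2", "internal", ["203.0.113.0/28"]),
    Interface("eth3", "internal", ["192.168.50.0/24"]),
]

# The alternative the poster first considered: new range marked External. A
# blade server's address arriving on the ISP uplink is then accepted, because
# nothing declares 203.0.113.0/28 as being behind an Internal interface.
NEW_RANGE_EXTERNAL = [
    Interface("eth0", "external"),
    Interface("eth1", "internal", ["10.0.0.0/24"]),
    Interface("eth2", "external"),
    Interface("eth3", "internal", ["192.168.50.0/24"]),
]
```

With `NEW_RANGE_INTERNAL`, a blade-server source seen on eth0 is rejected as spoofed; with `NEW_RANGE_EXTERNAL` the same packet passes, which is the detection you give up by marking a short, defined range as External.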
