
Checkpoint doesn't allow WAN and LAN on the same subnet?


leung (Programmer, US), Mar 11, 2002
Hi,

I am having a hard time setting up the Check Point firewall, and it looks to me that Check Point doesn't allow the WAN and LAN interfaces on the same subnet.

The WAN IP is aaa.aa.aaa.1, while the IPs of the web sites/servers are between aaa.aa.aaa.4 and aaa.aa.aaa.127. We were using a WatchGuard firewall, and I could configure it easily. However, I have trouble filling in the default gateway, WAN IP and LAN IP in the admin section of Check Point.

Please advise,

Thanks
Ricky
 
I don't quite understand what you're trying to do. The WAN IP is usually connected to the external gateway router/ISP connection, and web servers usually sit on the DMZ; these are two separate interfaces. What hardware are you using?
 
You're right that the WAN IP is connected to the external gateway. What happens is that our ISP does all the routing. They give us an external IP, which is aaa.aa.aaa.1, and the IPs from aaa.aa.aaa.4 to aaa.aa.aaa.127 are used for our servers/web sites. Therefore our default gateway is aaa.aa.aaa.1, but on the Check Point UTM Edge firewall you have to designate the IP for the WAN port and the LAN port and also the default gateway. I have a problem making it work, as it looks like the WAN and LAN IPs cannot be on the same subnet.

The WatchGuard router has the drop-in mode to allow me to do that, but Check Point is harder to configure.

By the way, it looks like you are a WatchGuard guy. For some reason, our existing WatchGuard firewall hangs sometimes (it doesn't respond, so we cannot connect to the interface), and we have to power-cycle it to get it back up. Do you have any idea what would cause this problem? Thanks.
 
So what you're saying is that aaa.aaa.aaa.1 is a /24? They usually make it a /30.

So, for talking's sake, you have 193.113.129.1 /24 and then 193.113.129.4 /24.

If so, I would do something like this: 193.113.129.1 /30,

193.113.129.0 /24. Anything below 4 would not be on the LAN.

But you normally have an RFC 1918 network as your LAN, and this is NAT'd to your WAN IP. Web servers are usually on the DMZ. If this is the case, cut the network that the ISP gave you up into smaller subnets; the default gateway for these smaller subnets would be the .1, but for the FW itself this would be the ISP router's IP.

What WatchGuard are you using, a Firebox 700? It sounds as if there is too much traffic going through the FW, or packets that are too large; check the traffic log.
 
But can the default gateway be the same as the IP of the WAN interface? The drop-in mode of the firewall allows that, but Check Point doesn't have such a mode.

We do not have NATing set up. We just set the rules for different protocols.

Our existing firewall is a WatchGuard Firebox II (WG1200). If what you said is right, then what should I do?
 
What CP hardware are you using?

For the WatchGuard, are you running the latest software version? If not, upgrade to the latest version. If you are running the latest version, look at the traffic log when the outage happens and see what traffic is being passed; usually, if someone is doing a large email shot to many recipients, this can cause a block in the FW.
 
The CP hardware that I'm trying to set up is a Check Point VPN-1 UTM Edge.

We no longer have the support subscription, so we cannot upgrade, and we're running Firebox System Manager 7.0.

If the email shot is the cause, how would I prevent that?
 
I believe you're looking for transparent firewall capabilities. I do not believe Check Point supports this. The best alternative I could think of would be to do static translations from the external public IPs to private RFC 1918 space internally; this would require re-IPing your servers.


BuckWeet
 
Hi, as BuckWeet says, you can't do drop-in mode with the CP, so if you have a UTM Edge device you should have a WAN port, a DMZ port and at least 4 LAN ports.

This device also does static & Hide NAT. As before, I would divide the subnet that the ISP has given you into usable subnets, i.e. WAN on aaa.aaa.aaa.1 /30,

DMZ on aaa.aaa.aaa.8 /27,

LAN: use RFC 1918 address space; the LAN interface address would be something like 10.100.100.1 /24, and Hide behind the .1 address for access to the outside world.

When issuing IPs to the devices on each segment, the default gateway would be the interface IP for that segment, i.e. 10.100.100.200 would have a DG of 10.100.100.1, and devices on the DMZ would use the .8 address.

The default gateway for the FW would be the next hop of the WAN port. You might need to clarify with your ISP what the router address is that you connect to; this should be in the same subnet as the WAN port.

This device is like many other small FWs: it comes with a default setting where the LAN IP is 192.168.10.1, so it must do NAT.

Log onto the Check Point site and look up sk30497.

Your WG SMTP issue can be helped by setting limits on the SMTP proxy in the WG admin settings.
 
One final thought: your ISP might want you to use a totally different IP for the WAN port, other than an IP in the aaa.aaa.aaa.X range. In this case you could use this subnet for the LAN or the DMZ, but I think your issue is setting up static NAT to the web servers. In this case you would need to assign static NAT for them, and you may need more external addresses from your ISP to create the static NAT to the aaa.aaa.aaa. range; I don't know if the Edge device can do a NAT-pool setup.
 
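As an added example (not code from the thread, and not a Check Point tool), here is the carve-up suggested in the last two replies worked through with Python's ipaddress module: a /30 for the WAN link, an aligned /27 for the DMZ, RFC 1918 on the LAN hidden behind the WAN address, the remaining public addresses kept for static NAT to the re-addressed web servers, and a check that rejects the original layout (WAN and LAN on one subnet, default gateway equal to the WAN IP) the way a routed firewall does. The addresses are assumptions: 203.0.113.0/24 (RFC 5737 documentation space) stands in for the ISP's aaa.aaa.aaa.0/24, the ISP router is taken to be .1 and the firewall's WAN interface .2, and the two web servers are hypothetical. A /27 must start on a 32-address boundary, so the example uses .32/27 rather than the ".8 /27" mentioned above; the ISP also has to route the carved block to the firewall's WAN address, which is the thing to confirm with them.

```python
import ipaddress

# Added example, not code from the thread. 203.0.113.0/24 (an RFC 5737
# documentation range) stands in for the aaa.aaa.aaa.0/24 block the ISP
# assigned; 10.100.100.0/24 is the RFC 1918 LAN space the replies suggest.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/24")
LAN_BLOCK = ipaddress.ip_network("10.100.100.0/24")
# Assumed (hypothetical hosts): the web servers are re-addressed into the LAN
# but keep their old public addresses through static NAT, so DNS is unchanged.
WEB_SERVERS = {"10.100.100.4": "203.0.113.4", "10.100.100.5": "203.0.113.5"}


def carve_plan(isp_block=ISP_BLOCK, lan_block=LAN_BLOCK, static_nat=WEB_SERVERS):
    """Split the ISP block as the replies suggest: a /30 for the WAN link, an
    aligned /27 for the DMZ, RFC 1918 for the LAN (hidden behind the WAN IP),
    and the leftover public addresses kept for static NAT."""
    wan = next(isp_block.subnets(new_prefix=30))         # 203.0.113.0/30
    isp_router, fw_wan = list(wan.hosts())                # .1 = ISP router (assumed), .2 = firewall
    # A /27 has to start on a 32-address boundary, so ".8 /27" is not a valid
    # block; take the first /27 that does not overlap the WAN /30.
    dmz = next(s for s in isp_block.subnets(new_prefix=27) if not s.overlaps(wan))
    return {
        "public": isp_block,
        "wan": {"net": wan, "fw_ip": fw_wan, "gateway": isp_router},
        "dmz": {"net": dmz, "fw_ip": next(dmz.hosts())},              # .33 is the DMZ gateway
        "lan": {"net": lan_block, "fw_ip": next(lan_block.hosts())},  # 10.100.100.1
        "hide_nat": fw_wan,                                           # LAN hides behind the WAN IP
        "static_nat": {ipaddress.ip_address(p): ipaddress.ip_address(q)
                       for p, q in static_nat.items()},
    }


def validate_plan(plan):
    """Return the list of things a routed firewall will reject (empty when the
    plan is consistent): overlapping segments, an interface outside its own
    subnet, a default gateway off the WAN subnet or equal to the WAN IP, and
    static NAT addresses that are not free public addresses."""
    problems = []
    segments = {k: v for k, v in plan.items() if isinstance(v, dict) and "net" in v}
    names = list(segments)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if segments[a]["net"].overlaps(segments[b]["net"]):
                problems.append(f"{a} {segments[a]['net']} overlaps {b} {segments[b]['net']}")
    for name, seg in segments.items():
        if seg["fw_ip"] not in seg["net"]:
            problems.append(f"{name} interface {seg['fw_ip']} is outside {seg['net']}")
    gw = plan["wan"]["gateway"]
    if gw not in plan["wan"]["net"]:
        problems.append(f"default gateway {gw} is not on the WAN subnet {plan['wan']['net']}")
    elif gw == plan["wan"]["fw_ip"]:
        problems.append("default gateway equals the WAN interface IP; it must be the ISP router")
    reserved = [plan["wan"]["net"]] + ([plan["dmz"]["net"]] if "dmz" in plan else [])
    used = set()
    for private, public in plan["static_nat"].items():
        if private not in plan["lan"]["net"]:
            problems.append(f"static NAT target {private} is not on the LAN")
        if public not in plan["public"] or any(public in r for r in reserved):
            problems.append(f"public {public} is not a free address in the ISP block")
        if public in used:
            problems.append(f"public {public} is mapped twice")
        used.add(public)
    return problems


def default_gateway_for(plan, host):
    """Default gateway to hand a device: the firewall interface on its segment."""
    host = ipaddress.ip_address(host)
    for name in ("dmz", "lan"):
        if host in plan[name]["net"]:
            return plan[name]["fw_ip"]
    raise ValueError(f"{host} is on no firewall segment")


def op_attempt():
    """The layout the original poster tried: WAN .1 and the servers (.4-.127)
    on the same /24, default gateway equal to the WAN IP. Only a drop-in
    (transparent) mode can do this; validate_plan() reports why a routed
    firewall cannot."""
    one = ipaddress.ip_address("203.0.113.1")
    return {
        "public": ISP_BLOCK,
        "wan": {"net": ISP_BLOCK, "fw_ip": one, "gateway": one},
        "lan": {"net": ISP_BLOCK, "fw_ip": one},
        "static_nat": {},
    }


if __name__ == "__main__":
    plan = carve_plan()
    for name in ("wan", "dmz", "lan"):
        print(f"{name}: {plan[name]['net']}  firewall interface {plan[name]['fw_ip']}")
    print("hide NAT behind:", plan["hide_nat"])
    print("carved plan problems:", validate_plan(plan))
    print("original layout problems:", validate_plan(op_attempt()))
```

Run stand-alone it prints the three segments and shows the carved plan passing every check while the original single-subnet layout fails two of them (WAN/LAN overlap and gateway equal to the WAN IP). The remaining public addresses (.4 to .31 and .64 up) are what the static NAT entries for the web servers draw on, which is why the last reply asks whether more external addresses are needed.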
Thanks both... I'll check with the ISP if they can do anything for us. Thanks.
 