
Configuration Problem with Checkpoint NGX on a Nokia IP260


RegTellis

MIS
Jul 10, 2006
40
US
I am in the process of trying to configure a Nokia IP260 with Checkpoint NGX and find that I am unable to access the internet when the device is in place. Currently, I only have two interfaces set up: the external, which is the gateway, configured with the public I.P. of the firewall with the topology set as external (leading out to the internet), and a second interface configured with the internal LAN I.P., which is set to internal network defined by the interface I.P. and net mask. I am reasonably sure my Nodes/Networks are correctly configured, as I have worked with CP NG before, and as a test I have the rule base configured wide open so as to allow anything and everything, but I still cannot get out to the internet at all. I am not sure where the issue is. I am beginning to think it might not be in my Checkpoint config at all, but somewhere in the config of the Nokia itself, i.e. the Network Voyager application. Is there something I am missing? Does anyone have any experience with the Nokia IP260 and CP NGX? Any help, suggestions, or solutions would be greatly appreciated.
 
We're just now setting up our IP390... but have you checked your routing and default gateway? Maybe the inside doesn't know to route to the outside....
 
By that, I assume you mean the static route(s) set up on the Nokia itself by using Network Voyager? I did consider that possibility, but I am having a hard time finding some decent documentation on properly configuring static routes with this Voyager interface. I am more familiar with doing it from a command prompt. Are you guys going to use Voyager, or did you purchase Horizon Manager with yours?
 
Setting static routes in Voyager is pretty simple. I'm assuming you are running IPSO 4?

Log in using your browser, select Configuration, Routing, Static Routes. It should say Default route on this page. You will need to select the dropdown saying Gateway type and change this to Address. Then click Apply and you will be able to input your default gateway.

From the command line, it would be useful to try and ping the default gateway, and other external IPs, to make sure your routing/IP/subnet are all correct.

Stu
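The check Stu describes (default route present, gateway reachable on the external subnet, then ping it) as an added shell example, not from the thread. It parses a constructed `netstat -rn`-style table embedded in the script; the column layout and the 203.0.113.x addresses are assumptions, so adjust the awk fields if your IPSO output differs.

```shell
#!/bin/sh
# Added example: sanity-check the default route before reaching for the rule base.
# ROUTES is a constructed sample table, not real IPSO output.
ROUTES='Destination        Gateway        Flags  Refs  Use  Interface
default            203.0.113.1    UGS    0     0    eth1c0
127.0.0.1          127.0.0.1      UH     0     0    loop0c0
192.168.212.0/24   link#2         UC     0     0    eth2c0
203.0.113.0/29     link#1         UC     0     0    eth1c0'

# Print the default gateway address, or nothing if there is no default route.
default_gw() {
  printf '%s\n' "$ROUTES" | awk '$1 == "default" { print $2; exit }'
}

# Convert a dotted quad to an integer so a prefix mask can be applied.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if $1 and $2 share the same /$3 prefix, i.e. the gateway is
# directly reachable on that interface's subnet rather than behind a hop.
same_subnet() {
  n1=$(ip2int "$1"); n2=$(ip2int "$2")
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Full check for the external interface: $1 = its address, $2 = prefix length.
# Returns 0 when the default route looks usable, non-zero with a reason otherwise.
check_default_route() {
  gw=$(default_gw)
  [ -n "$gw" ] || { echo "no default route configured"; return 1; }
  same_subnet "$gw" "$1" "$2" || { echo "gateway $gw is not on the external subnet"; return 2; }
  echo "default gateway $gw looks right; next step: ping $gw, then an external IP"
}

check_default_route 203.0.113.2 29
```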
 
Thanks Stu. I had actually found some documentation early this morning and was going through that. I did take a look at that based on your instructions. From what I gather from looking at the static route in Voyager, it was already there. The gateway that is already in the field by default is the router I.P. address itself which I would think is what it should be since that is ultimately where I want my traffic to go if it doesn't exist on my network. I shouldn't need any additional static routes for a network with only one subnet.
 
Sounds like you have it right. Can you ping the default gateway from your firewall? Can you ping other external IPs from your firewall?

If you can, then the problem will more than likely be in your rule base. Are you using NAT?

Stu
 
Yes, I can ping the GW with no problem, and I am using NAT. I am using a 192.168.212.x internal network with an internal GW of .2, which is my first hop on a tracert. The next hop SHOULD be the external interface/internet, and I think the only thing I should be seeing after the 192.168.212.2 hop is the first hop AFTER the router, and so forth and so on until it gets to its destination.

My trial rule is set up as follows: Source: *any, Destination: *any, Service: *any, Action: accept and Log.

The strange thing about it is when I look at my logs, I don't see the traffic or even attempts I should be seeing going out, but I DO see traffic attempting and being allowed in.
 
So the firewall's IP is 192.168.212.2? It sounds like the machines behind the firewall don't have this as the default gateway.
Can you ping the firewall from the machines behind it?
 
Yes. I have three of the four NICs configured. eth1c0 is configured with the external I.P. address that the FW is going to go out on, eth2c0 is configured with my internal GW address and designated as "This Network", and the last one, eth3c0, which I am not using yet, will be my DMZ, with a 192.168.211.1 GW also designated as "This Network". I can indeed ping the FW from the I.P. addresses behind it, so I must be getting there, I would think.
 
Stu, just to let you know, there was something wrong in the initial install I did. I wiped the box and reloaded everything from scratch, and now my routes are taking and I can get traffic out to the internet. Thanks for all your help!
 
Reg: Glad you got that sorted out. Are you running the IP260 as flash-based or with a disk? I'm getting confused in our setup as to where SmartCenter is going to be....
 

My IP260 is the disk-based version. It has a 40 GB internal Fujitsu drive as well as 31 MB of internal flash. My IOS and policies are actually installed on the hard disk, but I have an external 1 GB Nokia Flash Storage PC Card that I got separately to export my policies to periodically in the event it ever decides to go belly up. I assume you have already telnetted into the Nokia via the serial port and have begun your installation via an FTP source? I actually found it easier to assign an I.P. address to the box, which would allow me to access Network Voyager so I could see exactly what I had before I began the install. Or have you done that already?
 
Actually, the packages were pre-installed, so all we had to do was connect via serial to assign an IP, then activate the package via Voyager. Ours is a flash-based IP390, so we're trying to understand how and where to set up SmartCenter to control licensing. Specifically, if SmartCenter is running on a server with an internal (private) IP, does that present any licensing issues, since CheckPoint usually wants a reachable address when activating a license?
 
You can "set up" SmartCenter wherever you want. Depending on the package you are running, i.e. NG, NGX Enterprise or Express, you can have multiple workstations that can interact with your box. Of course, only one admin has read/write access at a time. You just need to download the correct SmartCenter package for your system and install it. I have it installed on my primary desktop system as well as my laptop so that, if need be, I can access the SmartCenter GUI through SecureClient.

The most important thing is to plug in your I.P. addresses (or however you want to do it; you have different options) that you want to allow access to the box from when you run your initial cpconfig. If you are going to use I.P. addresses to restrict who can access the SmartCenter, you want to reserve those I.P.s by MAC address so your selected machines always get the same I.P. (unless you are using static, in which case it doesn't matter).

Inside the SmartCenter console, once you install it and have connected to the Nokia, you can start the SmartUpdate console and get to SmartUpdate in the Window dropdown. The license is physically installed on the Nokia, not the management console, so the Nokia WILL have to have the correct I.P. address of the firewall or else it will not attach. I just saved my Checkpoint license to a file and put my laptop and the Nokia on a separate hub completely off the network, so I could give it any I.P. I wanted, gave it the I.P. address of the production firewall, and attached the license.
 