Got CheckPoint Firewall S-Box 225 - problems configuring. 1

[chunky28]

We've been evaluating a CheckPoint NG software firewall for quite a while now and I managed to configure it successfully using support/advice from this forum so I hope someone might be able to help me.

Having evaluated it we have decided to purchase a CheckPoint Safe@Office 110 appliance (hardware firewall). I thought I might be able to use the same settings used in my current setup but I've run into problems.

CheckPoint have supplied us with an eval unit (Safe@Office 225 - I guess it's the same as the 110 we'll be purchasing).

The reseller should be able to help but I need to configure it ASAP.

My network is currently setup as follows:

ODBC (Network Object)
192.168.2.0/255.255.0.0
|
Internal: |
192.168.1.1 _ _ _ _ |
/255.255.0.0 | |
FIREWALL - - - - - - (Network Object)*
External: 192.168.0.0/255.255.0.0
193.xxx.xxx.232 |
/255.255.255.240 |
| Hosts
| 192.168.2.1-16/255.255.0.0
193.xxx.xxx.224
/255.255.255.240
|
|
Internet

This connects to my ISP via a router with the following settings:
(ISDN Connection) 193.195.222.225/255.255.255.240

I hope this makes sense.

This is what I've been trying with the hardware appliance:

Internet Tab:
---------------------------------------------------------
- Primary Connection (equivalent to External Firewall IP in above config?):
Connection Type: LAN
IP Address: 193.xxx.xxx.225
Subnet: 255.255.255.240
Gateway: 193.xxx.xxx.224
DNS Servers: As supplied by my ISP

- Secondary Connection (equivalent to Internal Firewall IP in above config?):
Connection Type: LAN
IP Address: 192.168.1.1
Subnet: 255.255.0.0
Gateway: 192.168.0.0 (Not sure waht this should be!)
DNS Servers: 192.168.2.9 and secondary supplied by ISP

My Network Tab (thought this would be equivalent to Network Object Above * i.e. 192.168.0.0/255.255.0.0)
------------------------------------------------------
DHCP Server: Disabled
Hide NAT: Enabled
LAN IP: 192.168.0.0
LAN Subnet Mask: It won't let me set this to 255.255.0.0 as above. What should this be?

What am I doing wrong?

I know there's alot of info here but I wanted to supply as much detail as possible.

Hopefully the reseller will be able to answer some questions tomorrow but for now Any help would be most appreciated!


Thanks

Charlie

 

[chunky28]

Forgot to mention.

I need to keep my internal subnet as 255.255.0.0 and keep the same IP addresses. Otherwise I would need to reinstall several machines which is not really an option. They have Oracle Collaboration Suite installed on them and their IP addresses cannot be changed.

Cheers

Charlie

 

[Piloria]

ok i will try and help but know nothing about checkpoint safe@office

if your secondary connection is for the internal lan and you only have one subnet then you dont need to set a gateway for it.

with the network tab you have NAT enabled where in this tab is the IP address you hide behind?

 

[chunky28]

Thanks. You may remember you helped me to get the previous firewall working. The url to this thread to give you more understanding of my requirements is:

thread32-662722 Default Gateway for the secondary 'Internet Setup' connection is a mandatory field.

Regarding the NAT - perhaps it would be a good idea to disable this for now.

Other tabs under the network settings are:

High Availability (if I had two sbox appliances - i.e. backup), Static NAT and Static Routes.

Thanks

Charlie

 

[chunky28]

You will see from the link to my previous thread that you suggested the following:

'yes if you are using 192.168.1.1 for the firewall and 192.168.2.x for your machines change all subnets to 255.255.0.0 (for the internal network only)'

you dont need a default gateway on the internal interface'

I am of course assuming that the 'My Network' tab IP details are the equivalent to this. But as I said the subnet 255.255.0.0 is not availbale in the drop down list. It is an option for the Internet Primary and Secondary Connection Subnet though.

Thanks again

Charlie

 

[Piloria]

what is the actual problem?
(appart from its not working)

from the data sheets i have found the 110 is a 10 user box and the 225 is a 25 user box. it is also slower bur in your set up more than fast enough.

i have found the getting started manual
when going through the initial config (internet connection) do you get a connection o the internet?

or what stage are you at?

 

[chunky28]

No I don't get a connection.

Both the Primary and Secondary Connection status displays 'Establishing Connection'

I initially followed the guide i.e. left the default settings on the SBox, configured my pc to connect to the SBox.

I then ran the setup wizard which strangely said no other configuration was required.

If I connect direct to the internet (ISDN) or go via a router, surely I need to add additional details.

Anyway I go through the setup wizard select LAN connection (connect directly to a lan or to a router) and it attempts to connect but I get a Connection timed out message.

Following this I went into the advanced setup and attempted to configure it using my exisitng setup values. So the Sbox was set to 193.xxx.xxx.231 (external) with the router as the gateway. This is obviouly already configured to access the web via my ISP.

Hope this makes things clearer.

Thanks again

Charlie

 

[Piloria]

If you connect directly (i.e. put a pc directly into the router) and can connect then you know this part is working.

In advanced settings
set as LAN
Hostname - what ever you wnat
MAC cloneing - ignore it
uncheck - obtain ipaddress (DHCP)
set ip as -
IP Address: 193.xxx.xxx.225
Subnet: 255.255.255.240
Gateway: 193.xxx.xxx.224
DNS - as supplied by your ISP
Apply

 

[Piloria]

sorry change ip address to 193.xxx.xxx.232

 

[chunky28]

sorry, i'm not really sure what you mean by connect directly.

I currently have the sbox connected to the router.

You are saying connect the pc to the router? so where does the sbox fit into this.

Sorry if it sounds a stupid question but I'm not sure what you mean.

I am only connecting my PC to the router in order to configure it.

I've tried changing the settings as suggested and attempted connection via the router and straight into the ISDN connection. But it still doesn't connect.

Best Regards

Charlie

 

[Piloria]

sorry iwas saying if you connect a pc to the router directly (ignore the firewall at this point)
this is just to test your router and isdn settings are working

from the router can you ping systems on the internet? i.e.

http://www.yahoo.com

does the router have its internal interfaces default gateway set as the firewall ip (193.xxx.xxx.232)

 

[chunky28]

My current setup with the software (checkpoint) firewall is working fine through the firewall. So I know the router and ISDN connection is configured correctly.

I assume therefore you mean I should change the IP settings on my PC to 193.xxx.xxx.232/255.255.255.240 with a gateway of 193.xxx.xxx.225 (I assume you mean .225 and not /224 as .255 is the IP of my router).

With these settings, yes it connects top the web ok.

Not sure about pinging from the router. It only allows me to put IP addresses.in. But I guess the above has proved my connection is fine.

Thanks once again

Charlie

 

[Piloria]

ok just eliminating the network as the problem

if you already have the existing firewall up and running what is its external ip address?
if you are setting up the new firewall and disconecting the old one then testing it you will find problems with ARP

if you are doing this then the best thing to do is disconnect your old firewall connect the new and reboot the router (clears its ARP table) then do your testing and see if it works.

i am not sure if you are trying to run your two firewalls in parallel in which case you will need change the internal gateway on the router to point at the new firewalls ip or if the two firewalls have the same ip in which case follow the instructions above.

 

[chunky28]

the exisiting firewalls IP address is: 193.xxx.xxx.232/255.255.255.240 with the router IP as the gateway i.e. 193.xxx.xxx.225

Right thanks I will reboot the router.

I am not trying to tun them in parallel. The SBox is going to replace the Software firewall.

I'm not sure about the internal gateway settings on the router. Will look into it now.

Thanks

Charlie

 

[Piloria]

if you are replacing the firewall and not running in parallel then you dont need to worry abount the router settings they will be right.
it will be set to .232 (old and new firewall address)

if you are disconnecting the old and putting in the new then the router will have the old firewalls MAC address in its ARP table so it will be assosiating .232 with the old MAC address and still trying to communicate with it. by rebooting the router it will clear the ARP table and refresh it with the new firewalls address

on a pc type "arp -a" and it will show you its current ARP table to get an idea

 

[chunky28]

that's great thanks!

Unfortunately I am not at the office now until wednesday. I would be extremely gratefull if you would look back at the thread then to check my progress. Many thanks!!

Charlie

 

[chunky28]

I've made progress now.

I can access the internet through the firewall but I am now attempting to setup my internal network with a subnet of 255.255.0.0

I can now select this subnet. The solution was to update the firmware.

I also rebooted the router as advised.

I am now attempting to enter the following internal IP details for the firewall:
IP: 192.168.1.1
Subnet: 255.255.0.0

But there are also fields for DMZ Network Settings.

If I enter the above IP details for the Lan network settings, I get the following message:

The LAN IP and the DMZ IP cannot overlap

I realise this is probably basic subnet stuff, but what can I set DMZ to to avoid this problem?

I'm not interested in configuring a DMZ at this point but it is mandatory. i.e. could someone tell me what to enter just to avoid this error.

Many thanks

Charlie

 

[Piloria]

you can use 10.x.x.x numbers for the DMZ - the DMZ is a seperate network that will be accessed via a seperate port on the box.

if you want to use 192.168.x.x for both then a useful site for working out subnets is

http://www.transtronics.com/reference/ip-subnetmasks.htm

but i would have your lan using
192.168.x.x 255.255.0.0
and the DMZ using 10.150.x.x 255.255.0.0 (or 10.x.x.x 255.0.0.0) 150 chosen for no perticular reason

 

[chunky28]

great - the firewall seems to be working as required now.

Usefull link too!!!

Many thanks!!!!