
Problems Configuring New Firewall 1

Status
Not open for further replies.

chunky28 (Technical User, GB), Apr 14, 2003
Hello

We have recently purchased Check Point's (NG) VPN-1/FireWall-1 and I am responsible for installing and configuring it.

I have followed the setup instructions but I am still unable to get it working. There is one thing I am not sure of... where does the Router fit in?

This is my setup...:

I have a small LAN (approx 15 boxes) which up until now has been connected to the internet using an ISDN Router (Netgear RT338).

This has been working fine.

I now have a new box (XP Professional) with 2 interface cards (Both D-Link DFE-530TX). I have installed the CheckPoint Software on this machine.

The network cable from the External interface is plugged into the router, which then plugs into the ISDN telephone point. The other, Internal, interface is connected to our switch, which all the other PCs in the network are connected to.

The Router, every PC and both interface cards in the Firewall machine have a fixed IP address and all are on the same subnet.

The problem is, the Firewall's external interface card (connected to the router) is shown as unplugged when connected to the router.

Could someone please advise what I am doing wrong?

Furthermore, what should the Network IP address be in the Firewall Configuration?

I have the following IP address range:
193.xxx.xxx.224-193.xxx.xxx.239

224 and 239 are held by my ISP (Demon)

My router IP address is 193.xxx.xxx.225
My Firewall IP addresses are 193.xxx.xxx.232 (External) and 193.xxx.xxx.233 (Internal)

When I followed the Check Point configuration steps it said I had to create a network and assign an IP address to it. It automatically assigned it 193.xxx.xxx.224 (the first IP address in my range). But this is held by my ISP as they hold an IP address at either end of our range.

Thank you in advance for any help with this.

Charlie
 
basic question
is the connection from the PC to the router a direct connection or via a hub?
if you have a direct connection and the PC is showing no connection it may be that you are using a straight-through cable and not a crossover cable.
 
as for your IP addresses
you have been given a range by your ISP
193.xxx.xxx.224 - 239
presume with a subnet of 255.255.255.240
.224 and .239 are broadcast addresses and can't be used.
If your router is .225 and your external firewall is .232 that is fine but I would STRONGLY recommend you use a reserved internal IP address range
192.168.x.x
or 10.x.x.x
then using NAT (network address translation) for any machines needing a valid IP address (mail server or PCs for browsing)
I would never have internal machines using valid IP addresses
so your internal interface should be
192.168.1.1 mask 255.255.0.0 (a bit large for 16 machines but you will thank me in years to come)

when you create a network object for your internal network give it the address
192.168.0.0 mask 255.255.0.0
then in the NAT settings use 193.x.x.231 (use hide)
this will allow all internal machines to browse via the one IP address - this is a lot safer and a lot more economical on IP addresses

if you have a mail server that requires a fixed IP address
create a normal node
give it its internal IP address (192.168.1.5)
and give it a NAT (Static) of 193.x.x.230

all your internal machines can then use the network segment (PCs 192.168.2.1, 2, 3, 4, 5)
 
Hi, thanks for the advice.

I have tried the connection with a switch and it still doesn't work. But yes, you are right, I was connecting the external firewall interface to the router directly. So I guess I need a crossover cable. Would you suggest using a crossover cable or a switch/hub in between?

Regarding the IP addresses. Unfortunately I experienced many problems setting up the network in the first place when I attempted to use a reserved internal IP range. I am new to all this; I am having to install our entire network and configure everything using books, the web and various support forums...

Unfortunately, I currently have Oracle software (Oracle Collaboration Suite, Designer, Developer etc.) installed on the PCs which require fixed IP addresses, and these cannot be changed now without re-installing and configuring them again (not an option).

I understand it is better to have a reserved internal IP address range but I must keep the existing IP addresses. Can I set Check Point up using this fixed IP address range?

Thanks again for your help.

Best Regards

Charlie
 
Your main problem is you only have 14 IP addresses, therefore you can only have 14 machines in your network (including 2 for the firewall and one for the router - 11 machines)
you can then never grow outside this without vast complications.

I can't stress this strongly enough. using valid IP addresses is a VERY dangerous option. it opens up all kinds of holes.
Also as a small piece of advice try and find a way round this - we started off on a small network a while ago (8 years) with valid IP addresses; what would have taken a few days to fix back then in the end took us 3 months to correct later on, as the network grew.

You haven't stated what IP addresses you have used for the PCs.

for the router connection - the choice is yours. occasionally it is useful to add machines outside your firewall to do some testing (never leave them there) in which case a hub/switch is best but for simple networks a crossover is best.

As for your IP problem there are fudges that can be used to get round this problem but I can guarantee they will come back and bite you in the next few months/years

If you insist on taking this route I can help, just let me know what addresses you have used for the PCs and any masks used.
one possibility is to create a 3rd segment on the firewall using a private range (192.168.x.x) then move the machines over one at a time using the firewall as a gateway between networks
 
Hi

Unfortunately, yes, I will have to stick with the public IP addresses. I've just been looking through my notes to find out why I had to use these... But I can't find the relevant notes... still looking though!

BUT there was a very good reason for this!

Do you know of any reason why this might be the case?

Anyway, we are only a small software development company and shouldn't need any more PCs on this network in the near future. Should we need to expand, the Oracle Collaboration Suite machines will just have to be reconfigured!

I don't mean to ask a simple/stupid question, but why is it very dangerous?

Is it safe to include the exact IP addresses on a forum thread?

Thanks again

Charlie
 
I would always miss out as much of the IP detail as you can (or lie, just make sure the logic is there)
i.e. if your IP address is
193.122.111.1
use
195.100.123.1 - the actual IP address isn't important, just its structure

I just need to get an idea of where your PCs' addresses fit into the IP range for the firewall and the router, then I can recommend how to address the router/firewall (External) and segregate them from the PCs and the internal interface

as you need to be able to create a network for internal machines that is separate from the IP addresses required for the firewall (External) and the router, this may be possible using subnets
then again it may not and we will have to look at an alternate method

Notes for later :-

If the machines have a requirement to connect to the internet the firewall can deliver this change (through NAT) but as I said we can come back to this later using a 3rd interface (create 2 internal networks)
193.xxx.xxx.0
and 192.168.x.0

then have routing between the 2 networks so they can see each other with
Any any any accept rules (between the internal networks only)

then when you move one machine to the new network all your other machines will continue to work (this way you can do it one at a time)
 
Not quite sure what you mean by the following:
'one possibility is to create a 3rd segment on the firewall using a private range (192.168.x.x) then move the machines over one at a time using the firewall as a gateway between networks'

I don't know if you know about Oracle Collaboration Suite. But it is Oracle's complete communications solution (email, calendar, voicemail, files etc.) and it requires the IP addresses during installation. These cannot be changed after installation.

This is installed across three boxes on our network. So I do not think it will be possible to change these.

Thanks again

Charlie
 
Router IP address: 195.100.123.1
PC 1: 195.100.123.2 (domain controller including DNS Server)
PC 2: 195.100.123.3
PC 3: 195.100.123.4
PC 4: 195.100.123.5
PC 5: 195.100.123.6 (Website hosted on this box)
PC 6: 195.100.123.7
(Firewall External) PC 7: 195.100.123.8
(Firewall Internal) PC 7: 195.100.123.9
PC 8: 195.100.123.10
PC 9: 195.100.123.11
PC 10: 195.100.123.12
PC 11: 195.100.123.13 (Mailserver)
PC 12: 195.100.123.14
PC 13: 195.100.123.15

Is this what you mean?

Thanks again, it is most appreciated!!!

Charlie
 
sorry I have been jumping about a bit - trying to answer your current problem and also finding ways out of it.

I have never used Oracle so can't comment on its install, but I would assume that it needs 3 fixed IP addresses. If one of these machines will require to connect to the internet for mail, then prior to your firewall you required it to have a valid public IP address.

If this is the case this is going to be very hard work.

I need to know the IP addresses (not exact, but if they are in the range 193.x.x.224 - 239, their last number)

from this I can find out if we can create a small subnet using these addresses that we can separate from the external IP addresses.

the problem you are going to have is running out of IP addresses: you have 14 boxes in your LAN but only 11 free IP addresses after allocating router and firewall addresses.

as for adding interfaces to your firewall, this is adding a 3rd network card

having an external area (router and firewall external)

having a reserved area (Internal) for fixed IP machines (Oracle)

having a private area (Internal) for all machines that don't require a fixed IP

then routing between the 2 internal networks can be established using the firewall as a gateway (with appropriate rules)

this will allow machines that can move their IP, and new machines, to be in an open and much larger network

and at a later date if you ever have to do a reinstall or update somewhere to put the machines that are currently using public addresses.

so if you can give me the IP addresses of the fixed machines I can then see if we can subnet them off

internet (193.x.x.225)
|
|
(193.x.x.226)
Firewall-------- Fixed IP machines (193.x.x.233, 234, 235)
(192.168.1.1)
|
|
Non-fixed machines (192.168.2.1, 2, 3, 4, 5, 6)

this would be an example of the setup
with the non-fixed machines having a default route to the firewall but knowing that for the Oracle servers to go to the 193.x.x.232-239 network (using a subnet mask to isolate 2 subnets from your 16 IP addresses)

But this depends on the IP addresses of the fixed servers as we can create 2 subnets
193.x.x.224-231 255.255.255.248 (allows 225-230 valid)
193.x.x.232-239 255.255.255.248 (allows 233-238 valid)

one used for external and one used internally (much as I don't like it)

 
193.xxx.xxx.225 Router

193.xxx.xxx.226
Domain Controller + Collaboration Suite Storage
- Must be fixed

193.xxx.xxx.227
Oracle9iAS DB
Must be fixed

193.xxx.xxx.230
Oracle9iAS (Portal website hosted here)
Must be fixed

193.xxx.xxx.234
Collaboration Suite Infrastructure
Must be fixed

193.xxx.xxx.237
Collaboration Suite Middle Tier (Mail server etc)
Must be fixed

In the near future (next few months) I will no longer need 227 and 230 as the Portal website will be configured on 234 and 237.

The Firewall machine interfaces are using 193.xxx.xxx.232 and 193.xxx.xxx.233. There is also an additional on-board LAN interface (i.e. a spare Network interface) on the firewall machine.

Let me know if you require more info.

Thanks

Charlie
 
ok that blows my idea out the water (your fixed IPs go across the 2 subnets)

the interface problem can be addressed via 2 IP addresses on one card, supported in XP

Your problem is separating your external LAN from your internal LAN,
as they both require the same IP address range.

this is messy.

let me think about it for a while (I am off home now and won't be back until tomorrow)

I am assuming you have no firewall between your current machines and the internet at the moment.

I can't see a way round this except to reinstall the Oracle machines.

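The subnet arithmetic behind this exchange (the /28 block from the opening question, the auto-assigned .224 that Check Point picked as the network address, the reserved-range advice in the first reply, and the two-/29 split proposed two posts up that the fixed-host list has just ruled out), as an added worked example that is not part of the thread: a short Python script built on the standard library's ipaddress module. The 193.0.2.x prefix, the host lists and the function names are constructed stand-ins for the masked 193.xxx.xxx.N addresses above, not anything from the thread.

```python
import ipaddress

# Constructed stand-in for the ISP block discussed in the thread
# (193.xxx.xxx.224-239, mask 255.255.255.240); the second and third
# octets are placeholders, not the poster's real prefix.
ISP_BLOCK = "193.0.2.224/28"

# Addresses the poster says must stay fixed (the Oracle boxes), plus the
# router and firewall interfaces, on the same placeholder prefix.
ROUTER = "193.0.2.225"
FIREWALL_IFACES = ["193.0.2.232", "193.0.2.233"]
FIXED_HOSTS = ["193.0.2.226", "193.0.2.227", "193.0.2.230",
               "193.0.2.234", "193.0.2.237"]


def block_summary(net) -> dict:
    """Network, broadcast, mask and usable host range of a CIDR block."""
    net = ipaddress.ip_network(str(net))
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def is_usable_host(net, addr: str) -> bool:
    """True if addr lies inside net and is neither its network nor broadcast address."""
    net = ipaddress.ip_network(str(net))
    a = ipaddress.ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


def subnet_plan(net, fixed_hosts, new_prefix: int = 29) -> dict:
    """Split net into /new_prefix subnets and record where each fixed host lands.

    The split proposed in the thread only works if every fixed host falls
    into the same subnet, leaving the other subnet free for the far side
    of the firewall.
    """
    net = ipaddress.ip_network(str(net))
    addrs = [ipaddress.ip_address(h) for h in fixed_hosts]
    placement = {}
    for sub in net.subnets(new_prefix=new_prefix):
        placement[str(sub)] = [str(a) for a in addrs if a in sub]
    occupied = [s for s, hs in placement.items() if hs]
    return {"placement": placement, "single_subnet": len(occupied) == 1}


def classify(addrs) -> dict:
    """Label each address 'private' (RFC 1918 or other reserved space) or 'public'."""
    return {a: "private" if ipaddress.ip_address(a).is_private else "public"
            for a in addrs}


if __name__ == "__main__":
    print("ISP block:", block_summary(ISP_BLOCK))
    print(".224 usable as a host?", is_usable_host(ISP_BLOCK, "193.0.2.224"))
    for sub in ipaddress.ip_network(ISP_BLOCK).subnets(new_prefix=29):
        print(sub, block_summary(sub))
    plan = subnet_plan(ISP_BLOCK, FIXED_HOSTS)
    print("fixed hosts fit in one /29?", plan["single_subnet"], plan["placement"])
    print(classify(["192.168.1.1", "10.0.0.1", ROUTER]))
```

Run as a script it prints the /28 summary (.224 network, .239 broadcast, 14 usable hosts), confirms that .224 is not a host address, lists the two /29 halves with their usable ranges (.225-.230 and .233-.238), and reports that the constructed fixed hosts straddle both halves, which is exactly the dead end the reply above describes. Any candidate address plan can be checked the same way before touching the firewall objects.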
 
OK thanks....

I currently have Norton Personal Firewall Installed on each box.....hence why we purchased a decent firewall/VPN solution.

Will CheckPoint products not work with fixed public IP addresses then?

I certainly don't think it will be possible to re-install the Oracle machines. We'll have to look for an alternative solution for the short-term.

Thanks again for all your help!!!!

Charlie
 
it's not that the firewall won't work with public addresses, it works fine.
the problem is the firewall needs to sit between 2 networks to work, as it controls traffic going from one to the other.

The firewall is primarily a gateway/router between two networks with rules detailing what traffic can pass between the two. as you don't have 2 networks it becomes very difficult to do this. this was why I was trying to find a way of splitting the network addresses into 2 subnets, then we could have had one on each side of the firewall.

 
So it won't work if I only have a range of public IP addresses... so I need to break the network into 2?

Why would it not mention this in the documentation, or is it a well known requirement with networks and firewalls?

Any further ideas will be most appreciated.

Thanks

Charlie

 
as i said a firewall is a router/gateway and they only sit between networks.

i assume you are uk based as you are on at the same times as me.
 
yes I am UK based.

looks like I'm going to have big problems setting this up then!

Thanks
 
what i would suggest is setting the firewall up anyway.
with a hub/switch with the router,firewall and the fixed IP machines connected.

then create your secure network on the inside of the firewall with your PC's.

this will allow you to get all your machines connected and still have some IP addresses free. (you will only need 1 or 2 ip addresses for the firewall and all internal machines depending on NAT configuration)

once you are happy with this then at a later date you can move your fixed IP machine to the internal network (when it is convenient to you)

this gives you the chance to learn a little about FW-1 and its configuration without killing your servers.

 
OK thanks.

But I'm sorry, I don't understand exactly. Are you suggesting I just connect the router, PCs and firewall to the switch, so traffic does not exit or enter the network via the firewall?

If this is the case the firewall won't be effective, will it?

Can you suggest any websites or literature that is helpful in this area.

Best Regards

Charlie
 