
Problems Configuring New Firewall 1


chunky28

Technical User
Apr 14, 2003
121
GB
Hello

We have recently purchased Check Points (NG) VPN-1/FireWall-1 and I am responsible for installing and configuring it.

I have followed the setup instructions but I am still unable to get it working. There is one thing I am not sure of: where does the Router fit in?

This is my setup:

I have a small LAN (approx 15 boxes) which up until now has been connected to the internet using an ISDN Router (Netgear RT338).

This has been working fine.

I now have a new box (XP Professional) with 2 interface cards (Both D-Link DFE-530TX). I have installed the CheckPoint Software on this machine.

The network cable from the External Interface is plugged into the router, which then plugs into the ISDN telephone point. The other, Internal, interface is connected to our switch, which all the other PCs in the network are connected to.

The Router, every PC and both interface cards in the Firewall machine have a fixed IP address and all are on the same subnet.

The problem is, the Firewall's external interface card (connected to the router) is shown to be unplugged when connected to the router.

Could someone please advise what I am doing wrong!!?
 
Not quite.
What I am suggesting is a stop gap until you can move the fixed IP machines.

You mentioned you have 15 machines (approx) of which 5 have to have fixed IP addresses (dropping to 3 later).

These boxes you have on the outside of the firewall.
You then create a protected network 192.168.x.x where you put the other machines.
Using NAT these machines will be able to connect to the fixed machines on the outside of the firewall.

This way you at least can protect some of your machines until you can put the fixed machines on the internal network.

Router
(193.x.x.225)
|
|
Hub--------- (193.x.x.226,227,230,234,237)
|
|
(193.x.x.232)
Firewall
(192.168.1.1)
|
|
Hub -------- Other internal machines (192.168.2.1,2,3,4....)

After you get this network working you can then look at reinstalling the Oracle servers (probably after you have reduced to 3 external machines).

This is the only way I can see you moving forward.
The only other option is to get an integrated network router/firewall and replace the Netgear.


Quick thought:
what is the external IP address of your router? Is it in a completely different network to the internal?

If it is, then you could change the internal IP address of the router to a reserved range (192.168.x.x) with a static route to the firewall's external IP address (also in the 192.168.x.x range) for the 193.x.x.224-239 range,
then have the 193.x.x.224-239 range as the internal network on the firewall.

This will allow you to have a separate range for internal and external at the firewall.

 
Many thanks

I am going to look into this further and perhaps talk to Oracle about this.

I need to do a bit more swotting to find out how to create a new network etc. as I'm not sure how this fits in with Domain Controllers, DNS Servers etc. As I said, I am a novice.

There are actually only 4 PCs that need the fixed IP addresses. 3 of these need to keep their existing external IP addresses and 1 just needs to be fixed. Can NAT be set up with fixed private IP addresses? I always see NAT mentioned alongside DHCP, but if it needs to be fixed DHCP is no good, is it?

Regarding my Router configuration these are the settings:

Ethernet TCP/IP Settings:
IP Address = 193.xxx.xxx.225
Subnet Mask = 255.255.255.240

DHCP Role = None

Remote Node TCP/IP Settings:

Remote IP Address = 0.0.0.0
Remote Subnet Mask = 0.0.0.0
My WAN Address = 0.0.0.0

Single User Account = Enabled
Default Server = 193.xxx.xxx.226 (this is my DC and DNS Server)


Thanks again

Charlie
 
 
Your external machines will have their fixed IPs.
Any machine set up on the internal network can have NAT set up on it. This means that on the internal network it will have an IP address, 192.168.2.1 for example.
When it is communicating with the outside world, as the traffic passes through the firewall, the firewall replaces the internal IP with a valid one - 193.x.x.228 - so all the external machines will then send any responses to 193.x.x.228, and the firewall will translate this back to 192.168.2.1. This is what is called Static NAT. This allows your machine to initiate a contact with an outside machine and vice versa.

Hide NAT is what you use when you have many machines wanting to connect to the outside world but you don't want the external machines to initiate a communication with them (web browsing is an example).

All internal machines (192.168.2.1,2,3,4) hide behind a single valid IP address, say 193.x.x.231, and the firewall replaces their IP address with this one. The firewall keeps track of who it has sent data requests to, so it then knows which machine sent the request when it gets a return data packet; this is then given the original IP address of the machine that sent the data (e.g. 192.168.2.2). This is called Hide NAT.

As all internal machines hide behind one address, an external machine cannot initiate a connection to an individual machine, as the firewall will say it didn't send anything so isn't expecting anything (on FW1 you get the message "packet out of state").
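To make the two translation modes described in that reply concrete, here is an added simulation of a Static NAT mapping and a Hide NAT state table. This is editor-written example code, not code from the thread or from Check Point, and it deliberately ignores timeouts, port reuse and ICMP. All addresses are constructed: 192.0.2.228 and 192.0.2.231 stand in for the thread's 193.x.x.228 and 193.x.x.231, and 198.51.100.x stands in for hosts out on the internet. The last case in `demo()` is the "packet out of state" situation: a packet arriving for the hide address that no internal host asked for has no table entry, so the firewall has nowhere to deliver it and drops it.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP/TCP header: only the fields NAT rewrites or keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """One-to-one NAT: each internal address owns one public address.
    Translation works in both directions, so an outside host can initiate."""

    def __init__(self, mappings: Dict[str, str]):
        self.in2out = dict(mappings)                       # internal -> public
        self.out2in = {v: k for k, v in mappings.items()}  # public -> internal

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip not in self.in2out:
            return None                                    # not a host we translate
        return replace(pkt, src_ip=self.in2out[pkt.src_ip])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip not in self.out2in:
            return None
        # No state is needed: any packet for the public address maps inside.
        return replace(pkt, dst_ip=self.out2in[pkt.dst_ip])


class HideNat:
    """Many-to-one NAT: every internal host is rewritten to one public address.
    A per-flow state table records which internal host owns each translated
    source port; only replies that match an entry are let back in."""

    def __init__(self, hide_addr: str, first_port: int = 10000):
        self.hide_addr = hide_addr
        self.next_port = first_port
        # (translated src port, remote ip, remote port) -> (internal ip, internal port)
        # A real firewall ages these entries out; this toy never does.
        self.table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.hide_addr, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.hide_addr or key not in self.table:
            return None            # "packet out of state": nobody inside asked for this
        int_ip, int_port = self.table[key]
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Walk both modes through the thread's scenario with constructed addresses."""
    static = StaticNat({"192.168.2.1": "192.0.2.228"})
    hide = HideNat("192.0.2.231")
    results = {}
    # Static NAT: the internal host goes out as .228 and an outsider can reach it.
    results["static_out"] = static.outbound(Packet("192.168.2.1", 40000, "198.51.100.10", 1521))
    results["static_in"] = static.inbound(Packet("198.51.100.10", 5555, "192.0.2.228", 80))
    # Hide NAT: a web request leaves as .231:10000 and only its reply comes back.
    results["hide_out"] = hide.outbound(Packet("192.168.2.2", 40001, "198.51.100.20", 80))
    results["hide_reply"] = hide.inbound(Packet("198.51.100.20", 80, "192.0.2.231", 10000))
    # Unsolicited packet to the hide address: no table entry, so it is dropped.
    results["unsolicited"] = hide.inbound(Packet("198.51.100.30", 4444, "192.0.2.231", 10001))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} -> {pkt if pkt else 'DROPPED (out of state)'}")
```

Note the asymmetry this exposes: with Static NAT the firewall will forward anything addressed to the public address, so the rulebase is the only thing standing between the internet and that host; with Hide NAT the state table already refuses inbound connections that were not requested, and the rulebase adds a second layer on top.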
 
Thanks for the sound advice again.

I will obviously find out soon enough when I start playing with the firewall configuration, but will it be possible to set up rules to allow my external (Oracle) machines to communicate with the internal ones?

Furthermore, as I said before, two of the Oracle machines can have the internal IP addresses without the need for a reinstall, but should it be possible to configure one of these to have a fixed internal IP address and allow any HTTP requests to be routed to this? As this is where I have my website hosted.

I currently have the A record for my website domain routed by my ISP to our Router 193.xxx.xxx.225. This then forwards HTTP requests to the IP address of this machine 193.xxx.xxx.230. So I need to be able to configure HTTP requests to go through the Firewall to this machine (with an internal fixed address).

So would I need to get HTTP requests routed to the firewall IP 193.xxx.xxx.232 and get the firewall to route this request to the correct machine on the internal network?

Is my understanding correct then?
The Oracle machines that require the external addresses will be unchanged and should stay on subnet 255.255.255.240, while the other machines should go on subnet 255.255.255.0 and the NAT is controlled by the firewall?

I hope these questions make sense.

Thanks again

Charlie
 
Yes to the rules question (make sure you have the rules log everything), then see what is blocked by the firewall and open up the required ports on the firewall for the Oracle.

For the web server you can give it any IP address you like (internal), then in the server object that you create (specifically for the web server) you click on the NAT tab and set up Static NAT using the .230 IP address.

The router shouldn't need any changes for this, as the firewall will listen out on the .230 IP address for the internal server.

As for the subnets, you can use what you like for the internal IP addresses (depends on what you chose for the network) but in the NAT rules keep the subnet as .240.
 
Thanks again.

I will try not to keep this thread open too long, but I am going to look at this again on Monday, so if you are available to ask any further questions (hopefully not too many; I understand the principles much better now!!) I would be very grateful.

Cheers

Charlie
 
No problems, see you Monday.
(Keeping the thread open isn't a problem, as it gives someone an end-to-end exchange on the problems.)
 
Still trying to work all this out.

looking for details on the web as unfortunately there is no training or in-house experience.

I will be testing out my configuration after work as I can't mess with the network while colleagues are working.

Anyway here is what I was planning:

Internet
|
|
Router 193.xxx.xxx.225
Subnet 255.255.255.240
|
|
Hub/Switch - - - - 193.xxx.xxx.226
| 193.xxx.xxx.227
| 193.xxx.xxx.230
| 193.xxx.xxx.234
| 193.xxx.xxx.237
| (all Subnet 255.255.255.240)
|
193.xxx.xxx.232
Subnet 255.255.255.240

FireWall/VPN

192.168.1.1
Subnet 255.255.255.0
|
|
|
|
|
|
Hub/Switch - - - - 192.168.2.1
192.168.2.2
192.168.2.3
192.168.2.4
192.168.2.5
192.168.2.6
192.168.2.7
(all subnet 255.255.255.0)

I have tried to use the diagrams supplied previously in this thread. Will this work?

There are a few things I am unsure of:

1. How do all these IP addresses and subnets interfere with naming methods? Oracle Collaboration Suite needs a FQD name so if I eventually install it onto my internal network, will there be any potential problems?

2. Unfortunately I WILL need 5 machines on the public network for now as the two I thought would be OK to assign internal addresses need to login to the domain.....and my networks domain controller is 193.xxx.xxx.226

3. I'm not sure how to reset the firewall configuration, as I still have the IP address 193.xxx.xxx.224 (the value entered when initially attempting to configure the firewall).
The internal interface IP is set to 192.168.1.1/255.255.255.0
and my external interface IP is set to
193.xxx.xxx.232

but the topology map is still showing the IP address 193.xxx.xxx.224 one side of the firewall.

I have attempted to delete the firewall node and recreate it but it is the Primary Management Station.

I hope people can understand all this and see what my problem is!

Thanks once again
 
1. FQDNs: if you have an internal DNS server, that gets round this.
2. If you are using Static NAT for these machines the Domain server will see them as correct IP addresses.
3.
a) change the IP address in the OS
b) create a network object for the internal network
c) in the firewall object, on the general page, change the IP address (use the external IP of .232)
d) on the topology page click Get topology and this will refresh the topology
e) in topology set the .232 interface as external
f) set the internal interface anti-spoof to internal and specific to the internal network object


 
To change your CP licence to the firewall address,
go to
usercenter.checkpoint.com
register an account and enter your software,
then you can change your licence to any IP address (you can move it about as much as you like).
 
OK done as you have suggested but this has not changed things.

I have created a Network Object with the following settings:

Network Address: 192.168.2.0 (Should this be the internal firewall interface IP)
Net Mask: 255.255.255.0
(Broadcast Address = Included)
Plus nothing configured in NAT

My Firewall Object has the following settings:

IP Address: 193.xxx.xxx.232
Topology:

IP Address        Network Mask       IP Addresses Behind Int.
193.xxx.xxx.232   255.255.255.240    External
192.168.1.1       255.255.255.0      Internal

The latter has Anti-Spoofing set and IP Addresses behind the interface are specific to my Network Object.


However the Topology diagram still shows:

192.168.1.0 - - - - Firewall - - - - - - 193.xxx.xxx.224

If I move the mouse over 193.xxx.xxx.224, it says Implied Network 193.xxx.xxx.224/255.255.255.240 Created by Topology View.

If I look at the properties all fields are greyed out and nothing can be changed.

Could you clarify that my OS IP address settings are correct?

I have two interface cards as follows:

Internal Interface:
IP: 192.168.1.1
Subnet Mask: 255.255.255.0
Default Gateway: 193.xxx.xxx.225 (=router IP)

External Interface:
IP: 193.195.222.232
Subnet Mask: 255.255.255.240
Default Gateway: 193.xxx.xxx.225 (=router IP)

The internal IP is in a different subnet to the default gateway (router) so is this incorrect?

Thanks again

Charlie
 
Yes, if you are using 192.168.1.1 for the firewall and 192.168.2.x for your machines, change all subnets to 255.255.0.0 (for the internal network only).

You don't need a default gateway on the internal interface.

As for the greying out, this may be a licensing issue.
Try changing the licence IP address via the CP website;
it may then allow you to change the topology setting.
 
OK, I'll look into that. But surely the IP address in question should be identical to the Firewall's external IP address, which is 193.xxx.xxx.232?

Thanks again
 
I was assuming that when you licensed the firewall you used the .224 address, so I was assuming that the licence was still set to this.
With CP FW1 you have to get a different licence when you change the IP address (that is why you register via the CP website, as you can change it online and download the new one).
 
Sorry, no I registered the license with .232.

Could you tell me what the two objects are which checkpoint topology places on the diagram either side of the firewall. I thought they must represent the firewall interfaces, but the IP addresses of them are as follows:

1. 193.xxx.xxx.224, and
2. 192.168.0.0

These have been created automatically. If I right click on each and select Actualize Network (not sure what this is), the settings are as follows:

1. Name: Net_192.168.0.0
Network Address: 192.168.0.0
Net Mask: 255.255.0.0

2. Name: Net_193.xxx.xxx.224
Network Address: 193.xxx.xxx.224
Net Mask: 255.255.255.240


Could you please explain the reasons behind your posting: 'yes if you are using 192.168.1.1 for the firewall and 192.168.2.x for your machines change all subnets to 255.255.0.0 (for the internal network only)'

Or do you know where I can find out more about subnets? If I attempt to change the Network Address of Net_193.xxx.xxx.224, I get the following message:

Based on the Netmask you have defined, VPN-1 & Firewall-1 suggests the IP address 193.xxx.xxx.224. Do you want to accept the suggested IP address?

Thanks again!!
 
OK, the two objects are networks that the firewall has identified as required. This is based on the interface addresses. The reason you get 193.x.x.224 is that it is the first IP address in the range 193.x.x.224 - 239 with mask 255.255.255.240 (same as 192.168.0.0 is the first in the range with mask 255.255.0.0).

Subnet masks block IP ranges and allow you to group them into blocks,
so 192.168.1.0 255.255.255.0 allows all IP addresses from
192.168.1.0 to 192.168.1.255
and 192.168.2.0 255.255.255.0 allows all IP addresses from 192.168.2.0 to 192.168.2.255.
If you want to have these two address ranges you would need to have a mask that had them in the same range,
so 192.168.0.0 255.255.0.0 allows all IP addresses from 192.168.0.0 to 192.168.255.255 (a lot of IP addresses).

When you use subnet masks different from 0 and 255 it gets a little more complicated (see document below) but all they do is allow you to cut each of the blocks of 255 addresses into smaller groups (if you remember above I was trying to cut your network in 2 using .248 as the mask).


This is a good document for subnets
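The subnet arithmetic in that reply can be checked with the standard-library `ipaddress` module. The helpers below are an added example (editor's code, not from the thread or the linked document) that reproduce each statement made above: why a /28 block starting at .224 runs to .239 and therefore the "implied" network object is named after .224, why 192.168.1.1 and 192.168.2.1 are not in the same /24 but are in the same /16, and how a .248 mask halves the /28. The 192.0.2.x addresses are constructed stand-ins for the thread's redacted 193.xxx.xxx.x range.

```python
import ipaddress
from typing import List, Tuple


def network_of(ip: str, mask: str) -> str:
    """CIDR block a host address falls in.
    e.g. ('192.0.2.232', '255.255.255.240') -> '192.0.2.224/28'"""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network)


def address_range(ip: str, mask: str) -> Tuple[str, str, int]:
    """First address (network), last address (broadcast) and size of the block."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def usable_hosts(ip: str, mask: str) -> List[str]:
    """Addresses you can actually assign: the block minus network and broadcast."""
    return [str(h) for h in ipaddress.ip_interface(f"{ip}/{mask}").network.hosts()]


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when two hosts sit in the same block under this mask, i.e. they can
    reach each other directly without a router in between."""
    return network_of(a, mask) == network_of(b, mask)


def explain(ip: str, mask: str) -> str:
    """One-line summary in the style of the reply above."""
    first, last, n = address_range(ip, mask)
    return f"{ip} with mask {mask} is in {network_of(ip, mask)}: {first} to {last} ({n} addresses)"


if __name__ == "__main__":
    # The firewall's external address (stand-in for 193.xxx.xxx.232) in its /28.
    print(explain("192.0.2.232", "255.255.255.240"))
    print("usable:", usable_hosts("192.0.2.232", "255.255.255.240"))
    # Cutting that /28 in two with a .248 mask.
    print(explain("192.0.2.232", "255.255.255.248"))
    # Why the firewall's 192.168.1.1 and the hosts' 192.168.2.x need a /16.
    print("same /24:", same_subnet("192.168.1.1", "192.168.2.1", "255.255.255.0"))
    print("same /16:", same_subnet("192.168.1.1", "192.168.2.1", "255.255.0.0"))
    print(explain("192.168.1.1", "255.255.0.0"))
```

`explain("192.168.1.1", "255.255.0.0")` yields the 192.168.0.0/16 block, which is exactly the `Net_192.168.0.0` object the topology view created automatically earlier in the thread.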
 
OK, I have tried setting the firewall up with no success yet. I have just one machine on the internal network, but I can't access the web from this machine.

Can you see anything I've missed?

In the network properties I have the following:

IP address: 192.168.2.1
Subnet Mask: 255.255.0.0
Default Gateway: 192.168.1.1 (I assume this should be the internal interface on the firewall/gateway; it was previously set to the router IP)

DNS Servers are set to the ones supplied by my ISP.

I have the following rule on my firewall:

Source: odbc (=internal network object)
Destination: Any
VPN: Any traffic
Service: Any
Action: Accept
Track: -None
Install On: Gateways
Time: Any

For the webbrowser machine I have added a Host Node with the IP address 192.168.2.1. If I hit Get Address it says Cannot Resolve Name!

If I go to topology > Get > Interface, it finds the following:

NDIS 192.168.2.1 255.255.0.0


NAT is set to 'Add Automatic Address Translation rules'
Translation method: Hide (Hide behind Gateway)

So the topology diagram has the following:

Network Object: ODBC
(192.168.2.0/255.255.255.0)
|
|
Implied: 192.168.0.0/255.255.0.0
| |
| |
Firewall* Webbrowser (Host Node)
(193.195.222.232) (192.168.2.1)
|
|
Implied:
193.xxx.xxx.224
/255.255.255.240
|
|
Internet

*Firewall Settings:
Topology:
External=193.xxx.xxx.232/255.255.255.240
- Anti Spoofing enabled
Internal=192.168.1.1/255.255.0.0
- Anti Spoofing enabled
- IP addresses behind this interface specific to ODBC (Network Object)

I hope this is clear.

Thanks for the link to the Subnet doc, it should prove very useful.

One other thing: the network cards I am using were not featured under supported network interface cards on the CheckPoint website. I am using two D-Link DFE-530TX network cards on Windows XP. I assume there should be no problem with these.

Many thanks!
 
Network cards - I didn't even know they produced a list. So don't worry about them; I have never had a problem.

Internal interface default gateway - you don't need this at all (it may just end up confusing things), so remove it.

The most likely cause is you don't have IP forwarding enabled in XP - this allows traffic from one interface to be retransmitted out another. See this doc on how to activate it.

With your rule in the firewall I would change track to log
(I would do this with all rules) as it is a very good method of diagnostics (use SmartView Tracker; it shows you what is going on through the firewall).

Make sure you have these rules:
source - dest - service - action - track
any - firewall - any - drop - log, called the stealth rule (2nd rule)
any - any - any - drop - log (always the last rule, called the catch-all rule)
The stealth rule will come after any rule you have set up for admin to the firewall - or it is the 1st rule.

The stealth rule stops all external access to the firewall (just in case any of your later rules open this up again).
Catch-all rule - the firewall drops all unruled traffic but doesn't log it; the catch-all rule puts it all in the logs.
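The ordering argument in that reply (admin rule, then stealth, then the outbound allow, then catch-all) is easiest to see by running packets through a first-match rulebase. The evaluator below is an added example written for this thread, not Check Point code and not the thread's actual policy; it models only source, destination and service, leaving out the VPN, Install On and Time columns. The network objects are constructed: 192.0.2.232 stands in for the firewall's 193.xxx.xxx.232, `odbc` is the thread's 192.168.2.0/24 internal network object, and `admin_pc` is a hypothetical management station. The rule names are labels for this example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

# Constructed network objects (see lead-in); "any" is represented by None.
FIREWALL: Set[str] = {"192.0.2.232", "192.168.1.1"}   # both firewall interfaces
INTERNAL = ipaddress.ip_network("192.168.2.0/24")      # the thread's 'odbc' object
ADMIN_PC: Set[str] = {"192.168.2.1"}                   # hypothetical admin station

OBJECTS = {
    "any": None,
    "firewall": FIREWALL,
    "odbc": INTERNAL,
    "admin_pc": ADMIN_PC,
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    dest: str
    service: str   # "any" or a TCP/UDP port number as a string
    action: str    # "accept" or "drop"
    track: str     # "log" or "none"


def _matches(obj_name: str, ip: str) -> bool:
    """Does the named object contain this address?"""
    obj = OBJECTS[obj_name]
    if obj is None:                      # "any"
        return True
    if isinstance(obj, set):             # host object(s)
        return ip in obj
    return ipaddress.ip_address(ip) in obj   # network object


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str, bool]:
    """First-match evaluation: returns (action, matching rule name, logged?).
    A packet that no rule matches is dropped by the implicit rule and NOT
    logged, which is exactly the gap the explicit catch-all rule closes."""
    for rule in rules:
        if (_matches(rule.source, src) and _matches(rule.dest, dst)
                and rule.service in ("any", str(port))):
            return rule.action, rule.name, rule.track == "log"
    return "drop", "implicit", False


# Rulebase in the recommended order: admin access, stealth, outbound allow, catch-all.
RULES = [
    Rule("admin", "admin_pc", "firewall", "any", "accept", "log"),
    Rule("stealth", "any", "firewall", "any", "drop", "log"),
    Rule("outbound", "odbc", "any", "any", "accept", "log"),
    Rule("catch_all", "any", "any", "any", "drop", "log"),
]


def demo(rules: List[Rule] = RULES) -> List[Tuple[str, Tuple[str, str, bool]]]:
    """Sample flows, each labelled with what the rulebase does to it."""
    flows = [
        ("internal host browsing the web", ("192.168.2.5", "198.51.100.10", 80)),
        ("internet host probing the firewall", ("198.51.100.99", "192.0.2.232", 22)),
        ("internal host poking the firewall", ("192.168.2.5", "192.0.2.232", 22)),
        ("admin station to the firewall", ("192.168.2.1", "192.168.1.1", 22)),
        ("unsolicited inbound to an internal host", ("198.51.100.99", "192.168.2.5", 445)),
    ]
    return [(label, evaluate(rules, *flow)) for label, flow in flows]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:42s} -> {result}")
    # Swap stealth and outbound to see why the order matters.
    swapped = [RULES[0], RULES[2], RULES[1], RULES[3]]
    print("with stealth after outbound:", evaluate(swapped, "192.168.2.5", "192.0.2.232", 22))
```

Two things worth checking in the output: with the stealth rule placed after the broad `odbc -> any` allow, an ordinary internal host is accepted to the firewall's own interfaces, which is the "later rules open this up again" case; and with the catch-all removed (`RULES[:-1]`) the unsolicited inbound flow is still dropped but leaves no log entry, so the first sign of trouble in SmartView Tracker would be missing.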
 
Thanks again for the swift response.

Still not working though I'm afraid.

I have edited the registry as suggested and even rebooted the firewall but the webbrowser machine is still not able to connect to the internet.

When you say remove the internal interface default gateway. Are you referring to the Default Gateway in the Webbrowser IP settings (I thought it needed this?) or are you referring to the Default Gateway in the Firewall internal interface IP settings?

I have set the rules to use log, but there is no evidence that the webbrowser machine is even attempting to communicate with the firewall to access the web. Not that I can see anyway!

The rules you suggested I set, should these be INSTALLED ON the Gateway, or should this just be left as 'Policy Targets'?

 