List:       firewall-1
Subject:    Re: [FW-1] non-continuous  Public Address ranges in SPLAT...Cluster XL
From:       Stephen Bourike <steve () SURFSHAK ! CO ! UK>
Date:       2008-06-30 21:25:20
Message-ID: C48F0DD0.3EAE%steve () surfshak ! co ! uk

Hi Sal

Assuming you are retaining your original range, which is what my original
response assumed, you need to go back to the ISP and ask them to change the
router configuration.

You DON'T want a secondary interface on the router (either as a
sub-interface or using a separate physical interface on the router).  You
need them to simply route the whole of the new block of addresses from your
router on to the external VRRP address of the cluster.

So, let's try to help with an example:

Assuming your original allocation was 81.10.1.32/28 (ie you have addresses
81.10.1.33 - 81.10.1.46 available for use).  You have allocated them as
follows:

81.10.1.33 - ISP Router
81.10.1.34 - some NAT'd server
81.10.1.35 - some NAT'd server
81.10.1.36 - some NAT'd server
81.10.1.37 - some NAT'd server
81.10.1.38 - some NAT'd server
81.10.1.39 - some NAT'd server
81.10.1.40 - VRRP/Cluster address of cluster
81.10.1.41 - Address of cluster HA1
81.10.1.42 - Address of cluster HA2
81.10.1.43 - some NAT'd server
81.10.1.44 - some NAT'd server
81.10.1.45 - some NAT'd server
81.10.1.46 - some NAT'd server

Now you ask the ISP for another 16 addresses and they provide you with
82.11.20.64/28 (82.11.20.64 - 82.11.20.80)

What you want is for the ISP to add a static route to your local router
(81.10.1.33) as follows:

82.11.20.64/28 via 81.10.1.40

This is ALL you need.  No additional interfaces on the router, cluster or
anywhere else.  No extra VRRP or cluster addresses.  You don't even need to
add routes on the cluster (if it's Nokia) for the NAT targets, although I
still prefer to do this as the comment field allows extra information to be
recorded for debugging later.

No ISP should have a problem with this configuration.  This is the easiest
way to simply add addresses for use as bastion server NATs (they'll work
fine for both Hide and Static NAT entries).

Hope this clears up your block.  Mail again if you need any more help.


Steve
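
The following is an added example, not part of this thread or of any Check Point tooling. It uses the constructed addresses from Steve's worked example above (81.10.1.32/28 on the external interface, 81.10.1.40 as the cluster VRRP address, 82.11.20.64/28 as the new routed block, with the block bounds as Python's ipaddress module computes them) to show the two points being made: a block that is only routed to the cluster keeps every one of its addresses as a NAT target, and a public address either sits on the connected subnet (so the cluster has to answer ARP for it) or is reached purely by an ISP static route pointing at the VIP. The route table, address roles and function names are all assumptions made for the example.

```python
import ipaddress

# Constructed addressing following the layout in the thread's example
# (assumption: illustrative values only, not a real network).
EXTERNAL_SUBNET = ipaddress.ip_network("81.10.1.32/28")
ISP_ROUTER = ipaddress.ip_address("81.10.1.33")
CLUSTER_VIP = ipaddress.ip_address("81.10.1.40")
MEMBER_HA1 = ipaddress.ip_address("81.10.1.41")
MEMBER_HA2 = ipaddress.ip_address("81.10.1.42")
RESERVED = {ISP_ROUTER, CLUSTER_VIP, MEMBER_HA1, MEMBER_HA2}
NEW_BLOCK = ipaddress.ip_network("82.11.20.64/28")

# The ISP router's static routes, prefix -> next hop (constructed).
# This single entry is the only change the ISP side needs.
ISP_ROUTES = {NEW_BLOCK: CLUSTER_VIP}


def nat_candidates(block, connected_subnet=EXTERNAL_SUBNET, reserved=RESERVED):
    """Public addresses in `block` that are free to use as NAT targets.

    On the subnet directly connected to the external interface, the
    network and broadcast addresses plus the infrastructure addresses
    (router, VIP, members) are not available.  A block that is merely
    routed to the cluster keeps all of its addresses, first and last
    included, because nothing on the wire is numbered from it.
    """
    if block.subnet_of(connected_subnet):
        return [a for a in block.hosts() if a not in reserved]
    return list(block)


def longest_match(addr, routes):
    """Longest-prefix lookup over a {network: next_hop} table."""
    best = None
    for prefix, next_hop in routes.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def classify_nat_target(addr, connected_subnet=EXTERNAL_SUBNET,
                        routes=ISP_ROUTES, cluster_vip=CLUSTER_VIP):
    """Explain how packets for a public NAT address reach the cluster.

    Returns (status, detail):
      connected   - on the external subnet; the cluster must answer ARP
                    for it (automatic/proxy ARP in Check Point terms)
      routed      - covered by an ISP static route whose next hop is the
                    cluster VIP; arrives by routing, no ARP involved
      misrouted   - covered by a route, but its next hop is not the VIP
      unreachable - no route at all; the ISP side still needs the route
    """
    addr = ipaddress.ip_address(addr)
    if addr in connected_subnet:
        return "connected", "cluster must answer ARP for this address"
    match = longest_match(addr, routes)
    if match is None:
        return "unreachable", "ISP router has no route covering this address"
    prefix, next_hop = match
    if next_hop == cluster_vip:
        return "routed", f"{prefix} via {next_hop}: no ARP needed on the cluster"
    return "misrouted", f"{prefix} via {next_hop}, which is not the cluster VIP"


if __name__ == "__main__":
    for blk in (EXTERNAL_SUBNET, NEW_BLOCK):
        cands = nat_candidates(blk)
        print(f"{blk}: {len(cands)} usable NAT addresses ({cands[0]} - {cands[-1]})")
    for a in ("81.10.1.34", "82.11.20.64", "82.11.20.79", "83.0.0.1"):
        print(a, *classify_nat_target(a))
```

Running it stand-alone prints 10 usable addresses for the connected /28 and 16 for the routed one, then the status of each sample address. Checking a NAT target's status this way before publishing the rule catches the common failure the thread describes: the NAT rule is correct, but the ISP has not yet added the route, so traffic for the new block never reaches the cluster.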


On 30/6/08 21:55, "Previtera, Sal" <Sal.Previtera@WTH.org> wrote:

> 
> Thanks Steve for your reply...
> I understand the NAT portion and agree but I am having a "mental block"
> right now on the basic TCP/IP.
> 
> The ISP Upstream router is using the first IP address of this new block
> of addresses ... I can get to it that far.
> 
> When you say
> "
> When you get a new block of addresses, you simply need to get your ISP to
> route the new block to the external address of your firewall.  If you have
> an HA pair, that would be the VRRP address of the external interfaces.
> "
> 
> Do you mean have it route it to the old (original) VRRP address since I
> do have an HA pair?
> 
> Or 
> 
> Do I need to add a secondary IP (alias) address to the external
> interface on each gateway in the cluster since it already has an IP
> address assigned from the original range?
> 
> I am getting confused because I keep thinking that something in the
> firewall cluster needs to be configured with this new IP scheme in order
> to route correctly.
> 
> Thanks,
> Sal.
> 
> 
> -----Original Message-----
> From: Stephen Bourike [mailto:steve@surfshak.co.uk]
> Sent: Monday, June 30, 2008 2:59 PM
> To: Mailing list for discussion of Firewall-1; Previtera, Sal
> Cc: Stephen Bourike
> Subject: Re: [FW-1] non-continuous Public Address ranges in
> SPLAT...Cluster XL
> 
> 
> Sal
> 
> There is nothing magical or difficult about this - you simply need to
> separate the networking from the NAT in your head.
> 
> The Check Point documents and certification courses (and many other
> vendors' documentation and training) imply that the routing and NAT for
> public addresses are intrinsically linked.  Indeed, the advent of
> simplified policies and automatic ARP for NAT makes it seem even more like
> they are one and the same thing.
> 
> They are NOT.
> 
> The firewall (any firewall) can NAT any packet that passes through it.
> The important part of this last sentence is the "that passes through it".
> NOT "that it has an ARP for" or "that is contiguous with the address block
> on the external interface" or anything else.
> 
> When you get a new block of addresses, you simply need to get your ISP to
> route the new block to the external address of your firewall.  If you have
> an HA pair, that would be the VRRP address of the external interfaces.
> 
> This will bring the traffic to your firewall.  From there, you need ONLY
> have NAT rules that control the translations that you need.
> 
> YOU DO NOT NEED TO DO ANYTHING WITH AUTOMATIC OR PROXY ARPs !!
> 
> Simple huh !
> 
> Oh, and best of all, you DON'T lose the network and broadcast addresses
> from that routed subnet, so you get an extra couple of free addresses to
> boot!
> 
> Hope that this helps.
> 
> 
> Steve Bourike
> Applied Security Consulting Limited
> http://www.appliedsecurity.co.uk
> 
> 
> On 30/6/08 20:10, "Previtera, Sal" <Sal.Previtera@WTH.ORG> wrote:
> 
>> Hello,
>> Possibly this may have been discussed before; if anyone can give me
>> hints or point me to the right documents, it will be greatly appreciated.
>>  
>> We have run out of Public IP addresses in the range we had on the
>> Internet side, so we had to purchase additional IP addresses.
>> But the range is not continuous from our previous ones;
>>  
>> 1. How do we add the additional IP range to be recognized by the
>> Checkpoint FW cluster, since it will be used to translate additional
>> hosts inside? Do I add a secondary IP address to the external Interface
>> within this new range, on each gateway in the Cluster?
>> 2. Do I need to create an additional Virtual IP address for the
>> Cluster on this new range?
>>  
>> Thank you all for your input....
>>  
>> 
>> 
>> 
>> 
>> Scanned by Check Point Total Security Gateway.
>> 
>> 
>> 
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to LISTSERV@amadeus.us.checkpoint.com
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> fw-1-owner@ts.checkpoint.com
>> =================================================
> 
> 
