Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

To: <[email protected]>, <[email protected]>
Subject: Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
From: "Robert MacDonald" <[email protected]>
Date: Thu, 30 Nov 2000 23:02:06 -0500
Sender: [email protected]

Greg,

Create a network object for the 250 network with
the appropriate mask. Then place a new rule with the
250 network object before the general 10 object.

You shouldn't need to make any routing changes,
since all traffic for the 10.x.x.x that comes to the fw,
will be sent to the appropriate interface. The box will
route to the proper interface, because you setup the
interface with a specific mask.

Most systems will route from the most specific to the
least specific. In your case, it will check for the 250
network, then for the more general 10.x.x.x network(s).

Did I miss anything here?

Robert


- -
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice:email: [email protected]

>>> "Greg Winkler" <[email protected]> 11/30/00 3:32:22 PM >>>
>
>We use a 10.x.x.x network internally per RFC 1918. Up until today I've used
>a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to all of my
>internal hosts. It has been very convenient to use this in my rules, for
>example "internal any http accept". I now have a need to "partition off" a
>class C subnet from that 10.x.x.x range, for example 10.250.1.x. This class
>C net will become a fourth leg on a firewall, that can no longer be
>considered part of my "internal" network.
>
>My issue is how do I define an object or objects that will let me
>differentiate in my rules between my internal 10.x.x.x net and this oddball
>10.250.1.x net. Ideally I would have an object that included all of my
>10.x.x.x networks EXCEPT for 10.250.1.x. I've puzzled myself trying to come
>up with a subnetting scheme and a network object to no avail. The idea of
>actually creating object for my literally hundreds of internal 10.x.x.x
>networks is unappealing to say the least.
>
>My other option is to grab one of the other RFC 1918 nets and use this for
>the fourth leg. But that would be TOO easy and I wanted to see if there
>might be a way to do it some other fashion.




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: Re: [FW1] Nokia HA options
Next by Date: [FW1] Need help
Previous by thread: [FW1] Oracle FTP Problem
Next by thread: [FW1] Need help
Index(es):
- Date
- Thread