NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



[FW1] Firewall-1, two ext. NIC's and T-1 migration...



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I'd like to ask the list for comments on following scenario:

A client of mine currently has a Firewall-1 box (NT based) and a
dedicated T-1 connection. He's planning on migrating seamlessly (that
means not losing Internet connection for his hosting services) to a
different ISP. The thought is this: Firewall-1 stays where it is. The
external NIC connects to the router. The plan is to throw a hub in
between and hang the new router off that. NT will be configured with
a second IP address on the external interface. The internal network
is NAT'ed with private addresses. All FW-1 objects will be duplicated
with the new IP addressing. By that I mean, Host1 has the internal IP
address 192.168.192.168. His NAT address is 10.10.10.10 (in this
example. It is of course the virtual external IP address from ISP A).
The plan is to create an object Host1-b with the same internal
address, but with the new NAT address, 20.20.20.20 (address provided
by ISP B). The rule set will basically allow incoming HTTP
connections to Host1, and also Host1-b.

Now, what 'should happen' for incoming connections is this. If the FW
receives a packet from 9.9.9.9 to 20.20.20.20, it will NAT it to
9.9.9.9->192.168.192.168. The responses will be NAT'ed from
192.168.192.168->9.9.9.9 back to 20.20.20.20->9.9.9.9. The state
table is able to keep the different virtual IP addresses apart. The
NAT'ed packets will end up on the same interface with different
source IP addresses (depending on whether those are responses to
packets coming from ISP A or B). I assume the external I/F would be
configured with 10.10.10.10, default gateway 10.10.10.1 (as it is
now), and 20.20.20.20, default gateway 20.20.20.1. My concern is that
packets might not be routed to the correct router due to 2 different
default gateways.

Would it be better to install a second 'external' NIC in the FW? (I'd
like to avoid that)

I'm sure some of you have done migrations like this. Are there issues
you have encountered? Anything in particular to watch out for? I'm
planning on testing this in a lab first, but wanted to check if you
have any comments on this.

Regards,
Frank



-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOt3ySpytSsEygtEFEQKq7ACeMaQ/FaLCHVPPQxKZEVT5p3GrtBIAn2Gl
XroGR6DZfEuT9exbicN/12Fq
=3rQn
-----END PGP SIGNATURE-----


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

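The routing concern raised in the post can be checked before touching the lab. The following is an added example, not code from the post or from Check Point: a simplified model of the static NAT state table and of the egress routing decision, using the addresses from the message (10.10.10.10 / 20.20.20.20 as the ISP A / ISP B virtual addresses, 10.10.10.1 / 20.20.20.1 as the two routers, 9.9.9.9 as a client). It goes slightly beyond the post by contrasting plain destination-based routing, where two default routes on one interface collapse to a single next hop, with source-based (policy) routing that picks the router from the translated source address. The firewall and routing behaviour shown is a generic model and assumes nothing about how FireWall-1 on NT actually implements either.

```python
"""Dual-ISP, single external NIC: does a reply leave through the right router?

Constructed example. Addresses are those used in the post; the firewall and
routing models are deliberately simple and stand in for no real product.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

HOST1_INTERNAL = ip_address("192.168.192.168")  # Host1 on the private LAN
NAT_A = ip_address("10.10.10.10")               # virtual IP assigned by ISP A
NAT_B = ip_address("20.20.20.20")               # virtual IP assigned by ISP B
GW_A = ip_address("10.10.10.1")                 # ISP A's router
GW_B = ip_address("20.20.20.1")                 # ISP B's router
CLIENT = ip_address("9.9.9.9")                  # an Internet client

# The router through which replies from each public address have to leave.
OWNER = {NAT_A: GW_A, NAT_B: GW_B}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


class StaticNatFirewall:
    """One-to-one NAT plus a state table. As in the post, Host1 (NAT_A) and
    Host1-b (NAT_B) both map to the same internal address."""

    def __init__(self, public_to_internal):
        self.public_to_internal = dict(public_to_internal)
        # inside-view 4-tuple -> public address the connection arrived on
        self.state = {}

    def inbound(self, pkt):
        """Translate public -> internal and remember which public IP was hit."""
        internal = self.public_to_internal.get(pkt.dst)
        if internal is None:
            return None  # no NAT rule: dropped
        self.state[(internal, pkt.src, pkt.dport, pkt.sport)] = pkt.dst
        return Packet(pkt.src, internal, pkt.sport, pkt.dport)

    def outbound(self, pkt):
        """Translate a reply's source back to the public IP of that connection."""
        public = self.state.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if public is None:
            return None  # no matching state: not a reply to an allowed connection
        return Packet(public, pkt.dst, pkt.sport, pkt.dport)


def destination_only_gateway(pkt, default_gateways):
    """Ordinary destination routing: two 0.0.0.0/0 routes match every reply
    equally, so the stack uses one of them (the first configured here)."""
    return default_gateways[0]


def source_based_gateway(pkt, routes_by_source):
    """Policy routing: choose the next hop from the post-NAT source address."""
    return routes_by_source[pkt.src]


def reply_path(public_ip, choose_gateway):
    """One HTTP request to public_ip, then its reply; returns
    (router actually used, router that owns the public address)."""
    fw = StaticNatFirewall({NAT_A: HOST1_INTERNAL, NAT_B: HOST1_INTERNAL})
    request = Packet(CLIENT, public_ip, 40000, 80)
    inside = fw.inbound(request)
    reply = Packet(inside.dst, inside.src, inside.dport, inside.sport)
    on_wire = fw.outbound(reply)
    return choose_gateway(on_wire), OWNER[on_wire.src]


def misrouted(choose_gateway):
    """Public addresses whose replies would leave via the wrong ISP's router."""
    bad = []
    for ip in (NAT_A, NAT_B):
        used, expected = reply_path(ip, choose_gateway)
        if used != expected:
            bad.append(ip)
    return bad


if __name__ == "__main__":
    two_defaults = lambda p: destination_only_gateway(p, [GW_A, GW_B])
    per_source = lambda p: source_based_gateway(p, {NAT_A: GW_A, NAT_B: GW_B})
    print("two default gateways ->", [str(ip) for ip in misrouted(two_defaults)])
    print("source-based routing ->", [str(ip) for ip in misrouted(per_source)])
```

With two default gateways on one interface, replies sourced from 20.20.20.20 leave through ISP A's router: the state table itself keeps the two virtual addresses apart, exactly as the post expects, but the routing decision is made on the destination alone. That traffic may be dropped by ISP A's anti-spoofing ingress filtering, and even where it passes it is asymmetric and hard to troubleshoot. What resolves it in the model is a next-hop choice keyed on the translated source address, which is the property to verify in the lab (on the firewall host, or by separating the two paths onto separate interfaces as the post considers) before cutting over.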


 
   All contents © 2004 Network Presence, LLC. All rights reserved.