[FW1] Firewall-1, two ext. NIC's and T-1 migration...
Greetings,

I'd like to ask the list for comments on the following scenario:

A client of mine currently has a Firewall-1 box (NT based) and a dedicated T-1 connection. He's planning on migrating seamlessly (that means not losing Internet connection for his hosting services) to a different ISP.

The thought is this: Firewall-1 stays where it is. The external NIC connects to the router. The plan is to throw a hub in between and hang the new router off that. NT will be configured with a second IP address on the external interface.

The internal network is NAT'ed with private addresses. All FW-1 objects will be duplicated with the new IP addressing. By that I mean, Host1 has the internal IP address 192.168.192.168. His NAT address is 10.10.10.10 (in this example. It is of course the virtual external IP address from ISP A). The plan is to create an object Host1-b with the same internal address, but with the new NAT address, 20.20.20.20 (address provided by ISP B). The rule set will basically allow incoming HTTP connections to Host1, and also Host1-b.

Now, what 'should happen' for incoming connections is this. If the FW receives a packet from 9.9.9.9 to 20.20.20.20, it will NAT it to 9.9.9.9->192.168.192.168. The responses will be NAT'ed from 192.168.192.168->9.9.9.9 back to 20.20.20.20->9.9.9.9. The state table is able to keep the different virtual IP addresses apart. The NAT'ed packets will end up on the same interface with different source IP addresses (depending on whether those are responses to packets coming from ISP A or B).

I assume the external I/F would be configured with 10.10.10.10, default gateway 10.10.10.1 (as it is now), and 20.20.20.20, default gateway 20.20.20.1. My concern is that packets might not be routed to the correct router due to 2 different default gateways. Would it be better to install a second 'external' NIC in the FW? (I'd like to avoid that.)

I'm sure some of you have done a migration like this.
Are there issues you have encountered? Anything in particular to watch out for? I'm planning on testing this in a lab first, but wanted to check if you have any comments on this.

Regards,
Frank
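An added illustration of the scenario in the post (this is example code written for this page, not Firewall-1 or Check Point code, and not anything Frank posted). It models the two parts of his question separately: a static NAT with a per-connection state table that maps both public addresses (the post's 10.10.10.10 from ISP A and 20.20.20.20 from ISP B) to the same internal host and restores the right public source on the reply, and then the next-hop decision for that reply under two routing policies. The addresses and ports are the constructed ones from the post; `destination_only`, `source_aware`, `StaticNatFirewall` and `run_scenario` are names invented here. The example assumes an ordinary routing table consults only the destination address, so it sends every reply to whichever single default gateway is active, whereas a source-aware (policy) routing decision picks the router of the ISP that owns the reply's source address.

```python
"""Toy model of two public addresses on one firewall interface, static NAT
for one hosted server, and which ISP router a translated reply is sent to.
Example code added for this page; not Firewall-1 code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed addresses from the post; they are illustrative only.
INTERNAL_HOST = "192.168.192.168"
NAT_A, GW_A = "10.10.10.10", "10.10.10.1"   # public address and router from ISP A
NAT_B, GW_B = "20.20.20.20", "20.20.20.1"   # public address and router from ISP B
CLIENT = "9.9.9.9"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StaticNatFirewall:
    """One-to-one NAT with a per-connection state table (hypothetical, not FW-1's)."""

    def __init__(self, public_to_internal: Dict[str, str]):
        self.public_to_internal = dict(public_to_internal)
        # Keyed in the reply direction: (internal src, client dst, sport, dport) -> public address used
        self.state: Dict[Tuple[str, str, int, int], str] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """client -> public address becomes client -> internal host; remember which public address."""
        internal = self.public_to_internal.get(pkt.dst)
        if internal is None:
            return None  # no translation rule for this destination: drop
        self.state[(internal, pkt.src, pkt.dport, pkt.sport)] = pkt.dst
        return Packet(pkt.src, internal, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Restore whichever public address the client originally connected to."""
        public = self.state.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if public is None:
            return None  # no matching connection in the state table: drop
        return Packet(public, pkt.dst, pkt.sport, pkt.dport)


RoutingPolicy = Callable[[Packet], str]


def destination_only(pkt: Packet) -> str:
    """Plain routing table: one active default gateway, the source address is never consulted."""
    return GW_A


GATEWAY_FOR_SOURCE = {NAT_A: GW_A, NAT_B: GW_B}


def source_aware(pkt: Packet) -> str:
    """Policy routing: the router of the ISP that owns the reply's source address."""
    return GATEWAY_FOR_SOURCE[pkt.src]


def run_scenario(policy: RoutingPolicy) -> Dict[str, str]:
    """One HTTP connection to each public address; map reply source address -> chosen next hop."""
    fw = StaticNatFirewall({NAT_A: INTERNAL_HOST, NAT_B: INTERNAL_HOST})
    result: Dict[str, str] = {}
    for sport, public in ((40000, NAT_A), (40001, NAT_B)):
        syn = fw.inbound(Packet(CLIENT, public, sport, 80))
        if syn is None or syn.dst != INTERNAL_HOST:
            raise RuntimeError("inbound translation failed")
        # The server answers from its private address; NAT must put the public address back.
        reply = fw.outbound(Packet(INTERNAL_HOST, CLIENT, 80, sport))
        if reply is None or reply.src != public:
            raise RuntimeError("reply translation failed")
        result[reply.src] = policy(reply)
    return result


if __name__ == "__main__":
    print("destination-only routing:", run_scenario(destination_only))
    print("source-aware routing:    ", run_scenario(source_aware))
```

With `destination_only`, the reply sourced from 20.20.20.20 leaves through 10.10.10.1, ISP A's router, even though the state table translated it correctly: the NAT side of the plan works, and the routing side is where the post's concern lies. A router or ISP that filters packets by source address could drop that reply. With `source_aware` each reply goes to the router of the ISP whose address it carries; what the model does not settle is whether the NT routing stack in the post behaves either way, which is what the lab test would show.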