Re: adding new ip range to fw-1
From: Joey D (joeydocherty2404_at_hotmail.com)
Date: 04/01/05
Date: 31 Mar 2005 15:15:24 -0800
Hi - thanks for your reply. Please see my comments below...
Joe
Michael Pelletier <mjpelletier@mjpelletier.com> wrote in message news:<sk91e.4104$AN1.3183@fed1read03>...
> Joey D wrote:
>
> > Hi,
> >
> > We have just been given an additional ip address range from our ISP
> > due to reaching capacity on our existing range.
> > Having just assigned one of these new ip addresses to an internal host
> > I am unable to connect from the outside world. If I assign one of the
> > existing ip addresses to the host I can connect with no problems.
> >
> > Do I have to configure something in FW-1 to get it to recognise and
> > accept packets destined for this new network?
>
> ah...ya! Remember you are ADDING another subnet. You MUST configure your
> equipment, firewall rules and routing to accomplish this....
>
-- The new range is purely so that we can map internal hosts with
external public ip addresses.
-- My first problem was that the internet facing router had not been
configured by our ISP. This has been done now and I can ping it.
My firewall is a nokia ip with ng ai r55 (dual fw in ha - vrrp). I
also manually configured both firewalls (via ipso) with the next 2 ip
addresses in the new range (the first being that of the external
router). I'm presuming this is standard practice but HAVE NOT
configured any routes - should I be?
The FWs are obviously defined as a cluster object in FW-1. I
configured each of the FW objects with a new interface in the topology
(externally facing) with their respective ip address (as defined in
ipso) - these interfaces are configured as non-clustered.
Finally I created a network object for the new range.
> > The new range is of the same class but a different sub network. I have
> > attempted to add the range to the FW cluster object in the topology
> > and also assigned an ip address to the nokia ip380 ipso 3.8.
>
> No idea what you are talking about. Sounds like you added the subnet to the
> firewall? How? Did you add the subnet to a new DMZ interface? Did you try
> to supernet the subnets together (contiguous range?). Please specify. Don't
> forget you also have to modify your firewall rules too!
>
-- The new range is not contiguous with the current. I have simply
created a network object and defined it there. I can't see what other
options I have here.
>
> > ... but no luck as yet trying to establish an external connection.
> >
> > When I try to tracert to one of the new addresses it seems to stop
> > short at a router in the ISP. Perhaps they haven't configured the new
> > range to route through our existing router(?).
>
I am able to tracert to any of the new addresses now within my network
but externally everything stops at the external router interface. If I
change one of the nat rules to use an existing ip address I can get
through and it works as expected.
I've gone through every setting trying to compare the differences to
our existing range/config with the new but am having no luck!
Could it be a routing issue?
> It is possible or you have not configured your routing or firewall rules
> correctly. I really need more information...
>
> > Can someone kindly guide me please?
>
> Send more information....
>
> > Many thanks,
> >
> > Joe
>
> Michael
Many thanks for any help.
Joe