#1
Hello. I am very new to all of this and I am not sure if these are even the appropriate groups for this question... if not, I apologize in advance and please feel free to point me in the right direction.

I am administering a small network with internal IP 192.168.0.0 (255.255.255.0). My ISP installed an ADSL modem/router with internal IP 212.150.151.124.

The ultimate goal here is to install CheckPoint Firewall-1 on an NT4.0 server, which will be the gateway of my internal network. I have installed NT4.0 Server on the computer I want to use as the firewall (FW) with the following configuration:

1st NIC - External:
    IP 212.150.151.123
    Subnet mask 255.255.255.248
    Gateway 212.150.151.124 (internal IP of the router)

2nd NIC - Internal:
    IP 192.168.0.10
    Subnet mask 255.255.255.0
    Gateway left blank

The IP Forwarding box is currently checked (enabled).

From the FW I access the Internet without problems.

In the manuals it's highly recommended to test the connection from the internal LAN to the Internet through the firewall machine before installation of the FireWall.

So I connected a laptop with the following IP configuration to the internal interface of the FW machine to test the connection from the inner LAN to the router:

    IP 192.168.0.2
    Subnet mask 255.255.255.0
    Gateway 192.168.0.10 (internal IP of the FW machine)

From the client I successfully sent a ping to both the internal and external interfaces of the FW machine (192.168.0.10 and 212.150.151.123), but when I tried to send a ping to the internal interface of the router (212.150.151.124) it was not successful, therefore

1st question - do I need to define a static route on the FW machine, or will the FireWall take care of the routing after installation by itself?

Defining a static route, as it was written in the manual, did not solve the problem. Furthermore, my client lost connection to the external interface of the FW machine (212.150.151.123).

Here is the main question: what subnet exactly must I make a static route for? (And how?)

I did try some variations of static routes but with no result.

I even installed Win2K server on the FW machine and enabled Internet connection sharing and it worked perfectly - the client browsed the Internet freely. So I guess there is some static route problem.

Another possibility is that my router drops packets from illegal IPs if there is no NAT between the router and the client with the 192.168.0.2 address. That's why it did work with W2K server, and does not work with NT4.0 Server before I install the FireWall on it.

Please help me.

Thank you in advance

Gennady.
gena

#2
|
|||
|
|||
|
You cannot route private addresses through the Internet. Internet routers are programmed to discard them because they are not unique.

You need either proxy or NAT software to enable private IPs to access the Internet. Checkpoint should do that for you when it is installed. NT4 did not include this software as standard. W2k includes ICS and RRAS/NAT for this purpose.

#3
|
|||
|
|||
|
Thank you.
But how then am I supposed to test connectivity through the future FireWall computer before I install the NAT coming with this FireWall? It was HIGHLY recommended in the manual ... Do they mean I need a client with a legal IP address for this?

"Bill Grant" <not.available@online> wrote in message news:Oe959LN$(E-Mail Removed)...
> You cannot route private addresses through the Internet. Internet routers
> are programmed to discard them because they are not unique.
>
> You need either proxy or NAT software to enable private IPs to access
> the Internet. Checkpoint should do that for you when it is installed. NT4
> did not include this software as standard. W2k includes ICS and RRAS/NAT for
> this purpose.

#4
|
|||
|
|||
|
If you really want to be sure, you will need to use a registered IP or some sort of NAT software. But surely there is some way to check it after you install the firewall software but before you enable all the filtering?

"gena" <(E-Mail Removed)> wrote in message news:utVCHMp$(E-Mail Removed)...
> Thank you.
> But how then am I supposed to test connectivity through the future FireWall computer
> before I install the NAT coming with this FireWall?
> It was HIGHLY recommended in the manual ... Do they mean I need a client with a
> legal IP address for this?

#5
|
|||
|
|||
|
Only by enabling NAT in the Firewall configuration before defining access rules, I guess. Thank you.

"Bill Grant" <not.available@online> wrote in message news:eg2Ygxy$(E-Mail Removed)...
> If you really want to be sure, you will need to use a registered IP or
> some sort of NAT software. But surely there is some way to check it after
> you install the firewall software but before you enable all the filtering?

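An added illustration, not part of the original posts: a small Python model of the lab described in this thread that traces the echo request and the echo reply separately, with and without NAT on the FW machine. It assumes the ISP router holds only its connected /29 and a default route to the ISP (the thread does not show the router's table); the node names and function names are made up for the example.

```python
import ipaddress as ip

# Constructed model of the thread's lab; all addresses are the ones quoted in the posts.
# Each table entry is (destination network, next hop); None means directly connected.
ROUTES = {
    "client": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.10")],
    "fw": [("192.168.0.0/24", None), ("212.150.151.120/29", None),
           ("0.0.0.0/0", "212.150.151.124")],
    # Assumption: the ISP router has its own /29 plus a default route to the ISP,
    # and no route for 192.168.0.0/24.
    "router": [("212.150.151.120/29", None), ("0.0.0.0/0", "ISP")],
}
OWNER = {"192.168.0.2": "client", "192.168.0.10": "fw",
         "212.150.151.123": "fw", "212.150.151.124": "router"}
LAN = ip.ip_network("192.168.0.0/24")
FW_EXT = "212.150.151.123"


def lookup(node, dst):
    """Longest-prefix match in node's table; returns the next hop (dst itself if on-link)."""
    addr = ip.ip_address(dst)
    matches = [r for r in ROUTES[node] if addr in ip.ip_network(r[0])]
    net, hop = max(matches, key=lambda r: ip.ip_network(r[0]).prefixlen)
    return hop or dst


def deliver(node, dst):
    """Forward hop by hop from node; returns the node that ends up with the packet."""
    for _ in range(8):  # hop limit, guards against routing loops
        if OWNER.get(dst) == node:
            return node
        hop = lookup(node, dst)
        if hop == "ISP":
            return "ISP"  # left the site; private destinations are discarded out there
        node = OWNER[hop]
    raise RuntimeError("routing loop")


def ping(src, dst, nat=False):
    """Simulate echo request and reply; nat=True makes the FW hide LAN sources."""
    target = OWNER[dst]
    if deliver(OWNER[src], dst) != target:
        return "request lost"
    leaves_fw = target != "fw" and ip.ip_address(dst) not in LAN
    seen_src = FW_EXT if (nat and leaves_fw) else src  # source as the target sees it
    back = deliver(target, seen_src)
    if back == "fw" and seen_src != src:
        back = deliver("fw", src)  # FW restores the private address and forwards
    return "ok" if back == OWNER[src] else f"no return path to {seen_src}"


if __name__ == "__main__":
    for dst in ("192.168.0.10", "212.150.151.123", "212.150.151.124"):
        print(dst, ping("192.168.0.2", dst), ping("192.168.0.2", dst, nat=True))
```

In this model the request always reaches 212.150.151.124; what fails is the reply, because the router sends anything addressed to 192.168.0.2 towards the ISP. That is why route changes on the FW machine alone do not help, while source NAT on the FW does.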
Tags: firewall, forwarding