Hi
I've recently tried to install a new Firewall for my organization.
I've launched into the upgrade as the existing Firewall has had some corruptions and can no longer be managed. Existing Firewall is Checkpoint FW-1 NG on Win2K and the new Firewall is Checkpoint NGX R65 running on Win2003sp2.
After days hacking the old config files to extract the object/port info and importing this into the new version I was ready to switch over last Friday night. Did the switch over and although everything seemed to be working I had major communication issues. We have our own public class B network so I don't have to concern myself with NAT.
There are four interfaces on my Firewall: Internet, DMZ, Orglink and LAN. Each interface connects to a Cisco router except for the DMZ, which connects straight to my DMZ switch. The Firewall is also my DNS server. I found I couldn't resolve any addresses because the DNS server was not able to communicate with the upstream ISP-provided DNS servers. I couldn't ping/trace to any address on the other side of any of the routers.
When I looked at a "route print" and compared it to the old Firewall there were some differences, but it looked almost identical. There were some persistent routes I had set up.
Setup looks like this:

Firewall Interface Int (160.65.13.202) --> Internet Router (160.65.13.201) --> internet

Firewall Interface DMZ (160.65.12.202) --> DMZ Switch (no IP) --> DMZ (160.65.12.0/24)

Firewall Interface LAN (160.65.12.202) --> LAN Choke Router (160.65.12.201) --> LAN Switch (160.65.1.0/22)

Firewall Interface Orglink (160.65.11.202) --> Orglink Router (160.65.11.201) --> Orglink Network (various networks, persistent routes)


Anything that I tried to ping from the Firewall on the 160.65.1.0/22 network resulted in a "destination network unreachable" message. Similar for internet and Orglink addresses. DMZ addresses responded to ping requests. I eventually did a "route add" for every line that was displayed in the "route print" command on the old firewall and everything started to work, but this is less than desirable. I've never had to do this kind of route addition on the old Firewall, so can anyone tell me what is wrong/changed for routing on 2003?

Mark

This baffles me.

It's like it locked down all the separate segments to protect the DMZ addresses.
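Comparing the two route tables programmatically is one way to see exactly which entries went missing, instead of re-adding every "route print" line by hand. This is an added example, not code from the post: it parses two constructed "route print" excerpts (assumed to follow the Windows Active Routes layout, with addresses modelled on the interfaces listed above), reports routes present on the old firewall but absent on the new one as "route -p add" commands, and checks that each route's gateway lies on a subnet the new box is directly connected to, since a static route whose gateway is not on a connected subnet is rejected.

```python
import ipaddress
import re

# Constructed sample "Active Routes" sections (not captures from the poster's
# firewalls). Old table carries the LAN and one Orglink route; new table lacks them.
OLD_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    160.65.13.201   160.65.13.202      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
       160.65.1.0    255.255.252.0    160.65.12.201   160.65.12.202      1
      160.65.11.0    255.255.255.0    160.65.11.202   160.65.11.202      1
      160.65.12.0    255.255.255.0    160.65.12.202   160.65.12.202      1
      160.65.13.0    255.255.255.0    160.65.13.202   160.65.13.202      1
      160.65.40.0    255.255.255.0    160.65.11.201   160.65.11.202      1
Default Gateway:     160.65.13.201
"""
NEW_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    160.65.13.201   160.65.13.202     10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      160.65.11.0    255.255.255.0    160.65.11.202   160.65.11.202     10
      160.65.12.0    255.255.255.0    160.65.12.202   160.65.12.202     10
      160.65.13.0    255.255.255.0    160.65.13.202   160.65.13.202     10
Default Gateway:     160.65.13.201
"""

# A data row is five columns: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return {(destination, netmask, gateway): interface} for every data row."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, _metric = m.groups()
        try:
            for field in (dest, mask, gw, iface):
                ipaddress.ip_address(field)
        except ValueError:
            continue  # header or other non-route text
        routes[(dest, mask, gw)] = iface
    return routes

def connected_subnets(routes):
    """Directly connected subnets: rows whose gateway is the interface itself."""
    return [ipaddress.ip_network(f"{d}/{m}") for (d, m, gw), iface in routes.items() if gw == iface]

def missing_routes(old_text, new_text):
    """Routes in the old table but not the new, as (route command, gateway reachable)."""
    old, new = parse_routes(old_text), parse_routes(new_text)
    subnets = connected_subnets(new)
    result = []
    for (dest, mask, gw), iface in old.items():
        if gw == iface or (dest, mask, gw) in new:
            continue  # auto-generated on-link route, or already present
        reachable = any(ipaddress.ip_address(gw) in s for s in subnets)
        result.append((f"route -p add {dest} mask {mask} {gw}", reachable))
    return result
```

Run it with the real "route print" output of each box saved to a file; any entry flagged as not reachable points at an interface whose address or mask differs between the two firewalls rather than a missing static route.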
