1.  If you get addresses with a /30, you do NOT have extra addresses (/30
gives you 4, one for the broadcast, one for the network, one for the router,
one for the firewall).
2.  This duplicate address problem is why the Cisco PIX has an 'alias'
command.
3.  You really should look at using DHCP and a private address space for
your internal network. 
4.  Splitting your Class C by using a /30 mask is an interesting option. 

194.217.66.252/30 for the external network 
194.217.66.253 for the router
194.217.66.254 for the outside NIC on the firewall
194.217.66.255 for the external broadcast
194.217.66.0 for the internal network
194.217.66.1 for the internal NIC on the firewall
194.217.66.?? for the internal 

Not sure if the routing would work right... but it might be fun to try...
You might have to specify multiple addresses on the inside... hm.. 

or how about this. 
router - tiny network - firewall - tiny network - second router - internal
network 
You could probably do that and full some NAT on the inside router to fix all
your worries, but that sure complicates things... see suggestion 2.  It's
honestly the best solution, IMHO.

my .02


-----Original Message-----
From: Matthew G. Harrigan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 03, 1999 2:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Same Class C both sides of a Firewall? (Newbie question)


Get your ISP to assign you a small usable, routable address space (/29 or /30),
and give the outside interface of the firewall an address out of that pool, while
establishing default routes in the firewall back to the router. This will also leave you
with potential address space for a dmz (thinking ahead if you don't already have one).

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 03, 1999 4:25 AM
Subject: Same Class C both sides of a Firewall? (Newbie question)


> I am trying to replace a Guardian Firewall with Checkpoint Firewall 1 (v4).  The
> router's IP address is 194.217.66.1, as is the internal network card on the
> firewall.  Guardian sets up a Virtual adapter to allow this to happen.
> Unfortunately, Firewall-1 doesn't work the same way and I'm now banging my head
> on the wall trying to work this out.  The only alternative is to assign a
> private Class C internally but as all addresses are currently static this would
> mean updating a couple of hundred workstations.
>
> The Guardian Firewall's ARP ini file looks like this:
>
> [Common]
> Virt_Router_IP_Address=192.168.1.2  (adapter's default gateway IP)
> Real_Router_IP_Address=194.217.66.1  (router's IP Address)
> GuardianIPAddress=194.217.66.244  (adapter's virtual IP)
> DefaultARP=NO
>
> What it physically looks like is:
>
> Cisco Router (194.217.66.1) > FW External NIC (192.168.1.2) > FW Internal NIC
> (194.217.66.1)
>
> Can this be done?
>
> Mick
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
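
The /30 split proposed at the top of this thread, worked through with Python's `ipaddress` module. This is an added example, not part of any poster's message; the workstation address 194.217.66.10 and the function names are constructed for illustration. It lists what is left of the Class C for the inside once 194.217.66.252/30 is carved out, and shows that a workstation keeping its /24 mask still treats the outside addresses as on-link, so it would ARP for them instead of sending the packet to the firewall.

```python
import ipaddress

# Addresses from the thread; function names are illustrative.
BLOCK = ipaddress.ip_network("194.217.66.0/24")
OUTSIDE = ipaddress.ip_network("194.217.66.252/30")
# Constructed workstation address, once with its current mask and once with
# the mask of the largest inside range left after the split.
WS_OLD = ipaddress.ip_interface("194.217.66.10/24")
WS_NEW = ipaddress.ip_interface("194.217.66.10/25")


def outside_plan(net):
    """Network address, usable host addresses and broadcast of a subnet."""
    return net.network_address, list(net.hosts()), net.broadcast_address


def inside_ranges(block, carved):
    """Subnets of block still available once carved is taken out."""
    return sorted(block.address_exclude(carved))


def on_link(iface, target):
    """True if a host configured as iface sends to target directly (ARP)
    instead of handing the packet to its default gateway."""
    return ipaddress.ip_address(target) in iface.network


def report():
    net, hosts, bcast = outside_plan(OUTSIDE)
    lines = [f"outside {OUTSIDE}: network {net}, hosts "
             f"{', '.join(map(str, hosts))}, broadcast {bcast}"]
    for r in inside_ranges(BLOCK, OUTSIDE):
        lines.append(f"inside candidate {r} ({r.num_addresses} addresses)")
    for ws in (WS_OLD, WS_NEW):
        for target in hosts:
            how = "ARPs directly" if on_link(ws, target) else "uses gateway"
            lines.append(f"{ws} -> {target}: {how}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```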