I seem to be in NAT hell. This rambles to a question about the
objects.C file record toward the bottom; the rest of this is
rationale/history.
I've got a largish network, a routable Class B address space, that has
been happily using a single firewall with a management station, both
running on Solaris.
We've brought up a second internet feed (serviced by a different ISP
from the original link), and a second firewall to be managed by the same
management station. We've passed the hurdles of BGP, etc. without too much
pain.
The idea is to NAT all outbound addresses at each gate to a specific
address range that is a subsection of our Class B, and specific (and
unique) to the primary route of the link it is being sent out (e.g. so
packets leaving a specific link return there).
Additionally, since this network grew up as a single-homed network,
there is no rigorous "plan" on IP address allocation. Re-IPing some
4000 nodes to logical separation is out of the question.
There are two distinct "areas" of our LAN, so the obvious split is to
redirect the default route (zero route) of the primary router for each
area to its adjacent firewall. As the subnet addressing can appear
in both areas, the issue is that there are nodes from the same subnets
that could appear on each firewall, to be NATed to differing addresses
depending on which router/firewall they are pointed at.
Add to this that there are address blocks that are not in use, and
should not be accepted/routed/NATed by the firewalls.
(sigh)
By default, if you NAT a sub-network to hide behind an address, it will
be propagated to all firewalls. Now, since my firewalls and management
station run the OpenLook GUI, the "features" of "install on gateway"
aren't readily accessible via the GUI, and since there are some 150
distinct network (net) objects that need two definitions (actually
the numbers that overlap are fewer, but the possibilities
could extend to 30-50% of them), walking through the Windows GUI and
setting each of these by hand is tedious, to say the least.
Now the question: (hey, he finally got around to it!)
I would like to build a script (or scripts) to build the network records for
each gateway, without having to build an xlate.conf file (as that looks
worse than trying to set these up by hand). I've got scripts that will
build a network object, so adding fields is trivial.
Modifying a given network with the Windows GUI to "install on gateway"
seems to add the following to that record:
    :the_firewalling_obj (
        :type (refobj)
        :refname ("#_gateway-name")
    )
(where gateway-name is a specific firewall). Using the OpenLook GUI on
this record later does not seem to change it.
Does anyone know if this is all that is needed to make a network
record specific to a given gateway?
I'm not averse (well, not totally) to using the Windows GUI in the
future, as the OL GUI seems to be all but abandoned by CheckPoint, bugs
and all (and fwiw the Windows GUI is faster)... but I'm not where I
can use it currently for ongoing work, nor do I really want to do all
this crap by hand.
Anyone been down this road? Want to share the pothole map?
thanks,
fj..
--
"The days are just packed!" Calvin & Hobbes
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
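An added example (not from the original post or from Check Point) of the kind of generator the poster describes: it takes a constructed list of network objects tagged with the gateway whose router is their default route, finds the subnets that appear behind both gateways, drops anything inside an unused block, and emits one objects.C-style record per (subnet, gateway) pair with the `:the_firewalling_obj` / `:type (refobj)` / `:refname ("#_gw")` block the Windows GUI was observed to write. Only those three lines come from the post; the other field names (`:type (network)`, `:ipaddr`, `:netmask`, the `:NAT` block with `:netobj_adtr_method (adtr_hide)` and `:valid_ipaddr`), the gateway names and the hide addresses are assumptions and should be diffed against a record your own GUI wrote before trusting the output. Whether the refobj block alone is sufficient is exactly the open question in the post; the script does not answer it.

```python
"""Generate per-gateway network records in objects.C syntax.

Added example, not code from the original post. Field names other than
:the_firewalling_obj / :type (refobj) / :refname are ASSUMED and must be
checked against a record written by the real GUI.
"""
import ipaddress
from collections import defaultdict

# Constructed sample input: (object name, subnet, gateway it sits behind).
# Gateway and object names are hypothetical.
NETS = [
    ("net_eng_a",   "10.1.0.0/24", "gw_a"),
    ("net_eng_b",   "10.1.0.0/24", "gw_b"),   # same subnet seen in both areas
    ("net_sales",   "10.2.0.0/24", "gw_a"),
    ("net_old_lab", "10.9.5.0/24", "gw_b"),   # lies inside an unused block
]
# Hide address per gateway, unique to each link so replies return the same way
# (documentation ranges here; the post uses a slice of its own Class B).
HIDE = {"gw_a": "192.0.2.10", "gw_b": "198.51.100.10"}
# Address blocks that must not be routed or NATed at all.
UNUSED = [ipaddress.ip_network("10.9.0.0/16")]


def in_unused(cidr, unused=UNUSED):
    """True if the subnet lies inside any block marked as unused."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(u) for u in unused)


def overlapping(nets=NETS):
    """Subnets that appear behind more than one gateway and so need one record per gateway."""
    seen = defaultdict(set)
    for _, cidr, gw in nets:
        seen[ipaddress.ip_network(cidr)].add(gw)
    return {str(n) for n, gws in seen.items() if len(gws) > 1}


def record(name, cidr, gw, hide=HIDE):
    """One objects.C network record pinned to a single gateway (NAT/network field names assumed)."""
    net = ipaddress.ip_network(cidr)
    return "\n".join([
        f"\t: ({name}",
        "\t\t:type (network)",
        f"\t\t:ipaddr ({net.network_address})",
        f"\t\t:netmask ({net.netmask})",
        "\t\t:NAT (",
        "\t\t\t:netobj_adtr_method (adtr_hide)",
        f"\t\t\t:valid_ipaddr ({hide[gw]})",
        "\t\t)",
        "\t\t:the_firewalling_obj (",        # these three lines are what the post reports
        "\t\t\t:type (refobj)",
        f'\t\t\t:refname ("#_{gw}")',
        "\t\t)",
        "\t)",
    ])


def build(nets=NETS, unused=UNUSED):
    """Return (records, skipped): records for live subnets, names of objects dropped as unused."""
    records, skipped = [], []
    for name, cidr, gw in nets:
        if in_unused(cidr, unused):
            skipped.append(name)
            continue
        records.append(record(name, cidr, gw))
    return records, skipped


def check_balanced(text):
    """Parentheses must balance; an unbalanced objects.C is the easiest way to break a load."""
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    recs, skipped = build()
    print("subnets behind both gateways:", sorted(overlapping()))
    print("skipped (unused block):", skipped)
    print("\n".join(recs))
```

Run it against a copy of objects.C, never the live one: splice the emitted records in, run `check_balanced` over the whole file, then load the result with the GUI and confirm it still shows the gateway pinning before installing the policy.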