adding new ip range to fw-1

Hi,

We have just been given an additional ip address range from our ISP due to reaching capacity on our existing range. Having just assigned one of these new ip addresses to an internal host I am unable to connect from the outside world. If I assign one of the existing ip addresses to the host I can connect with no problems.

Do I have to configure something in FW-1 to get it to recognise and accept packets destined for this new network?

The new range is of the same class but a different sub network. I have attempted to add the range to the FW cluster object in the topology and also assigned an ip address to the nokia ip380 ipso 3.8.

.... but no luck as yet trying to establish an external connection.

When I try to tracert to one of the new addresses it seems to stop short at a router in the ISP. Perhaps they haven't configured the new range to route through our existing router(?).

Can someone kindly guide me please?

Many thanks,

Joe

Joey D

ah...ya! Remember you are ADDING another subnet. You MUST configure your equipment, firewall rules and routing to accomplish this....

No idea what you are talking about. Sounds like you added the subnet to the firewall? How? Did you add the subnet to a new DMZ interface? Did you try to supernet the subnets together (contiguous range?). Please specify. Don't forget you also have to modify your firewall rules too!

It is possible or you have not configured your routing or firewall rules correctly. I really need more information...

Send more information....

Michael

Michael Pelletier

-- The new range is purely so that we can map internal hosts with external public ip addresses.

-- My first problem was that the internet facing router had not been configured by our ISP. This has been done now and I can ping it. My firewall is a nokia ip with ng ai r55 (dual fw in ha - vrrp). I also manually configured both firewalls (via ipso) with the next 2 ip addresses in the new range (the first being that of the external router). I'm presuming this is standard practice but HAVE NOT configured any routes - should I be? The FWs are obviously defined as a cluster object in FW-1. I configured each of the FW objects with a new interface in the topology (externally facing) with their respective ip address (as defined in ipso) - these interfaces are configured as non-clustered. Finally I created a network object for the new range.

-- The new range is not contiguous with the current. I have simply created a network object and defined it there. I can't see what other options I have here.

I am able to tracert to any of the new addresses now within my network but externally everything stops at the external router interface. If I change one of the nat rules to use an existing ip address I can get through and it works as expected. I've gone through every setting trying to compare the differences to our existing range/config with the new but am having no luck! Could it be a routing issue?

Many thanks for any help.

Joe


Update: I've been on the phone with my isp and ran through some tests. The router is working fine. Therefore it is a firewall issue.

Joe

