Checkpoint Static Route

Greetings, I am trying to set up a static route on a Checkpoint firewall NG R55.

Scenario:
  Internal LAN: 172.16.0.0/21
  fw (def gateway): 172.16.2.1
  rtr to new off: 172.16.7.254
  rtr AT new off: 172.18.7.254
  new office LAN: 172.18.0.0/21

I have added the static route in the Nokia Voyager of the firewall.

Within Checkpoint I have created a network 172.18.0.0/21 and created a rule to allow all traffic bi-directional between 172.16.0.0/21 and 172.18.0.0/21.

At a workstation on the 172.16 LAN I try to ping 172.18.7.254 (router on the 172.18 LAN)

The packets are dropped by the firewall with a message in the FW log "Address Spoofing"

If I set the static route on the local workstation everything is fine as it bypasses the firewall.

Any ideas as to what else I need to do?

Thanks much!

-fitz

bfitzwater

From your description, I assume your topology is like the drawing below:

  172.16.0.0                     172.18.0.0
  WAN -- Firewall --------------- router ----------- New Office

The rule for traffic between 172.16.0.0/21 and 172.18.0.0/21 is not necessary and you can delete it. You got the "Address Spoofing" because you didn't let Checkpoint know how many subnets are behind the firewall. Create a network group and add 172.16.0.0/21 and 172.18.0.0/21 to that group. At the properties of the internal interface, define that network group as the specific networks behind that interface. Good luck.

Dophi
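To see why the interface topology matters, here is a small model of the anti-spoofing check Dophi describes. It is an added example, not Check Point's code or anything from the thread, and it assumes that the firewall compares the source of inbound packets and the destination of outbound packets against the networks configured "behind" the interface; the workstation address 172.16.0.50 is a constructed sample.

```python
import ipaddress

# Constructed topology modelled on the thread: the internal interface as it was
# first configured, and the same interface after adding the network group that
# contains both subnets (simplified model, not Check Point's implementation).
INTERNAL_TOPOLOGY_BEFORE = ["172.16.0.0/21"]
INTERNAL_TOPOLOGY_AFTER = ["172.16.0.0/21", "172.18.0.0/21"]


def anti_spoof(address, topology):
    """Return 'accept' if the address lies in one of the interface's networks,
    otherwise the log message the firewall produces."""
    ip = ipaddress.ip_address(address)
    if any(ip in ipaddress.ip_network(cidr) for cidr in topology):
        return "accept"
    return "drop: Address Spoofing"


def trace_ping(src, dst, topology):
    """Model an echo request that enters the internal interface from the LAN and,
    because 172.18.0.0/21 is routed via 172.16.7.254, leaves by the same interface.

    Inbound the source is checked, outbound the destination; processing stops at
    the first drop. Returns a list of (direction, address, verdict)."""
    results = []
    for direction, addr in (("inbound", src), ("outbound", dst)):
        verdict = anti_spoof(addr, topology)
        results.append((direction, addr, verdict))
        if verdict != "accept":
            break
    return results


if __name__ == "__main__":
    for label, topo in (("before", INTERNAL_TOPOLOGY_BEFORE),
                        ("after", INTERNAL_TOPOLOGY_AFTER)):
        print(label, topo)
        for step in trace_ping("172.16.0.50", "172.18.7.254", topo):
            print("  ", *step)
```

With only 172.16.0.0/21 behind the interface the request is accepted inbound but dropped outbound as "Address Spoofing"; once the group with both subnets is the interface topology, both checks pass.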

Dophi, Thanks very much for the tip. Tried that and it did not help. Any other ideas to my dilemma are most welcome.

-fitz

bfitzwater

If there is only one default gateway for your clients in 172.16.0.0/21 and no other routes on the clients, the data flow of ICMP from client A in 172.16.0.0/21 to client B in 172.18.0.0/21 should be "client A --> firewall --> router --> client B". Then the data flow of client B's ICMP response should be "client B --> router --> client A".

So, you need two more steps as below:

  1. Add a rule to accept bi-directional traffic between 172.16.0.0/21 and 172.18.0.0/21.
  2. At the Stateful Inspection section of Global Properties, uncheck "Drop out of state TCP, UDP, ICMP packets".

I hope this can help you. : )

Dophi

Dophi, Thanks very much, did all that and no joy. I can almost feel the packets trying so hard to go where I want them to go despite my lack of knowledge. I think the best thing for me is to just change the default gateway for all the workstations and servers to the Router. Then let the router handle things from there. I'm starting to do that now and it is working fine...just have to configure the default gateway on 56 servers and try not to break anything in the process. thanks again.

-fitz

bfitzwater
