Post Info TOPIC: Secureplatform NG-AI R55 and DHCP relay





All,


I need your help on the following situation:


Network A: 172.18.1.0/24 (firewall ip is 172.18.1.254)


Network B: 172.17.1.0/24 (firewall ip is 172.17.1.254)


Network C: 172.16.1.0/24 (firewall ip is 172.16.1.254)


I have three networks separated by a Checkpoint Secureplatform Enforcement Module running NG-AI R55 with HFA 04. Networks A, B and C are on eth1, eth2 and eth3 of the Enforcement Module, respectively. Machines on Network A are assigned "static" IPs while machines on Network B and Network C use dynamic IP (aka DHCP).


I have a Linux DHCP server running on Network A, serving dynamic IP addresses for Network B and Network C. I followed the Checkpoint document by doing the following:


1) create a host object 0.0.0.0,


2) create a host object 255.255.255.255


3) create network objects 172.16.1.0/24, 172.17.1.0/24 and 172.18.1.0/24

4) create group objects NetworkA, NetworkB and NetworkC. In each of the group objects, I include the appropriate network and the host 0.0.0.0 and 255.255.255 objects,


5) under the interface "topology" tab, I define the anti-spoofing appropriately with the above "group-object" for the appropriate interfaces,


6) create a rule as follows: source = any, destination = any, permit = boot, dhcp-req-module, dhcp-rep-module, action=permit,


7) push the policy,


In the log, I can see that the firewall is accepting bootp (udp port 67) but machines on Network B and Network C cannot get an IP from the Linux DHCP server on Network A.

Now, before you guys tell me that there must be something wrong with my Linux DHCP server, let me just say that if I take out the Checkpoint Secureplatform and replace it with a Cisco PIX firewall, it works fine. The PIX firewall can act as a DHCP relay via the command "dhcprelay enable xxxx".


My question is this: do I need to enable dhcprelay on the Secureplatform Enforcement module in order for what I need to accomplish to work? When I do a "rpm -qa | grep dhcp" on the Secureplatform enforcement module, I do see a dhcp package. Or, to put it simply, how can I make machines on Network B and Network C get IPs from the DHCP server which resides on Network A? Furthermore, do I need to set up dhcp "relay" on the Secureplatform box? If so, how?


Thanks guys.

__________________



Hi CCse, sorry but I don't know your name,

On secure-plat, go into expert mode and type sysconfig->8(dhcp_relay), and choose your config.

I've never used it, so if you want I can test it.


ciao


Raoul Ferro



__________________
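One way to check whether the relay discussed in this thread is actually forwarding, added here as an example (not code from either poster or from Check Point): a DHCP message that has passed through a relay carries the relay's interface address in the `giaddr` field (RFC 2131), so a UDP port 67 payload captured at the DHCP server can be classified by that field. The firewall addresses are the ones given in the first post; the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Firewall interface addresses on the DHCP client networks, taken from the first post.
RELAY_INTERFACES = {
    ipaddress.ip_address("172.17.1.254"): "Network B",
    ipaddress.ip_address("172.16.1.254"): "Network C",
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes):
    """Return (giaddr, message type) from the payload of a UDP/67 datagram."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = ipaddress.ip_address(payload[24:28])    # relay agent address field
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                    # truncated option header
            break
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]                # option 53 = DHCP message type
        i += 2 + length
    return giaddr, MSG_TYPES.get(msg_type, "UNKNOWN")

def classify(payload: bytes):
    """Say whether a message seen at the server came through an expected relay."""
    giaddr, kind = parse_dhcp(payload)
    if giaddr.is_unspecified:                        # 0.0.0.0: no relay handled it
        return kind, "not relayed"
    return kind, RELAY_INTERFACES.get(giaddr, "unknown relay")

def build_sample(giaddr: str, msg_type: int = 1) -> bytes:
    """Constructed DHCP request for the demo (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x1234ABCD, 0, 0x8000)
    addrs = bytes(12) + ipaddress.ip_address(giaddr).packed  # ciaddr, yiaddr, siaddr, giaddr
    chaddr = bytes.fromhex("020000000001") + bytes(10)
    return (hdr + addrs + chaddr + bytes(64 + 128) + MAGIC_COOKIE
            + bytes([53, 1, msg_type, 255]))

if __name__ == "__main__":
    for addr in ("172.17.1.254", "172.16.1.254", "0.0.0.0", "10.9.9.9"):
        print(addr, classify(build_sample(addr)))
```
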