Please try to stick with me over this, it's complicated and I've inherited it. It's been driving me crazy for a few days now, so here goes (I think this is all the info).
My company has a public IP range of 194.xxx.xxx.32 - 63
We have a Checkpoint R65 with 5 interfaces as below
LAN - 172.16.5.100 - LAN Core Switch
DMZ - 192.168.1.254 - DMZ Switch
3rd Party Site - 172.20.16.14 - Switch and then WAN out
External (Here's where the fun starts!) - 194.xxx.xxx.32 - 47 --> To ISP router
No NAT DMZ - 194.xxx.xxx.49 - 55 --> To a VLAN on a switch.
The last two interfaces have been subnetted as /28 and /29 respectively
We have Internet facing services on .57 and .58 that are reachable despite not falling into any of the subnets defined on the bottom interfaces!?
Anyway, we have a need to allow a LAN server on 5.153 to talk to an environment on 172.20.1.0/24. At present, this works via a route on the Firewall from the 172.20.16.14 address via 172.20.16.3, which is connected directly via a transit network (invisible to us @ Layer 3) to the 172.20.1.0/24.
I need to use the interface that this uses so I have configured a VLAN on a (Layer-3 HP) switch (172.16.5.29) and given my server that as its default gateway. The VLAN mirrors the Firewall config in that its IP address is 172.20.16.14 with the correct gateway and a route exists on the switch for 172.20.1.0/24 via 172.20.16.3. The switch can see a device at 172.20.1.1 (via ping) but my server can't ping out to it.
All the 172 addresses are /24 networks with Inter VLAN routing on switches where appropriate.
I'm sure I've missed something simple but I'd really like somebody objective to throw some ideas in - also, any Checkpoint people - can you suggest why the services on the .57 and .58 WAN addresses are reachable?
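As an added worked example (not part of the post above), the following script checks which addresses of the public allocation are directly covered by the two public-facing interface subnets and which are not. It uses the documentation range 203.0.113.32/27 as a placeholder for the poster's 194.xxx.xxx.32-63; the interface subnets, names and the .57/.58 hosts mirror the post.

```python
import ipaddress

# Placeholder for the company's 194.xxx.xxx.32-63 allocation (constructed;
# 203.0.113.0/24 is a documentation range that never routes on the Internet).
PUBLIC_ALLOCATION = ipaddress.ip_network("203.0.113.32/27")

# The two firewall interfaces carrying public addresses, as described in the
# post: a /28 towards the ISP router and a /29 for the "No NAT DMZ" VLAN.
INTERFACE_SUBNETS = {
    "External": ipaddress.ip_network("203.0.113.32/28"),   # .32 - .47
    "NoNAT-DMZ": ipaddress.ip_network("203.0.113.48/29"),  # .48 - .55
}


def interface_for(host):
    """Return the name of the interface whose subnet contains host, or None."""
    addr = ipaddress.ip_address(host)
    for name, net in INTERFACE_SUBNETS.items():
        if addr in net:
            return name
    return None


def uncovered_addresses():
    """Usable addresses in the allocation that no interface subnet accounts for.

    A service answering on one of these cannot be reached through a directly
    connected interface, so the firewall must be handling it some other way
    (a static NAT rule with proxy ARP, or an ISP-side route pointing at the
    external interface). These are the addresses to audit first.
    """
    return [
        str(addr) for addr in PUBLIC_ALLOCATION.hosts()
        if interface_for(str(addr)) is None
    ]


if __name__ == "__main__":
    for host in ("203.0.113.57", "203.0.113.58"):
        print(host, "->", interface_for(host) or "no directly connected subnet")
    print("not covered by any interface:", uncovered_addresses())
```

Run it against your real allocation by swapping the placeholder networks; every address it lists that still answers from the Internet should have a matching NAT or proxy-ARP entry you can point to in the firewall policy.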