MagicMan, posted November 20, 2012

Hi all

Please try to stick with me over this, it's complicated and I've inherited it. It's been driving me crazy for a few days now, so here goes (I think this is all the info).

My company has a public IP range of 194.xxx.xxx.32 - 63. We have a Checkpoint R65 with 5 interfaces as below:

LAN - 172.16.5.100 - LAN Core Switch
DMZ - 192.168.1.254 - DMZ Switch
3rd Party Site - 172.20.16.14 - Switch and then WAN out
External (here's where the fun starts!) - 194.xxx.xxx.32 - 47 --> To ISP router
No NAT DMZ - 194.xxx.xxx.49 - 55 --> To a VLAN on a switch

The last two interfaces have been subnetted as /28 and /29 respectively. We have Internet-facing services on .57 and .58 that are reachable despite not falling into any of the subnets defined on the bottom interfaces!?

Anyway, we have a need to allow a LAN server on 5.153 to talk to an environment on 172.20.1.0/24. At present, this works via a route on the Firewall from the 172.20.16.14 address via 172.20.16.3, which is connected directly via a transit network (invisible to us at Layer 3) to the 172.20.1.0/24.

I need to use the interface that this uses, so I have configured a VLAN on a (Layer-3 HP) switch (172.16.5.29) and given my server that as its default gateway. The VLAN mirrors the Firewall config in that its IP address is 172.20.16.14 with the correct gateway, and a route exists on the switch for 172.20.1.0/24 via 172.20.16.3. The switch can see a device at 172.20.1.1 (via ping) but my server can't ping out to it. All the 172 addresses are /24 networks with inter-VLAN routing on switches where appropriate.

I'm sure I've missed something simple, but I'd really like somebody objective to throw some ideas in - also, any Checkpoint people - can you suggest why the services on the .57 and .58 WAN addresses are reachable?

Thanks
sc302 (Veteran), posted November 20, 2012

It looks as if you are missing a route on your layer 3 switch. It sounds like you have multiple layer 3s there and routing on one switch isn't pointing to the other switch to enable communication. Basically switch A doesn't know that switch B has subnet X.
MagicMan (author), posted November 21, 2012

Thanks for the reply - I believe that is the case. All the switches are HP ProCurves, and the switch that has the 172.20.16.14 address (and also lives on an address on our LAN) has a route set up, but the "IP Routing" command doesn't appear in the config, so the switch is only operating at Layer 2 and thus can't route. At least, I hope that's the case! I'll find out later today when I get a chance to test.
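As an added illustration (not code from anyone in the thread), here is a small Python forwarding simulation of the topology described above, doing a longest-prefix-match lookup at every hop. It reproduces the drop when the HP switch is left at Layer 2 and, going one step beyond what the thread raises, also checks the reply path, since the third-party gateway at 172.20.16.3 needs a route back to 172.16.5.0/24 via 172.20.16.14 before the server's ping can succeed. The address 172.20.1.254 on the far side of 172.20.16.3 is an assumed stand-in for the transit network the post calls invisible at Layer 3.

```python
import ipaddress

class Node:
    """A host or switch: interface addresses, whether it forwards, and static routes."""
    def __init__(self, name, addrs, ip_routing, routes=()):
        self.name, self.ip_routing = name, ip_routing
        self.addrs = [ipaddress.ip_interface(a) for a in addrs]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]
    def owns(self, ip):
        return any(ip == a.ip for a in self.addrs)
    def lookup(self, dst):
        """Longest-prefix match over connected networks (next hop None) and static routes."""
        cands = [(a.network, None) for a in self.addrs] + self.routes
        hits = [c for c in cands if dst in c[0]]
        return max(hits, key=lambda c: c[0].prefixlen) if hits else None

def trace(nodes, src, dst):
    """Walk one packet from src to dst hop by hop; returns (path, verdict)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, path = next(n for n in nodes if n.owns(src)), []
    for _ in range(16):                                  # hop limit guards against loops
        path.append(node.name)
        if node.owns(dst):
            return path, "delivered"
        if path[1:] and not node.ip_routing:             # transit box that only switches
            return path, f"dropped: {node.name} has ip routing disabled"
        hit = node.lookup(dst)
        if hit is None:
            return path, f"dropped: {node.name} has no route to {dst}"
        nh = hit[1] if hit[1] is not None else dst       # connected: hand to dst itself
        node = next((n for n in nodes if n.owns(nh)), None)
        if node is None:
            return path, f"dropped: next hop {nh} is not on any link"
    return path, "dropped: hop limit exceeded"

def ping(ip_routing_on_switch, third_party_has_return_route):
    """Round trip 172.16.5.153 -> 172.20.1.1 and back under the chosen configuration."""
    back = [("172.16.5.0/24", "172.20.16.14")] if third_party_has_return_route else []
    nodes = [
        Node("server", ["172.16.5.153/24"], False, [("0.0.0.0/0", "172.16.5.29")]),
        Node("hp-switch", ["172.16.5.29/24", "172.20.16.14/24"], ip_routing_on_switch,
             [("172.20.1.0/24", "172.20.16.3")]),
        # 172.20.1.254 on the far side is an assumed stand-in for the transit network
        Node("third-party-gw", ["172.20.16.3/24", "172.20.1.254/24"], True, back),
        Node("target", ["172.20.1.1/24"], False, [("0.0.0.0/0", "172.20.1.254")]),
    ]
    _, verdict = trace(nodes, "172.16.5.153", "172.20.1.1")
    if verdict != "delivered":
        return verdict
    _, verdict = trace(nodes, "172.20.1.1", "172.16.5.153")
    return "ping ok" if verdict == "delivered" else "reply " + verdict
```

Running `ping(False, True)` shows the Layer 2 drop from the thread, while `ping(True, False)` shows that enabling routing on the switch alone still leaves the reply stranded at the third-party side.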