My company currently has an older Checkpoint firewall that is servicing our current ISP. We are transitioning to a new ISP and at the same time changing over to a Sophos UTM.
I wanted to be able to test my firewall and NAT rules prior to changing our DNS records with our domain registrar. I had the idea that we should be able to just enter the new ISP's IP address for a particular service that I have NATed (Outlook Web Access, for example) into a browser attached to a third ISP (i.e. a laptop connected to a Verizon MiFi card), and this should allow me to confirm that my Sophos rules are working and that I can access Outlook Web Access using the new ISP via the Sophos.
This was not working. I could see in the Firewall live log that the SYN request was coming in, but no connection was ever made to the outlook web service.
Then it hit me that what's probably happening is this: the SYN request comes in fine via the new ISP and the Sophos, but when the packet reaches my Outlook web server, the SYN-ACK is sent back via our LAN's default route, which takes that packet back out via the Checkpoint, which probably drops it.
Can someone let me know if my reasoning is correct as to what may be happening?
Also, given two firewalls and two ISPs, is there any way to test this without temporarily changing our LAN's default route to point to the Sophos?
Thanks for any thoughts.
Andy
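The following is an added example, not part of Andy's post or of any Sophos or Checkpoint tooling. It models the return-path problem the post describes: the server picks the next hop for its SYN-ACK by longest-prefix match on its own routing table, so a reply to an external client address follows the LAN default route to the old firewall, which never saw the SYN and drops it. The same model also shows two ways to make the test path symmetric without touching the LAN default route: source NAT on the Sophos DNAT rule (so the server replies to the Sophos inside address), or a host route on the server for the test laptop's address pointing at the Sophos. All addresses are constructed placeholders.

```python
import ipaddress

# Constructed addresses for illustration only (not from the post).
CHECKPOINT_INSIDE = "192.168.10.1"   # old firewall, the LAN default gateway
SOPHOS_INSIDE = "192.168.10.2"       # new firewall on the same LAN
OWA_SERVER = "192.168.10.25"         # DNAT target for Outlook Web Access
TEST_CLIENT = "198.51.100.7"         # laptop on a third ISP (documentation range)

# The OWA server's routing table as (prefix, next_hop); None means on-link.
SERVER_ROUTES = [
    ("192.168.10.0/24", None),
    ("0.0.0.0/0", CHECKPOINT_INSIDE),
]


def next_hop(routes, dst):
    """Longest-prefix match. Returns the gateway address, or the destination
    itself when the matching route is directly connected."""
    best = None
    dst_ip = ipaddress.ip_address(dst)
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError("no route to %s" % dst)
    return best[1] if best[1] is not None else dst


def inbound_syn(ingress_fw, client, snat=False):
    """The firewall DNATs the SYN to the OWA server. With snat=True it also
    rewrites the source to its own inside address (full NAT / masquerade)."""
    return {"src": ingress_fw if snat else client, "dst": OWA_SERVER, "via": ingress_fw}


def handshake_completes(ingress_fw, client, snat=False, routes=SERVER_ROUTES):
    """True when the server's SYN-ACK leaves via the firewall that forwarded
    the SYN. A stateful firewall that never saw the SYN has no session for the
    flow and discards the reply, so the handshake never completes."""
    syn = inbound_syn(ingress_fw, client, snat)
    reply_hop = next_hop(routes, syn["src"])   # server replies to the source it saw
    return reply_hop == syn["via"]


if __name__ == "__main__":
    # Plain DNAT through the Sophos: reply follows the default route to Checkpoint.
    print("DNAT only      :", handshake_completes(SOPHOS_INSIDE, TEST_CLIENT))
    # Fix 1: SNAT on the Sophos rule, server replies to the Sophos inside address.
    print("DNAT + SNAT    :", handshake_completes(SOPHOS_INSIDE, TEST_CLIENT, snat=True))
    # Fix 2: host route on the server for the test laptop only.
    host_route = SERVER_ROUTES + [(TEST_CLIENT + "/32", SOPHOS_INSIDE)]
    print("host route     :", handshake_completes(SOPHOS_INSIDE, TEST_CLIENT, routes=host_route))
    # Existing path through the Checkpoint still works unchanged.
    print("via Checkpoint :", handshake_completes(CHECKPOINT_INSIDE, TEST_CLIENT))
```

The SNAT variant hides the real client address from the web server's logs, which is the usual trade-off when it is used as a permanent fix rather than a test-only setting; the host-route variant keeps the client address intact but only covers the addresses you add, which is exactly what a pre-cutover test needs.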