<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: BGP address used on partner network in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227898#M43820</link>
    <description>&lt;P&gt;There is a feature that we call NAT pools that will help with this if I understand your requirements.&lt;/P&gt;
&lt;P&gt;The remainder is standard BGP and NAT config, please review the above and advise which part if any you are stuck with from there?&lt;/P&gt;
&lt;P&gt;&lt;A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/NAT-Pools.htm" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/NAT-Pools.htm&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 25 Sep 2024 13:19:32 GMT</pubDate>
    <dc:creator>Chris_Atkinson</dc:creator>
    <dc:date>2024-09-25T13:19:32Z</dc:date>
    <item>
      <title>BGP address used on partner network</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227893#M43819</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;We have a question about BGP and the (Hide NAT?) address we are using when we access the network behind the BGP routers of the partner.&lt;/P&gt;&lt;P&gt;We have a BGP configuration. We have Datacenter A and Datacenter B. In Datacenter A we have one Check Point cluster node. In Datacenter B we have one Check Point cluster node. In both datacenters we have a BGP router from an external partner. Two Check Point interfaces and two BGP peer interfaces are in the same VLAN. The VLANs are all transported over the sitelink interconnect. The two Check Point interfaces used for the BGP have a cluster address. This address is used in a hide NAT rule, so we access the partner network with this address.&lt;/P&gt;&lt;P&gt;The partner wants us to use a different address than the cluster address and an address that is not directly attached to the cluster. We are ordered not to use any address that is used to set up the BGP sessions. We need to advertise this address to the partner so BGP knows where the traffic needs to be delivered. Can someone please have a look at the Visio? We don't know how we can use the given network address to access the partner's network. Normally we use the cluster address for this, but as we have now learned, BGP needs a different configuration.
I hope someone can help us out.&lt;/P&gt;&lt;P&gt;I now notice that the question could be made clearer by adding this comment.&lt;/P&gt;&lt;P&gt;What we want to achieve is that we use 10.20.50.14/31 as the source when we access the partner network behind the BGP.&lt;/P&gt;&lt;P&gt;We want to advertise 10.20.50.14/31 to the partner so that it knows this route leads to our environment.&lt;/P&gt;&lt;P&gt;We are now using 10.20.30.51 in a hide NAT rule. This is working, but not desired because it can break the BGP. How it's done now works because the routers are on the same subnet and use ARP and not the BGP route I advertise...&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 12:56:52 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227893#M43819</guid>
      <dc:creator>Lars_de_Mooy</dc:creator>
      <dc:date>2024-09-25T12:56:52Z</dc:date>
    </item>
    <item>
      <title>Re: BGP address used on partner network</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227898#M43820</link>
      <description>&lt;P&gt;There is a feature that we call NAT pools that will help with this if I understand your requirements.&lt;/P&gt;
&lt;P&gt;The remainder is standard BGP and NAT config, please review the above and advise which part if any you are stuck with from there?&lt;/P&gt;
&lt;P&gt;&lt;A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/NAT-Pools.htm" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/NAT-Pools.htm&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 13:19:32 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227898#M43820</guid>
      <dc:creator>Chris_Atkinson</dc:creator>
      <dc:date>2024-09-25T13:19:32Z</dc:date>
    </item>
    <item>
      <title>Re: BGP address used on partner network</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227907#M43823</link>
      <description>&lt;P&gt;Hi Chris, thanks, I think this could be what I need.&lt;/P&gt;&lt;P&gt;Can you please advise on what to do next? I assume I need to do this on both members:&lt;/P&gt;&lt;P&gt;Create the NAT pool 10.20.50.14/31 on both members.&lt;/P&gt;&lt;P&gt;Then Advanced Routing -&amp;gt; Route Redistribution -&amp;gt; add redistribution from "nat pool", in the "to protocol" field "BGP AS AS4200030961"&lt;/P&gt;&lt;P&gt;and then Advanced Routing -&amp;gt; Route Redistribution -&amp;gt; add redistribution from "nat pool", in the "to protocol" field "BGP AS AS4200030962"&lt;/P&gt;&lt;P&gt;Is this how I advertise my NAT pool to the BGP peers?&lt;/P&gt;&lt;P&gt;I don't understand how the traffic from the partner knows what to do with the traffic sent to the NAT pool.&lt;/P&gt;&lt;P&gt;This traffic is not part of any of the interfaces?&lt;/P&gt;&lt;P&gt;Do I still need a hide NAT rule to hide my outbound traffic behind the NAT pool address?&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 13:48:26 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227907#M43823</guid>
      <dc:creator>Lars_de_Mooy</dc:creator>
      <dc:date>2024-09-25T13:48:26Z</dc:date>
    </item>
    <item>
      <title>Re: BGP address used on partner network</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227908#M43824</link>
      <description>&lt;P&gt;Yes you still need NAT rules for the address you want the traffic to appear from.&lt;/P&gt;
&lt;P&gt;The NAT pool itself simply provides a mechanism to have these addresses participate in routing protocol advertisements.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 13:57:42 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/227908#M43824</guid>
      <dc:creator>Chris_Atkinson</dc:creator>
      <dc:date>2024-09-25T13:57:42Z</dc:date>
    </item>
    <item>
      <title>Re: BGP address used on partner network</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/228129#M43887</link>
      <description>&lt;P&gt;Hi, all is working now, except for one small issue.&lt;/P&gt;&lt;P&gt;The Juniper routers that we have the BGP sessions with are not updating the MAC addresses quickly enough on cluster failover.&lt;/P&gt;&lt;P&gt;Is there any way to use a VMAC on only one interface, or something like that?&lt;/P&gt;&lt;P&gt;I see the option in my cluster to enable VMAC, but I am a bit worried about using this option, as it may cause a network outage because my whole cluster uses a VMAC all of a sudden...&lt;/P&gt;&lt;P&gt;Hope to hear back from you. Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Sep 2024 16:55:35 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/BGP-address-used-on-partner-network/m-p/228129#M43887</guid>
      <dc:creator>Lars_de_Mooy</dc:creator>
      <dc:date>2024-09-26T16:55:35Z</dc:date>
    </item>
  </channel>
</rss>

