<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISP ClusterXL connection in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227710#M38042</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Sorry, maybe I was not clear. I'm aware of the feature "Cluster IP Addresses on Different Subnets"; in fact I've used it to configure the /30 on my side. The problem is that the /30 CGNAT network doesn't have access to the Internet. So, the cluster IP doesn't have access to the Internet. And that is my issue. The ISP routes a /29 public network to the customer side through the /30, but as far as I know, I cannot NAT the self-generated traffic behind that routed network.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
    <pubDate>Tue, 24 Sep 2024 09:04:20 GMT</pubDate>
    <dc:creator>Oryx</dc:creator>
    <dc:date>2024-09-24T09:04:20Z</dc:date>
    <item>
      <title>ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227468#M37988</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I've a problem to solve that has been turning my head around for the last couple of weeks. Maybe someone has a simple solution for this, since I've tried some different approaches but none has worked as expected.&lt;/P&gt;&lt;P&gt;So, basically I've a couple of 9100 boxes in ClusterXL that I need to connect to the ISP at a particular customer. The ISP connection is delivered through a media converter and an optional router. Logically, the ISP uses a network in the Carrier Grade NAT space (100.64.x.y/30) and they deliver a public network A.B.C.D/29 through that CGNAT.&lt;/P&gt;&lt;P&gt;Right now we have the optional router receiving the CGNAT network and then the public network delivered to the ClusterXL through a private network (192.168.255.0/24). I would like to remove the router, since it's a single device (lacks redundancy) and it's not quite enterprise material (lacks performance). I was able to easily remove the router and use the CGNAT network on the ClusterXL. The problem is that the IP on the CGNAT network used on the ClusterXL side does not have Internet, which is a big problem, since the gateways need to connect to the Internet to update IPS, App Control, etc. Also, the Management is a Smart-1 Cloud license :).&lt;/P&gt;&lt;P&gt;So, has anyone had some kind of related issue? Am I able to remove the router? Or am I destined to use the router?&lt;/P&gt;&lt;P&gt;Any help is much appreciated on this. I've uploaded a simple network diagram to illustrate the network topology.&lt;/P&gt;&lt;P&gt;Kind regards.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 11:26:28 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227468#M37988</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-22T11:26:28Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227470#M37989</link>
      <description>&lt;P&gt;Just an idea/suggestion...kind of "pondering" here lol. If you say that IP does not have Internet access, can it be NAT-ed to something that does?&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 14:22:09 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227470#M37989</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-09-22T14:22:09Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227477#M37992</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/72835"&gt;@Oryx&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Nice scenario. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;At first sight, maybe you have the opportunity to configure an existing proxy on the gateways? That would be a great workaround.&lt;/P&gt;
&lt;P&gt;Maybe?&lt;/P&gt;
&lt;P&gt;Akos&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 16:02:13 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227477#M37992</guid>
      <dc:creator>AkosBakos</dc:creator>
      <dc:date>2024-09-22T16:02:13Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227478#M37993</link>
      <description>&lt;P&gt;Great idea&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28415"&gt;@AkosBakos&lt;/a&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 16:04:12 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227478#M37993</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-09-22T16:04:12Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227480#M37994</link>
      <description>&lt;P&gt;Thanks, this (proxy) saved my life last time &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 16:15:30 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227480#M37994</guid>
      <dc:creator>AkosBakos</dc:creator>
      <dc:date>2024-09-22T16:15:30Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227482#M37995</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;The ISP routes to the CGNAT IP on the customer side a /29 public network with Internet access. I'm able to NAT traffic traversing my cluster behind those IPs, but I'm not able to NAT self-generated traffic on my gateways, since the VIP of the external interface is the CGNAT IP on the customer side. I feel that I'm stuck with the sh**ty router.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 16:24:38 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227482#M37995</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-22T16:24:38Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227485#M37996</link>
      <description>&lt;P&gt;I hear ya, sorry brother... it's sadly a catch-22 situation.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 16:28:30 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227485#M37996</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-09-22T16:28:30Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227486#M37997</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;That has crossed my mind. However, one of the purposes of this new cluster is to remove from the network an old machine running an old version of Squid. I kind of feel a little bit stupid asking the customer to keep the Squid so the firewalls can have Internet to keep the services up to date and to connect to the Smart-1 Cloud.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 16:32:23 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227486#M37997</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-22T16:32:23Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227490#M37998</link>
      <description>&lt;P&gt;This is really a catch-22. Install a CloudGuard GW for proxy &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 16:49:57 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227490#M37998</guid>
      <dc:creator>AkosBakos</dc:creator>
      <dc:date>2024-09-22T16:49:57Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227494#M37999</link>
      <description>&lt;P&gt;Well, I think the whole issue here is how to get an actual IP that can connect to the external world...&lt;/P&gt;</description>
      <pubDate>Sun, 22 Sep 2024 17:03:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227494#M37999</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-09-22T17:03:34Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227565#M38016</link>
      <description>&lt;P&gt;With the router in place, what IPs are configured on the external interfaces of the cluster members?&lt;BR /&gt;When you try to eliminate the router, what IPs do you use for the gateways?&lt;/P&gt;
&lt;P&gt;I suspect the router is doing some sort of NAT.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 13:47:20 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227565#M38016</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2024-09-23T13:47:20Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227571#M38019</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;When we use the router in place, we use a network (192.168.255.0/24) dedicated to connecting the router to the firewalls. The router is 192.168.255.1 and we have .251 on FW1, .252 on FW2 and .254 as the Cluster IP (VIP).&lt;/P&gt;&lt;P&gt;When we don't have the router, we need to use the CGNAT network to connect to the ISP, which is a /30 network. So, we use a "dummy" network for the physical IPs on the gateways and the IP on the CGNAT network as the Cluster IP, with the proper link-local route to have connectivity with the ISP.&lt;/P&gt;&lt;P&gt;And yes, the router is doing NAT when it is in place. The problem is that the CGNAT network does not have Internet, so when we configure that network directly on the cluster, the firewalls don't have access to the Internet, since all the traffic generated by the gateways is NATed behind the Cluster IP of the external interface.&lt;/P&gt;&lt;P&gt;Kind regards&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 14:13:06 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227571#M38019</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-23T14:13:06Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227572#M38020</link>
      <description>&lt;P&gt;Yep, that is the issue.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 14:13:30 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227572#M38020</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-23T14:13:30Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227573#M38021</link>
      <description>&lt;P&gt;Since I'm not even 5% genius compared to&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28415"&gt;@AkosBakos&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7"&gt;@PhoneBoy&lt;/a&gt;, let's see if they have any other ideas. I'm just giving my suggestions based on what you are providing here. To me, again, just based on pure logic, unless there is a way to get NAT working to get the routable IP, I'm not sure what else can be done...&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 14:16:02 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227573#M38021</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-09-23T14:16:02Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227574#M38022</link>
      <description>&lt;P&gt;Yup, that's it. I'm also out of ideas now. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 14:17:51 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227574#M38022</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-23T14:17:51Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227575#M38023</link>
      <description>&lt;P&gt;Don't lose hope, I'm hopeful someone will have a "light bulb moment" &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 14:19:13 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227575#M38023</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-09-23T14:19:13Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227626#M38032</link>
      <description>&lt;P&gt;I assume the /30 is on the far side of the router.&lt;BR /&gt;That means you only have one valid IP address (assuming the other end is your ISP default route).&lt;BR /&gt;That means you need to use that other IP for your Cluster IP using something like:&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content/Topics-CXLG/Cluster-IP-addresses-on-different-subnets.htm" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content/Topics-CXLG/Cluster-IP-addresses-on-different-subnets.htm&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Note that only the active cluster member will be able to reach the Internet directly with this configuration.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 19:00:47 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227626#M38032</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2024-09-23T19:00:47Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227710#M38042</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Sorry, maybe I was not clear. I'm aware of the feature "Cluster IP Addresses on Different Subnets"; in fact I've used it to configure the /30 on my side. The problem is that the /30 CGNAT network doesn't have access to the Internet. So, the cluster IP doesn't have access to the Internet. And that is my issue. The ISP routes a /29 public network to the customer side through the /30, but as far as I know, I cannot NAT the self-generated traffic behind that routed network.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 09:04:20 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227710#M38042</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-24T09:04:20Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227766#M38058</link>
      <description>&lt;P&gt;&amp;gt;&amp;nbsp;&lt;SPAN&gt;but as far as I know, I cannot NAT the self generated traffic behind that routed network.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Actually you can, but cluster hide/fold, which is enabled by default, will interfere with your attempts to do so with a rule 0 NAT that takes precedence:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk34180" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;sk34180: Outgoing connections from cluster members are sent with cluster Virtual IP address instead of member's Physical IP address&lt;/SPAN&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;So you'll need to disable cluster hide/fold. This will cause the two members to use their dedicated/fixed CGNAT addresses to initiate connections to the Internet. Now you need to add two manual NAT rules at the top like this, making sure that ExternalZone is properly associated with the outside interface:&lt;/P&gt;
&lt;P&gt;CGNAT Member 1 Ext CGNAT IP&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; ExternalZone&amp;nbsp; &amp;nbsp; Original&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;/29_Addr_1 (Hide)&amp;nbsp; &amp;nbsp; &amp;nbsp;Original&amp;nbsp; &amp;nbsp; &amp;nbsp;Original&amp;nbsp; &amp;nbsp; &amp;nbsp;Member1&lt;/P&gt;
&lt;P&gt;CGNAT Member 2 Ext CGNAT IP&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; ExternalZone&amp;nbsp; &amp;nbsp; Original&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;/29_Addr_2 (Hide)&amp;nbsp; &amp;nbsp; &amp;nbsp;Original&amp;nbsp; &amp;nbsp; &amp;nbsp;Original&amp;nbsp; &amp;nbsp; &amp;nbsp;Member2&lt;/P&gt;
&lt;P&gt;It is possible to NAT firewall-initiated traffic because source NAT happens on the server side between o and O. It is not possible to NAT the destination IP of firewall-initiated traffic as that happens on the client side between i and I. You might be able to get away with using a single /29 Internet-routable address for both members as the hide, but try using two separate ones first.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 13:53:47 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227766#M38058</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2024-09-24T13:53:47Z</dc:date>
    </item>
    <item>
      <title>Re: ISP ClusterXL connection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227768#M38059</link>
      <description>&lt;P&gt;Hi Timothy,&lt;/P&gt;&lt;P&gt;I had a kind of suspicion that something like that was possible to do. It's Check Point, so everything is possible :D. And it seems at least a possibility to proceed.&lt;/P&gt;&lt;P&gt;I just have a little problem scratching my head with that solution. My Management is a Smart-1 Cloud. So, when I make those changes and push the policy to the gateway, don't you think that I can have a little problem in the middle of the installation? Do you think that the install will go until the end? Or will it fail because somewhere in that install it will lose access to the Internet?&lt;/P&gt;&lt;P&gt;Kind regards.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 14:02:23 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/ISP-ClusterXL-connection/m-p/227768#M38059</guid>
      <dc:creator>Oryx</dc:creator>
      <dc:date>2024-09-24T14:02:23Z</dc:date>
    </item>
  </channel>
</rss>