This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Help
Everest_Aponte
Everest_Aponte
Ivory
‎2019-10-31 12:06 PM

Announce networks behind remote peer VPN to Virtual Network Gateway. Azure

Jump to solution

Hello Everybody

I have the following request,

We have an environment on Azure (R80.20 Cluster) and access to On-premises networks through ExpressRoute. We' configuring a tunnel VPN using VTIs with 3rd Party (Cisco). So,  I would like to know if possible to announce the networks behind remote peer VPN, for example (10.236.150.128/27) on my virtual network gateway in order to announce it on the BGP to on-premises networks.  

Thank you so much for your attention and comments

Best regards

Everest

 

0 Kudos
Reply
1 Solution

Accepted Solutions
Matthias_Haas
Matthias_Haas
Copper
‎2019-11-03 11:26 PM

Re: Announce networks behind remote peer VPN to Virtual Network Gateway. Azure

Jump to solution

Hi Everest,

I am not sure if this is working and I can not test it in my Azure environment as I do not have a ER running, but may be it´s worth trying:

You could add the remote peer network as additional Address space on the VNET, where your Checkpoint GW is  deployed:

Unbenannt.png

This should cause BGP to propagate that network to OnPrem.

In addition you may have to modify your UDRs, so that the remote peer network is actually routed to the Checkpoint GW (you should already have such UDRs I guess)

 

Matthias

 

View solution in original post

Reply
3 Replies
Tommy_Forrest
Tommy_Forrest
Silver
‎2019-11-01 06:34 AM

Re: Announce networks behind remote peer VPN to Virtual Network Gateway. Azure

Jump to solution

Are you aiming to have a IPSEC tunnel across Express Route?

Or are you trying to stand up a tunnel across the internet to your CloudGuard gateways for backup?

Or are you trying to stand up tunnels to your CloudGuard gateways from external internet peers and you need internal resources to go across ER to your CloudGuard gateway and then out to the internet?

0 Kudos
Reply
Everest_Aponte
Everest_Aponte
Ivory
‎2019-11-01 11:36 AM

Re: Announce networks behind remote peer VPN to Virtual Network Gateway. Azure

Jump to solution

Hello Tommy

Thanks for your contact

Basically, We're configuring a Site to Site VPN with a Customer. 

                                                            Site to Site VPN based VTIs

Peer Remote (Customer) ------------INTERNET --------------- Peer CheckPoint on AZURE 

                                                           Enviroment Azure

Peer CheckPoint on AZURE --------------ER-------------- ON-Premises 

 

Network Remote Peer: 10.236.150.128/29 

Network Peer CheckPoint on Azure: 10.236.1.0/24

Network ON Premises: 10.0.0.0/8 

The flow of Traffic: Bidirectional between 10.236.150.128/29 (remote peer network) and 10.0.0.0/8 (OnPremises network) 

 

Yes, This traffic has to go across the Express Route, We need to announce these VPNs networks so that Virtual Gateway.  

Thank you so much

 

Everest

 

 

 

0 Kudos
Reply
Matthias_Haas
Matthias_Haas
Copper
‎2019-11-03 11:26 PM

Re: Announce networks behind remote peer VPN to Virtual Network Gateway. Azure

Jump to solution

Hi Everest,

I am not sure if this is working and I can not test it in my Azure environment as I do not have a ER running, but may be it´s worth trying:

You could add the remote peer network as additional Address space on the VNET, where your Checkpoint GW is  deployed:

Unbenannt.png

This should cause BGP to propagate that network to OnPrem.

In addition you may have to modify your UDRs, so that the remote peer network is actually routed to the Checkpoint GW (you should already have such UDRs I guess)

 

Matthias

 

View solution in original post

Reply