israelsc
Collaborator

Questions about redistribute routes to remote AS with BGP

Hello everyone,
I created this post to ask for your help with some doubts I have about BGP and how to redistribute routes to a remote AS.

I have a scenario on GNS3 server:

Check Point Firewall R81.20 JHF 89 (represented as “Cloud” node)
-eth0 192.168.5.130
-eth1 10.1.0.130
-eth2 192.168.70.130
[Autonomous System 1]

Router 1 (c3600):
-fa0/0 192.168.5.131
-fa0/1 10.50.50.1
-loopback 1.1.1.1
[Autonomous system 10]

Router 2 (c3600):
-fa0/0 10.50.50.2
-loopback 2.2.2.2
[Autonomous system 20]
lab.png

R1 and R2 advertise and redistribute their directly connected networks (10.50.50.0/24 and their loopbacks).
This is what Check Point receives through BGP.

This is the R1 routing table:
r1.png

This is the R2 routing table:
r2.png

This is the FW routing table:
FW.png


However, the question is:
*How do I advertise and redistribute the networks that Check Point knows through static routes, or the networks that Check Point has directly connected, to router 1 and router 2?
*Is a routemap needed for this?

We have been reviewing the documentation, but it does not explain clearly how to make Check Point advertise and redistribute networks to the remote BGP AS:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_Advanced_Routing_AdminGuide/T...

https://support.checkpoint.com/results/sk/sk100501

This is the BGP configuration we currently have for check point:
> set as 1
> set bgp external remote-as 10 on
> set bgp external remote-as 10 peer 192.168.5.131 on
> set bgp external remote-as 10 peer 192.168.5.131 accept-routes all

We want to know how to do this before the next step: replicate the lab configuration in the customer environment.

In the customer environment, they have an Azure HA cluster on the same version, R81.20 JHF 89, and a BGP peering with some Cisco routers in Azure.

For this environment we have another question:
*How do we advertise and redistribute the office mode VPN c2s network on the Check Point HA cluster in Azure for the BGP?

I hope I have explained myself with these details and if not, I will be glad to complement the information.

Greetings to all!

5 Replies
Chris_Atkinson
Employee

Route-maps with the appropriate match protocol statement and other relevant criteria will be needed.

Configure NAT pools to address the office mode part, which can also be used in the route-map matching logic, e.g.

match protocol.jpg

CCSM R77/R80/ELITE
JozkoMrkvicka
Authority

Yes, routemaps are best to use in this case.

set nat-pool <office mode VPN c2s network/netmask> on

set routemap DirectStaticNATPool id 100 on

set routemap DirectStaticNATPool id 100 allow

set routemap DirectStaticNATPool id 100 match protocol direct

set routemap DirectStaticNATPool id 200 on

set routemap DirectStaticNATPool id 200 allow

set routemap DirectStaticNATPool id 200 match protocol static

set routemap DirectStaticNATPool id 300 on

set routemap DirectStaticNATPool id 300 allow

set routemap DirectStaticNATPool id 300 match protocol nat-pool

set bgp external remote-as 10 export-routemap DirectStaticNATPool preference 1 on

Kind regards,
Jozko Mrkvicka
israelsc
Collaborator

Excellent, this worked for us!
Thanks for your help.

We configured the network 10.0.0.0/20 as the office mode network for the nat-pool, created the routemap to export static, direct and nat-pool routes, and used the routemap to export those routes to BGP:

set nat-pool 10.0.0.0/20 on

set routemap RM_exp_rts id 100 on
set routemap RM_exp_rts id 100 allow
set routemap RM_exp_rts id 100 match protocol direct

set routemap RM_exp_rts id 200 on
set routemap RM_exp_rts id 200 allow
set routemap RM_exp_rts id 200 match protocol static

set routemap RM_exp_rts id 300 on
set routemap RM_exp_rts id 300 allow
set routemap RM_exp_rts id 300 match protocol nat-pool

set bgp external remote-as 10 export-routemap RM_exp_rts preference 1 on


bgp config.png

With this configuration on the firewall, we see that these routes are already being advertised and injected into the routing tables of R1 and R2:
r1 rt.png
r2 rt.png

This is fine, it is what we expect.

However, we see that the firewall advertises all its static routes, including the firewall default route:

default rt.png

How do we prevent this firewall default route from being advertised to the BGP?
Is it possible to make an exclusion for this static route?

Greetings!

JozkoMrkvicka
Authority

set routemap RM_exp_rts id 200 match nexthop <IP_of_nexthop> on

This will cause only the static routes pointing to <IP_of_nexthop> to be advertised.

It is not an ideal solution, since once a new route with a different nexthop is added, you need to add a new routemap statement.

A better way is to restrict the specific route (0.0.0.0/0) from propagation. You will need to create a routemap entry with an ID lower than 200 and the action restrict:

set routemap RM_exp_rts id 199 on

set routemap RM_exp_rts id 199 restrict

set routemap RM_exp_rts id 199 match network 0.0.0.0/0 exact all

set routemap RM_exp_rts id 199 match protocol static

Kind regards,
Jozko Mrkvicka
israelsc
Collaborator

Hello @JozkoMrkvicka
Great! It helped me to restrict 0.0.0.0/0.
Just a correction in the command:

-instead of:
set routemap RM_exp_rts id 199 match network 0.0.0.0/0 exact all

-put:
set routemap RM_exp_rts id 199 match network 0.0.0.0/0 exact

After this, I noticed immediately on R1 and R2 that the default route 0.0.0.0/0 is no longer propagated to BGP on the other routers.
restrict default.png

Thank you for your help!
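To make the ordering logic of the export routemap in this thread concrete (the RM_exp_rts entries 100/200/300 that export direct, static and nat-pool routes, the id 199 restrict entry that drops the static default route, and the match nexthop alternative), here is an added Python model of how such a routemap filters a routing table. It is example code written for this page, not Check Point's or Gaia's code, and it assumes the following semantics, which are assumptions rather than something documented here: entries are evaluated in ascending id order, the first matching entry decides, every match clause of an entry must hold, a restrict match blocks the route, and a route matching no entry is not exported. The routing table, including the gateway addresses, is constructed to resemble the lab in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: str                      # prefix in CIDR form
    protocol: str                     # direct, static, nat-pool or bgp
    nexthop: Optional[str] = None


@dataclass(frozen=True)
class RoutemapEntry:
    """One 'set routemap <name> id <id> ...' group from the thread."""
    id: int
    action: str                       # "allow" or "restrict"
    protocol: Optional[str] = None    # match protocol <x>
    network: Optional[str] = None     # match network <prefix> exact
    nexthop: Optional[str] = None     # match nexthop <ip>

    def matches(self, route: Route) -> bool:
        # Assumption: all match clauses of one entry must hold (logical AND).
        if self.protocol is not None and route.protocol != self.protocol:
            return False
        if self.network is not None and ip_network(route.network) != ip_network(self.network):
            return False
        if self.nexthop is not None and route.nexthop != self.nexthop:
            return False
        return True


def export_routes(routes: List[Route], entries: List[RoutemapEntry]) -> List[str]:
    """Return the prefixes the export routemap lets through, in table order.

    Assumed evaluation: ascending id, first match decides, 'restrict' blocks,
    no match means the route is not exported.
    """
    ordered = sorted(entries, key=lambda e: e.id)
    exported = []
    for route in routes:
        for entry in ordered:
            if entry.matches(route):
                if entry.action == "allow":
                    exported.append(route.network)
                break
    return exported


# Constructed routing table modelled on the lab: the firewall's three connected
# networks, a static default route plus one more static route (both gateways
# are made up), the office mode nat-pool, and the prefixes learned from R1.
ROUTES = [
    Route("192.168.5.0/24", "direct"),
    Route("10.1.0.0/24", "direct"),
    Route("192.168.70.0/24", "direct"),
    Route("0.0.0.0/0", "static", nexthop="192.168.70.1"),    # constructed gateway
    Route("172.16.0.0/24", "static", nexthop="10.1.0.1"),   # constructed route
    Route("10.0.0.0/20", "nat-pool"),                        # office mode pool
    Route("10.50.50.0/24", "bgp", nexthop="192.168.5.131"),
    Route("1.1.1.1/32", "bgp", nexthop="192.168.5.131"),
]

# RM_exp_rts as posted: ids 100/200/300 allow direct, static and nat-pool.
RM_EXP_RTS = [
    RoutemapEntry(100, "allow", protocol="direct"),
    RoutemapEntry(200, "allow", protocol="static"),
    RoutemapEntry(300, "allow", protocol="nat-pool"),
]

# Id 199 restrict: 'match network 0.0.0.0/0 exact' and 'match protocol static'.
RESTRICT_DEFAULT = RoutemapEntry(199, "restrict", protocol="static", network="0.0.0.0/0")


def export_as_posted() -> List[str]:
    """The routemap before the fix: every static route, default included."""
    return export_routes(ROUTES, RM_EXP_RTS)


def export_without_default() -> List[str]:
    """Restrict entry placed at id 199, i.e. before the id 200 allow."""
    return export_routes(ROUTES, RM_EXP_RTS + [RESTRICT_DEFAULT])


def export_restrict_placed_too_late() -> List[str]:
    """Same restrict entry at id 201: the allow at 200 matches first."""
    late = RoutemapEntry(201, "restrict", protocol="static", network="0.0.0.0/0")
    return export_routes(ROUTES, RM_EXP_RTS + [late])


def export_static_by_nexthop(nexthop: str) -> List[str]:
    """The first suggestion: 'id 200 match nexthop <IP_of_nexthop>'."""
    entries = [e for e in RM_EXP_RTS if e.id != 200]
    entries.append(RoutemapEntry(200, "allow", protocol="static", nexthop=nexthop))
    return export_routes(ROUTES, entries)


if __name__ == "__main__":
    print("as posted:        ", export_as_posted())
    print("restrict at 199:  ", export_without_default())
    print("restrict at 201:  ", export_restrict_placed_too_late())
    print("nexthop 10.1.0.1: ", export_static_by_nexthop("10.1.0.1"))
```

The model shows why the restrict entry has to carry an id lower than 200: with the same match clauses at id 201, the allow at 200 has already accepted the static default route. It also shows that BGP-learned prefixes match none of the entries and therefore are not re-exported by this routemap under the assumed semantics; whether that holds on a real gateway should be confirmed by looking at what the peer actually receives, as the poster did with the R1 and R2 routing tables.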
