This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kamaladmire1
Contributor
Contributor
Tuesday

BGP Routes not Advertise

HI All, 

I am having issues with route advertisement in BGP ( between Check Points). 

Site to Site VPN between firewalls

Tunnels UP and can ping ip-addresses behind the firewall via tunnel interface IP

can ping tunnel interface from all three gateways. 

all 3 single gateways. 

Prefix-list and Routemaps used but not seeing routes being advertise on any 3 checkpoints firewalls. 

However, if I use interface route-redistribution it works.

 

Version: R81.20

Jumbo T120

Appliance: VMWare

Management same version as firewalls.

Please see the attached configuration and help to identify the issue.

For information I have also tried used nat-pool with no joy, here is the nat-pool config I used as an example, 

 

GW1

set nat-pool 10.153.255.0/24 on
set nat-pool 20.20.10.0/24 on
set nat-pool 20.20.11.0/24 on
set nat-pool 20.20.12.0/24 on

set route-redistribution to bgp-as 65000 from nat-pool 10.153.255.0/24 on
set route-redistribution to bgp-as 65000 from nat-pool 20.20.10.0/24 on
set route-redistribution to bgp-as 65000 from nat-pool 20.20.11.0/24 on
set route-redistribution to bgp-as 65000 from nat-pool 20.20.12.0/24 on

set route-redistribution to bgp-as 65050 from nat-pool 10.153.255.0/24 on
set route-redistribution to bgp-as 65050 from nat-pool 20.20.10.0/24 on
set route-redistribution to bgp-as 65050 from nat-pool 20.20.11.0/24 on
set route-redistribution to bgp-as 65050 from nat-pool 20.20.12.0/24 on

 

GW2

set nat-pool 10.152.255.0/24 on
set nat-pool 30.30.10.0/24 on
set nat-pool 30.30.11.0/24 on
set nat-pool 30.30.12.0/24 on

 

set route-redistribution to bgp-as 65001 from nat-pool 10.152.255.0/24 on
set route-redistribution to bgp-as 65001 from nat-pool 30.30.10.0/24 on
set route-redistribution to bgp-as 65001 from nat-pool 30.30.11.0/24 on
set route-redistribution to bgp-as 65001 from nat-pool 30.30.12.0/24 on

set route-redistribution to bgp-as 65050 from nat-pool 10.152.255.0/24 on
set route-redistribution to bgp-as 65050 from nat-pool 30.30.10.0/24 on
set route-redistribution to bgp-as 65050 from nat-pool 30.30.11.0/24 on
set route-redistribution to bgp-as 65050 from nat-pool 30.30.12.0/24 on

 

GW3

set nat-pool 10.10.10.0/24 on
set nat-pool 10.10.11.0/24 on
set nat-pool 10.10.12.0/24 on
set nat-pool 10.200.0.0/16 on

et route-redistribution to bgp-as 65000 from nat-pool 10.10.10.0/24 on
set route-redistribution to bgp-as 65000 from nat-pool 10.10.11.0/24 on
set route-redistribution to bgp-as 65000 from nat-pool 10.10.12.0/24 on
set route-redistribution to bgp-as 65000 from nat-pool 10.200.0.0/16 on


set route-redistribution to bgp-as 65001 from nat-pool 10.10.10.0/24 on
set route-redistribution to bgp-as 65001 from nat-pool 10.10.11.0/24 on
set route-redistribution to bgp-as 65001 from nat-pool 10.10.12.0/24 on
set route-redistribution to bgp-as 65001 from nat-pool 10.200.0.0/16 on

 

Note: NAT-Pool did not help so I have removed from the configuration attached.

 

 

 

 

 

GW-2.txt
GW-1.txt
GW-3.txt
0 Kudos
10 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
Tuesday

What is the origin of your routes?

Your match protocol for outbound route-map might be a conflict...

CCSM R77/R80/ELITE
0 Kudos
kamaladmire1
Contributor
Contributor
Tuesday
In response to Chris_Atkinson

Hi Chris, 

The routes advertised are directly connected. ( in my attachments if have supplied fw getifs output) 

I can try to remove the match protocol from the outbound route-map!

 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
Tuesday
In response to kamaladmire1

Please let us know if that solved the issue, but likely it will be needed in addition to the correct form of redistribution.

We don't have a "network" statement under the BGP process like in Cisco...

CCSM R77/R80/ELITE
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Tuesday

Just looking at your GW2 config, the LOCAL-OUT routemap 'match protocol' statement is set to BGP. These local routes are not coming from BGP, so this routemap won't match anything. You should remove this match statement. 

kamaladmire1
Contributor
Contributor
yesterday
In response to emmap

Thanks all for your response. @Chris_Atkinson @emmap 

I have now remove the match protocol statement from all three gateways where used under export-routemap. 

I have added statement match protocol on all three for import-route map 

try run restart bgp all 

BGP established but no routes being advertise???

 

 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
yesterday
In response to kamaladmire1

Do you have route redistribution configured after you removed the NAT pools or no?

CCSM R77/R80/ELITE
0 Kudos
kamaladmire1
Contributor
Contributor
yesterday
In response to Chris_Atkinson

Hi, 

No route resdistribution, however If I remove prefix-list and just used redistribution it works.

I need to work with prefix-list

please see the attached current config

GW-3.txt
GW-1.txt
GW-2.txt
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
yesterday
In response to kamaladmire1

Did you already try "match protocol direct" for the export routemap?

CCSM R77/R80/ELITE
0 Kudos
kamaladmire1
Contributor
Contributor
yesterday
In response to Chris_Atkinson

Thanks Chris, 

Indeed, this trick works, and I can see the routes on other firewalls and only routes being advertised used in the Prefix list not all directly connected..That's great

Thanks for your help.

I have attached full config of all three, just to help anyone looking this thread and find helpful with full configuration, as I was struggling to find config of both ends. 

Here is the final config or all three working firewalls.

 

GW-1.txt
GW-3.txt
GW-2.txt
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
yesterday
In response to kamaladmire1

No worries - Glad that it's all working now 🙂

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events