CheckMates > Products > General Topics
ISP ClusterXL connection
Hi all,
I've a problem to solve that has been turning my head around for the last couple of weeks. Maybe someone has a simple solution for this, since I've tried some different approaches but none has worked as expected.
So, basically I've a couple of 9100 boxes in ClusterXL that I need to connect to the ISP at a particular customer. The ISP connection is delivered through a media converter and an optional router. Logically, the ISP uses a network in the Carrier Grade NAT space (100.64.x.y/30) and they deliver a public network A.B.C.D/29 through that CGNAT.
Right now we have the optional router receiving the CGNAT network and then the public network delivered to the ClusterXL through a private network (192.168.255.0/24). I would like to remove the router, since it's a single device (lacks redundancy) and it's not quite enterprise material (lacks performance). I was able to easily remove the router and use the CGNAT network on the ClusterXL. The problem is that the IP on the CGNAT network used on the ClusterXL side does not have Internet access, which is a big problem, since the gateways need to connect to the Internet to update IPS, App Control, etc. Also, the Management is a Smart-1 Cloud license :).
So, has anyone had some kind of related issue? Am I able to remove the router? Or am I destined to use the router?
Any help is much appreciated. I've uploaded a simple network diagram to illustrate the network topology.
Kind regards.
Just an idea/suggestion... kind of "pondering" here lol. If you say that IP does not have Internet access, can it be NAT-ed to something that does?
Andy
Hi,
The ISP routes a /29 public network with Internet access to the CGNAT IP on the customer side. I'm able to NAT traffic traversing my cluster behind those IPs, but I'm not able to NAT self-generated traffic on my gateways, since the VIP of the external interface is the CGNAT IP on the customer side. I feel that I'm stuck with the sh**ty router.
I hear ya, sorry brother... it's sadly a catch-22 situation.
Andy
Hi @orion_son30
Nice scenario. 🙂
At first sight, maybe you have the opportunity to configure an existing proxy on the gateways? That would be a great workaround.
Maybe?
Akos
\m/_(>_<)_\m/
Great idea @AkosBakos
Thanks, this (proxy) saved my life last time 🙂
\m/_(>_<)_\m/
Hi,
That has crossed my mind. However, one of the purposes of this new cluster is to remove from the network an old machine running an old version of Squid. I kinda feel a little bit stupid asking the customer to keep the Squid so the firewalls can have Internet access to keep the services up to date and to connect to the Smart-1 Cloud.
This is really a catch-22. Install a CloudGuard GW as a proxy 🙂
\m/_(>_<)_\m/
Well, I think the whole issue here is how to get an actual IP that can connect to the external world...
Yep, that is the issue.
Regards
Since I'm not even 5% genius compared to @AkosBakos and @PhoneBoy, let's see if they have any other ideas. I'm just giving my suggestions based on what you are providing here. To me, again, just based on pure logic, unless there is a way to get NAT working to get the routable IP, I'm not sure what else can be done...
Andy
Yup, that's it. I'm also out of ideas now. 🙂
Regards
Don't lose hope, I'm hopeful someone will have a "light bulb moment" 🙂
Andy
With the router in place, what IPs are configured on the external interfaces of the cluster members?
When you try to eliminate the router, what IPs do you use for the gateways?
I suspect the router is doing some sort of NAT.
Hi,
When we have the router in place we use a network (192.168.255.0/24) dedicated to connecting the router to the firewalls. The router is 192.168.255.1 and we have .251 on FW1, .252 on FW2 and .254 as the Cluster VIP.
When we don't have the router, we need to use the CGNAT network to connect to the ISP, which is a /30 network. So, we use a "dummy" network for the physical IPs on the gateways and the IP on the CGNAT network as the Cluster IP, with the proper link-local route to have connectivity with the ISP.
And yes, the router is doing NAT when it is in place. The problem is that the CGNAT network does not have Internet access, so when we configure that network directly on the cluster, the firewalls don't have access to the Internet, since all the traffic generated by the gateways is NATed behind the Cluster IP of the external interface.
Kind regards
I assume the /30 is on the far side of the router.
That means you only have one valid IP address (assuming the other end is your ISP Default Route).
That means you need to use that other IP for your Cluster IP using something like: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content...
Note that only the active cluster member will be able to reach the Internet directly with this configuration.
Hi,
Sorry, maybe I was not clear. I'm aware of the feature "Cluster IP Addresses on Different Subnets"; in fact I've used it to configure the /30 on my side. The problem is that the /30 CGNAT network doesn't have access to the Internet. So, the cluster IP doesn't have access to the Internet. And that is my issue. The ISP routes a /29 public network to the customer side through the /30, but as far as I know, I cannot NAT the self-generated traffic behind that routed network.
Regards
> but as far as I know, I cannot NAT the self generated traffic behind that routed network.
Actually you can, but cluster hide/fold, which is enabled by default, will interfere with your attempts to do so with a rule 0 NAT that takes precedence: sk34180: Outgoing connections from cluster members are sent with cluster Virtual IP address instead ...
So you'll need to disable cluster hide/fold. This will cause the two members to use their dedicated/fixed CGNAT addresses to initiate connections to the Internet. Now you need to add two manual NAT rules at the top like this, making sure that ExternalZone is properly associated with the outside interface:
Original Source              Original Destination  Original Service  Translated Source   Translated Destination  Translated Service  Install On
CGNAT Member 1 Ext CGNAT IP  ExternalZone          Original          /29_Addr_1 (Hide)   Original                Original            Member1
CGNAT Member 2 Ext CGNAT IP  ExternalZone          Original          /29_Addr_2 (Hide)   Original                Original            Member2
It is possible to NAT firewall-initiated traffic because source NAT happens on the server side between o and O. It is not possible to NAT the destination IP of firewall-initiated traffic, as that happens on the client side between i and I. You might be able to get away with using a single /29 Internet-routable address for both members as the hide, but try using two separate ones first.
Hi Timothy,
I had a kind of suspicion that something like that was possible to do. It's Check Point, so everything is possible :D. And it seems at least a possibility to proceed.
I just have a little problem scratching my head with that solution. My Management is a Smart-1 Cloud. So, when I make those changes and push the policy to the gateway, don't you think that I can have a little problem in the middle of the installation? Do you think that the install will go until the end? Or will it fail because somewhere in that install it will lose access to the Internet?
Kind Regards.
In the case of Smart-1 Cloud those two NATs should probably be static rather than hide so the Smart-1 Cloud can initiate to the gateways. But yes, you may run into a situation where these NATs will interfere with management coming in from the Internet as opposed to the inside when you first install policy. If the traffic is dropped inappropriately by your policy, a fw unloadlocal will not help since that will kill the NATting you are relying on too. Also, control connections between the SMS and gateways sometimes seem to have their own rule 0 NATs that may interfere as well. Sounds like you need to schedule a nice long maintenance window to give it a shot and see what happens.
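To make the two replies above concrete (cluster hide/fold acting as a rule-0 NAT that beats the per-member manual rules, and why those rules need to be static rather than hide for Smart-1 Cloud to initiate inbound), here is an added model of the NAT decisions; it is not code from this thread or from Check Point. The addresses, the first-match rule model and the "ISP only forwards the routed /29" predicate are constructed assumptions.

```python
from ipaddress import IPv4Network, ip_address

# Constructed addressing mirroring the thread's topology (RFC 6598 and
# documentation ranges, not the poster's real values).
CGNAT = IPv4Network("100.64.0.0/10")          # shared address space; the ISP never forwards it upstream
CLUSTER_VIP = ip_address("100.64.1.2")        # customer-side address of the ISP /30, used as cluster VIP
MEMBER_EXT = {"Member1": ip_address("192.0.2.11"),   # members' own external ("dummy" network) IPs
              "Member2": ip_address("192.0.2.12")}
PUBLIC_29 = IPv4Network("203.0.113.8/29")     # the /29 the ISP routes to the customer via the /30
UPDATE_SERVER = ip_address("8.8.8.8")         # stand-in for any Internet host the gateway must reach


def manual_rules(method):
    """The two per-member manual NAT rules from the reply: source = member's own
    external IP, destination = ExternalZone, translated source = one /29 address."""
    return [
        {"orig_src": MEMBER_EXT["Member1"], "xlate_src": PUBLIC_29[1], "method": method, "install_on": "Member1"},
        {"orig_src": MEMBER_EXT["Member2"], "xlate_src": PUBLIC_29[2], "method": method, "install_on": "Member2"},
    ]


def isp_forwards_to_internet(src):
    """Assumed ISP edge behaviour: only the routed /29 is carried to the Internet."""
    return src in PUBLIC_29


def translate_outbound(member, src, dst, rules, hide_fold_enabled=True):
    """Source NAT for a connection the firewall itself opens toward ExternalZone.
    Cluster hide/fold behaves like a rule-0 NAT, so it is evaluated first."""
    if dst in CGNAT or dst.is_private:
        return src                           # not ExternalZone: no translation
    if hide_fold_enabled and src in MEMBER_EXT.values():
        return CLUSTER_VIP                   # rule 0 wins: folded to the unroutable VIP
    for r in rules:                          # first match wins, like the NAT rulebase
        if r["install_on"] == member and r["orig_src"] == src:
            return r["xlate_src"]
    return src


def translate_inbound(dst, rules):
    """Destination NAT for a connection initiated from the Internet (e.g. Smart-1
    Cloud) toward a /29 address. Only a static rule can be matched in this direction."""
    for r in rules:
        if r["method"] == "static" and r["xlate_src"] == dst:
            return r["orig_src"]
    return None                              # hide NAT: no inbound mapping exists


if __name__ == "__main__":
    for fold in (True, False):
        out = translate_outbound("Member1", MEMBER_EXT["Member1"], UPDATE_SERVER, manual_rules("hide"), fold)
        print(f"hide/fold={fold}: Member1 leaves as {out}, Internet reachable: {isp_forwards_to_internet(out)}")
    for method in ("hide", "static"):
        print(f"{method}: Smart-1 Cloud -> {PUBLIC_29[1]} reaches {translate_inbound(PUBLIC_29[1], manual_rules(method))}")
```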
Hi,
Yep, I will need to check and see. It will be one of those situations where I will only know if it works when I try. I will need to propose that to my customer and see what happens.
Anyway, many thanks for your input with the cluster hide/fold tip. I will try and let everyone know the answer.
Kind regards.
