This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
joerivang
Contributor
‎2026-01-23 03:49 AM
Jump to solution

Advertising non existing networks (encryption domain) into BGP - Blackhole Route or NAT-Pools

Hi all,

We're currently converting our network from static to dynamic routing with BGP. I use a firewall for many site-to-site VPN's we have, so i need to advertise networks that are not in the routing table.

I cannot use Routing Injection Mechanism, because for this i need permanent tunnels and they're only available between two Check Point gateways. 

I thought of using NAT-Pools as they're available to redistribute and able to be added to a route map. However I also see that it's possible to create static blackhole routes and redistribute them the same way. 

What would be the benefit of using one over the other? The only thing i see is that you cannot do route aggregation with NAT-Pools. 

Will the site-to-site VPN's remain to work when i add a blackhole route for that network? What has precedence? A blackhole route, or a VPN community?

Labels
0 Kudos
1 Solution

Accepted Solutions
CheckPointerXL
Advisor
Advisor
‎2026-01-23 11:50 PM
Jump to solution

nat pools 

https://support.checkpoint.com/results/sk/sk179549

 

View solution in original post

17 Replies
joerivang
Contributor
‎2026-01-23 07:01 AM
Jump to solution

When labbing, creating a static blackhole route (even when it's less specific than the encryption domain), traffic doesn't pass. So it seems that a static blackhole route is not an option, and the only option i have is creating NAT Pools.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-23 07:13 AM
In response to joerivang
Jump to solution

Hey Joe,

Do you have anything configured as per below?

Screenshot_1.png

Screenshot_2.png

  

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
joerivang
Contributor
‎2026-01-23 07:34 AM
In response to the_rock
Jump to solution

My configuration is below (left out all the snippets that are not relevant):

set nat-pool 172.16.160.0/21
set nat-pool 172.16.160.0/21 comment "Customer support client VPN range"

set routemap export_all_to_bgp id 1 on
set routemap export_all_to_bgp id 1 match protocol nat-pool
set routemap export_all_to_bgp id 1 match protocol direct

set bgp external remote-as 65000.3 export-routemap export_all_to_bgp preference 1 on

Output of "show route" (you see, there's no entry for the 172.16.160.0/21 network, as this is remote access VPN as example):

FW3> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
       IS - IS-IS (L1 - Level 1, L2 - Level 2, IA - InterArea, E - External),
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       NP - NAT Pool, U - Unreachable, i - Inactive

S               0.0.0.0/0           via x.x.x.x, bond1, cost 0, age 20839158
S               10.0.0.0/8          via 172.16.1.31, bond2, cost 0, age 4353068
S               10.5.0.0/16         via 172.16.1.40, bond2, cost 0, age 4353068
S               10.100.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.101.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.102.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.103.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.104.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.105.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.106.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.107.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.108.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.109.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
S               10.110.0.0/16       via 172.16.1.40, bond2, cost 0, age 4353068
S               10.111.0.0/16       via 172.16.1.40, bond2, cost 0, age 4353068
S               10.112.0.0/16       via 172.16.1.40, bond2, cost 0, age 4353068
S               10.116.0.0/16       via 172.16.1.34, bond2, cost 0, age 4353068
C               127.0.0.0/8         is directly connected, lo
S               172.16.0.0/12       via 172.16.1.31, bond2, cost 0, age 4353068
C               172.16.1.0/24       is directly connected, bond2
                                        LAN
C               172.16.7.16/30      is directly connected, bond0
                                        Sync
S               172.16.23.0/24      via 172.16.1.34, bond2, cost 0, age 4353068
S               172.16.25.0/24      via 172.16.1.34, bond2, cost 0, age 4353068
S               192.168.0.0/16      via 172.16.1.31, bond2, cost 0, age 4353068
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-23 07:37 AM
In response to joerivang
Jump to solution

I dont believe you need this line:

set routemap export_all_to_bgp id 1 match protocol nat-pool
Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
joerivang
Contributor
‎2026-01-23 07:38 AM
In response to the_rock
Jump to solution

Yes that is needed, because i actually need to inject this network into BGP (or any dynamic protocol for that matter). I cannot redistribute this network from any other protocol as a route simply doesn't exist for this network. 

See also my "show route" output i provided as update on earlier post.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-23 07:39 AM
In response to joerivang
Jump to solution

Give me few mins, will send you an example my colleague and I did for a large customer few years ago that worked fine.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
joerivang
Contributor
‎2026-01-23 07:44 AM
In response to the_rock
Jump to solution

I can redistribute from NAT pool or a route map, that really doesn't matter for the challenge ahead. It's more the question if there's any other possibility that I've overlooked 😀

Redistributing from a route map because then for every other BGP peer i only have to redistribute from that routemap, and not select all protocols for each peer.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-23 07:53 AM
In response to joerivang
Jump to solution

Example, as promised:

set routemap ospf-to-bgp-100 id 10 match prefix-list VOIP_PL_OUT preference 10 on
set routemap ospf-to-bgp-100 id 10 match protocol ospf2
set routemap ospf-to-bgp-100 id 10 action localpref 100
set routemap ospf-to-bgp-100 id 20 on
set routemap ospf-to-bgp-100 id 20 allow
set routemap ospf-to-bgp-100 id 20 match prefix-list VOIP_PL_OUT preference 10 on
set routemap ospf-to-bgp-100 id 20 match protocol ospf2ase

 

*********************

set prefix-list VOIP_PL_OUT sequence-number 10 prefix x.x.x.0/24 all
set prefix-list VOIP_PL_OUT sequence-number 20 prefix x.x.x.0/24 exact
set prefix-list VOIP_PL_OUT sequence-number 30 prefix 172.27.0.0/16 all
set prefix-list VOIP_PL_OUT sequence-number 40 prefix x.x.x.x.0/24 exact
set prefix-list VOIP_PL_OUT sequence-number 50 prefix x.x.x.x.0/24 exact
set prefix-list VOIP_PL_OUT sequence-number 80 prefix 10.224.1.0/24 all
set prefix-list VOIP_PL_OUT sequence-number 90 prefix 10.224.98.0/24 all
set prefix-list VOIP_PL_OUT sequence-number 100 prefix 10.224.99.0/24 all
set prefix-list VOIP_PL_OUT sequence-number 110 prefix 172.17.10.0/24 all

 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
joerivang
Contributor
‎2026-01-23 08:01 AM
In response to the_rock
Jump to solution

Will lab this to see if a network that is not connected but is inside of a prefix list get's redistributed, thanks for the insights!

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-23 08:02 AM
In response to joerivang
Jump to solution

Great! If you need any more info, let me know.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-25 02:30 PM
In response to joerivang
Jump to solution

Looks like link @CheckPointerXL sent is definitely related.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
joerivang
Contributor
‎2026-01-26 03:45 AM
In response to the_rock
Jump to solution

That was also what i was referring to in my original post. Haven't linked the SK though.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2026-01-23 07:51 AM
In response to joerivang
Jump to solution

Yeah, blackhole routes eat the traffic between I and o.

Why not just add static routes sending the traffic out to your default gateway? Then the route would exist, and you could redistribute it from static into BGP.

0 Kudos
joerivang
Contributor
‎2026-01-23 08:00 AM
In response to Bob_Zimmerman
Jump to solution

That would also be a very cool idea that I've not yet thought of. Thanks for the insights.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2026-01-23 11:50 PM
Jump to solution

nat pools 

https://support.checkpoint.com/results/sk/sk179549

 

the_rock
MVP Diamond
MVP Diamond
‎2026-01-24 01:35 AM
In response to CheckPointerXL
Jump to solution

That might be it.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
joerivang
Contributor
‎2026-01-26 03:46 AM
In response to CheckPointerXL
Jump to solution

Thanks, that was also what i was referring to in my post, haven't seen the SK yet so thanks for that!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events