BGP address used on partner network
Hi all,
We have some questions about BGP and the (Hide NAT?) address we are using when we access the network behind the BGP routers of the partner.
We have a BGP configuration. We have Datacenter A and Datacenter B. In Datacenter A we have one Check Point cluster node. In Datacenter B we have one Check Point cluster node. In both datacenters we have a BGP router from an external partner. Two Check Point interfaces and two BGP peer interfaces are in the same VLAN. VLANs are all transported over the site link interconnect. The two Check Point interfaces used for the BGP have a cluster address. This address is used in a hide NAT rule so we access the partner network with this address.
The partner wants us to use a different address than the cluster address, and an address that is not directly attached to the cluster. We are ordered not to use any address that is used to set up the BGP sessions. We need to advertise this address to the partner so BGP knows where the traffic needs to be delivered. Can someone please have a look at the Visio? We don't know how we can use the given network address to access the partner's network. Normally we use the cluster address for this, but as we now learned, BGP needs a different configuration. I hope someone can help us out.
I now notice that the question could be made a bit clearer by adding this comment.
What we want to achieve is that we use 10.20.50.14/31 as the source when we access the partner network behind the BGP.
We want to advertise 10.20.50.14/31 to the partner so that it knows this route leads to our environment.
We are now using 10.20.30.51 in a hide NAT rule. This is working, but not desired because it can break the BGP. How it's done now works because the routers are on the same subnet and use ARP and not the BGP route I advertise...
Accepted Solutions
There is a feature that we call NAT pools that will help with this if I understand your requirements.
The remainder is standard BGP and NAT config, please review the above and advise which part if any you are stuck with from there?
Hi Chris, thanks, I think this could be what I need.
Can you please advise on what to do next? I assume I need to do this on both members:
Create the NAT pool on both members, 10.20.50.14/31.
Then Advanced Routing -> Route Redistribution -> add redistribution from "NAT pool" with the "To Protocol" field set to "BGP AS AS4200030961",
and then Advanced Routing -> Route Redistribution -> add redistribution from "NAT pool" with the "To Protocol" field set to "BGP AS AS4200030962".
Is this how I advertise my NAT pool to the BGP peers?
I don't understand how the traffic from the partner knows what to do with the traffic sent to the NAT pool.
This traffic is not part of any of the interfaces?
Do I still need a hide NAT rule and hide my outbound traffic behind the NAT pool address?
Yes you still need NAT rules for the address you want the traffic to appear from.
The NAT pool itself simply provides a mechanism to have these addresses participate in routing protocol advertisements.
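As an added pre-change check (not code from the thread or from Check Point), the script below tests a planned NAT pool against the three constraints the partner stated in this thread: the pool must not be a directly attached subnet of the cluster, it must not contain any address used for the BGP sessions, and the hide NAT source must lie inside the prefix that is advertised. The cluster subnet mask and the partner peer addresses are assumed sample values.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample values modelled on the thread (not a real configuration).
NAT_POOL = ip_network("10.20.50.14/31")          # prefix to be advertised via BGP
HIDE_NAT_SOURCE = ip_address("10.20.50.14")      # address used in the hide NAT rule
CLUSTER_IFACES = [ip_interface("10.20.30.51/24")]  # cluster VIP on the BGP VLAN; /24 is assumed
BGP_PEERS = [ip_address("10.20.30.1"), ip_address("10.20.30.2")]  # assumed partner peer IPs


def check_nat_pool(pool, hide_src, cluster_ifaces, bgp_peers):
    """Return a list of problems; an empty list means the plan meets the partner's rules."""
    problems = []
    # Rule 1: the pool must not overlap a directly attached subnet, otherwise the
    # peers resolve it by ARP on the shared VLAN instead of the advertised BGP route.
    for iface in cluster_ifaces:
        if pool.overlaps(iface.network):
            problems.append(f"pool {pool} overlaps attached subnet {iface.network}")
    # Rule 2: no address used to set up the BGP sessions may be inside the pool.
    for peer in bgp_peers:
        if peer in pool:
            problems.append(f"BGP peer {peer} lies inside pool {pool}")
    for iface in cluster_ifaces:
        if iface.ip in pool:
            problems.append(f"cluster address {iface.ip} lies inside pool {pool}")
    # Rule 3: the hide NAT source must be inside the advertised prefix, otherwise
    # return traffic from the partner has no route back to the cluster.
    if hide_src not in pool:
        problems.append(f"hide NAT source {hide_src} is not in advertised pool {pool}")
    return problems


def new_plan_problems():
    """The NAT pool plan from the thread: expected to pass with no problems."""
    return check_nat_pool(NAT_POOL, HIDE_NAT_SOURCE, CLUSTER_IFACES, BGP_PEERS)


def old_plan_problems():
    """The original setup (hiding behind the cluster address): expected to fail."""
    return check_nat_pool(ip_network("10.20.30.51/32"), ip_address("10.20.30.51"),
                          CLUSTER_IFACES, BGP_PEERS)


if __name__ == "__main__":
    print("new plan:", new_plan_problems() or "OK")
    print("old plan:", old_plan_problems() or "OK")
```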
Hi, all is working now, except for one small issue.
The Juniper routers that we have the BGP sessions with are not updating the MAC addresses quickly enough on cluster failover.
Is there any way to use a VMAC on only one interface, or something like that?
I see the option in my cluster to enable VMAC, but I am a bit worried to use this option, as it may cause a network outage because my whole cluster would use a VMAC all of a sudden...
Hope to hear back from you, thanks in advance.
