Contributor

ISP connection using private IP with routed public IP network

Jump to solution

Hi Checkmates,


My goal is:

1. ClusterXL gateways connected to ISP routers using private addresses;

2. Public network advertised using BGP;

My doubts are:

1. Static route to public network (needed to advertise on BGP) should point to blackhole, loopback, other?

2. Can I NAT both gateways traffic to internet (updates)?

3. Can I terminate IPsec and SSL VPNs on gateways without any problem?


Appreciate all the help you can provide.

Cheers


7 Replies
Admin

You don't necessarily need a route for the public network at all on your gateway.
If you want other addresses accessible via those public IPs, you will need NAT rules of some sort.

For IPsec VPN, you'll need to configure the public static address in Link Selection to terminate VPNs.
SSL VPN should also work though I recall there might be a specific setting necessary to make this work as well.

Contributor

Thank you for your post.

I think the static route is mandatory to advertise the network in BGP.

I'm currently migrating the internet connection from ISP A, using a connected public network, to ISP B with this setup. Hide NAT is working fine and both gateways are able to reach the internet (I didn't have to configure any NAT for this!?)

The only issue I'm currently facing is the remote access VPN. I've made the adjustments in Link Selection, but the clients, using either the web portal or Mobile Access clients, are unable to connect. In the logs I can see that they connect to the new IP, but after that they inexplicably try to connect to the old public IP (somehow the gateway is "telling" them to connect to the old IP address).

Meanwhile I'm working with TAC.

Participant

Yes, you are correct.
BGP needs a route in the RIB (Routing Information Base) to select it as a valid BGP route to advertise.
This route needs to have the correct subnet mask as well.

Hence you may have to add a null or loopback route with the correct mask and network.
Then I usually set new routes with smaller subnets within that advertised network to the correct destinations.

Routing-wise, routes with a more exact match will be used over a larger network.
Therefore you can have both the big networks, and the smaller at the same time, without the bigger one used for BGP disturbing anything.

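The route-selection behaviour described in the reply above (a null/blackhole aggregate with the exact mask so BGP can originate it, plus more-specific routes that win by longest-prefix match) can be modelled in a few lines. This is an added illustration, not code from the thread or from Check Point; the RIB is constructed with RFC 5737 / RFC 1918 documentation addresses, and the /29 "DMZ behind an internal router" entry is an assumed layout, not the poster's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Next hop is an IP address string, or one of two pseudo next hops:
#   "blackhole" - discard (the null/loopback aggregate route from the thread)
#   "connected" - directly attached network
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: str
    protocol: str  # "static" or "connected"


def make_rib():
    """Constructed routing table modelling the thread's setup."""
    return [
        # public /24 as a blackhole aggregate: exists only so BGP can originate it
        Route(ipaddress.ip_network("203.0.113.0/24"), "blackhole", "static"),
        # assumed: a public /29 carved out of the aggregate, reachable via an internal router
        Route(ipaddress.ip_network("203.0.113.16/29"), "10.1.1.2", "static"),
        # private point-to-point link to the ISP router
        Route(ipaddress.ip_network("192.0.2.8/30"), "connected", "connected"),
        # default route towards the ISP router's private address
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.0.2.9", "static"),
    ]


def lookup(rib, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def bgp_advertisable(rib, prefix):
    """A prefix can be originated into BGP only if a route with exactly that
    network and mask is present in the RIB; a covering route is not enough."""
    net = ipaddress.ip_network(prefix)
    return any(r.prefix == net for r in rib)


if __name__ == "__main__":
    rib = make_rib()
    # Address inside the /29: the more specific route wins over the /24 aggregate.
    print(lookup(rib, "203.0.113.20").nexthop)        # 10.1.1.2
    # Unassigned address in the /24: discarded locally instead of following the
    # default route back to the ISP, which would otherwise bounce it around.
    print(lookup(rib, "203.0.113.200").nexthop)       # blackhole
    print(lookup(rib, "198.51.100.7").nexthop)        # 192.0.2.9 (default)
    print(bgp_advertisable(rib, "203.0.113.0/24"))    # True: exact route present
    print(bgp_advertisable(rib, "203.0.113.0/25"))    # False: only covered, no exact match
    without_aggregate = [r for r in rib if r.prefix.prefixlen != 24]
    print(bgp_advertisable(without_aggregate, "203.0.113.0/24"))  # False
```

The `lookup` results show why the aggregate does not "disturb anything": every real destination is matched by a longer prefix first, and the /24 only catches addresses nobody is using. The `bgp_advertisable` results show why the aggregate must exist at all, and with the exact mask.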
Leader

Antonio,

for the remote access problem have a look at 

Remote Access clients can connect to VPN Gateway only once 

and

Configuring VPN Link Selection for Remote Access client 

You have to set the external public IP for the remote access clients. If not, they get the internal IP from your private link with the ISP router in the first connection and then they can't connect again because they try to reach the private IP.

I'm running a similar configuration with no public IPs on the gateway. If you want to use locally running services on the gateway, like MOB or MTA or VPN, you have to do NAT on your ISP router (forwarding the public IP to the local private IP on your gateway) or you have to assign a "fake" interface with one of your public IPs.

regards

Wolfgang

Contributor

Wolfgang,

In option 2 do you mean using a DMZ to terminate the VPN? Does that mean I will need to allocate a /29 network or can I use sk32073 ?

regards

Antonio

Leader
Antonio,

you can use private IPs for the cluster members' IP addresses and use one of the public IPs with /32 as the virtual cluster IP. You don't need to add any routes. No traffic will be leaving this interface, but the local services are listening on this IP.
Wolfgang

Contributor
Excellent. It works!