Antonio_Martins
Contributor

ISP connection using private IP with routed public IP network


Hi Checkmates,


My goal is:

1. ClusterXL gateways connected to ISP routers using private addresses;

2. Public network advertised using BGP;

My doubts are:

1. Static route to public network (needed to advertise on BGP) should point to blackhole, loopback, other?

2. Can I NAT both gateways traffic to internet (updates)?

3. Can I terminate IPsec and SSL VPNs on gateways without any problem?

 

Appreciate all the help you can provide.

Cheers

PhoneBoy
Admin

You don't necessarily need a route for the public network at all on your gateway.
If you want other addresses accessible via those public IPs, you will need NAT rules of some sort.

For IPsec VPN, you'll need to configure the public static address in Link Selection to terminate VPNs.
SSL VPN should also work though I recall there might be a specific setting necessary to make this work as well.

Antonio_Martins
Contributor

Thank you for your post.

I think the static route is mandatory to advertise the network in BGP.

I'm currently migrating the internet connection from ISP A using a connected public network to ISP B with this setup. Hide NAT is working fine and both gateways are able to reach the internet (I didn't have to configure any NAT for this!?)

The only issue I'm currently facing is the remote access VPN. I've made the adjustments in Link Selection but the clients, using either the web portal or Mobile Access clients, are unable to connect. In the logs I can see that they connect to the new IP but after that they inexplicably try to connect to the old public IP (somehow the gateway is "telling" them to connect to the old IP address).

Meanwhile I'm working with TAC.

HenrikJ
Participant

Yes, you are correct.
BGP needs a route in the RIB (Routing Information Base) to select it as a valid BGP route to advertise.
This route needs to have the correct subnet mask as well.

Hence you may have to add a null or loopback route with the correct mask and network.
Then I usually set new routes with smaller subnets within that advertised network to the correct destinations.

Routing-wise, routes with a more exact match will be used over a larger network.
Therefore you can have both the big networks, and the smaller at the same time, without the bigger one used for BGP disturbing anything.

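As an added illustration of the RIB behaviour described in the reply above (example code, not from any participant in the thread or from Check Point): a small Python model of a routing table with longest-prefix match, plus the "exact prefix and mask must exist in the RIB" check that BGP applies before it will originate a network. All prefixes are constructed from RFC 5737 documentation ranges, and the next-hop labels "null0" and "local" are placeholders standing for a blackhole route and an address bound on the gateway itself.

```python
import ipaddress

# Constructed RIB for the pattern in the thread: private link to the ISP router,
# a public aggregate that exists only so BGP can advertise it, and more specific
# routes inside that aggregate pointing at the real destinations.
RIB = [
    ("0.0.0.0/0", "10.10.10.1"),          # default via ISP router on the private link
    ("203.0.113.0/27", "null0"),          # aggregate: blackhole/loopback route with the exact mask
    ("203.0.113.8/29", "192.168.50.1"),   # DMZ segment that uses public addresses
    ("203.0.113.1/32", "local"),          # /32 public VIP bound on the gateway itself
]


def lookup(rib, dst):
    """Longest-prefix match: the most specific route containing dst wins,
    so the big aggregate only catches addresses nothing more specific claims."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def can_advertise(rib, prefix):
    """A BGP 'network' statement is only installed when a route with exactly
    this prefix AND mask is present in the RIB; a covering route is not enough."""
    wanted = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(p) == wanted for p, _ in rib)


if __name__ == "__main__":
    for dst in ("203.0.113.9", "203.0.113.1", "203.0.113.20", "198.51.100.5"):
        print(f"{dst:>15} -> {lookup(RIB, dst)}")
    for pfx in ("203.0.113.0/27", "203.0.113.0/24"):
        print(f"advertise {pfx}: {can_advertise(RIB, pfx)}")
```

Two things the model makes visible: the /27 with a wrong mask (/24) is not advertisable even though the aggregate covers it, and public addresses inside the /27 that have no more specific route land on the blackhole rather than following the default back to the ISP, so unused addresses cannot ping-pong between the gateway and the ISP router.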
Wolfgang
Mentor

Antonio,

for the remote access problem have a look at 

Remote Access clients can connect to VPN Gateway only once 

and

Configuring VPN Link Selection for Remote Access client 

You have to set the external public IP for the remote access clients. If not, they get the internal IP from your private link with the ISP router in the first connection and then they can't connect again because they try to reach the private IP.

I'm running a similar configuration with no public IPs on the gateway. If you want to use locally running services on the gateway, like MOB or MTA or VPN, you have to do NAT on your ISP router (forwarding a public IP to the local private IP on your gateway) or you have to assign a "fake" interface with one of your public IPs.

regards

Wolfgang

Antonio_Martins
Contributor

Wolfgang,

In option 2 do you mean using a DMZ to terminate the VPN? Does that mean I will need to allocate a /29 network or can I use sk32073?

regards

Antonio

Wolfgang
Mentor
Antonio,

you can use private IPs for the cluster members' IP addresses and use one of the public IPs with /32 as the virtual cluster IP. You don't need to add any routes. No traffic will be leaving this interface, but the local services are listening on this IP.
Wolfgang
Antonio_Martins
Contributor
Excellent. It works!
dphonovation
Explorer

Sorry to revive an old thread but I have a similar setup to OP and I'm confused.

My cluster members are 172.17.0.2 and 172.17.0.3. And their VIP is 100.64.76.125 - ie: all private.

I BGP peer with 100.64.76.124 and advertise 81.189.139.96/27 as my publicly reachable BGP range. (Since it's 2 years later and I'm on 81.10 I'm using NAT pool to do this).

How do I then get my cluster members external internet access (for instance, to facilitate CP updates) to NAT their traffic behind 81.189.139.97 (the first IP in the public /27)?

OP says this just worked for him but I'm confused how.

I get the part about setting a static IP address for VPN Link Selection.

Chris_Atkinson
Employee

If the VIP is a public IP it should work otherwise there is another NAT layer required.

If you assigned the external interface address from the BGP ranges you would then be trying to not fold traffic to the provided "private" VIP.

Some of this could be solved with a router external to the firewalls or perhaps with discussion with the ISP rather than trying to "bend" things.
