Hi Checkmates,
My goal is:
1. ClusterXL gateways connected to ISP routers using private addresses;
2. Public network advertised using BGP;
My doubts are:
1. Static route to public network (needed to advertise on BGP) should point to blackhole, loopback, other?
2. Can I NAT both gateways traffic to internet (updates)?
3. Can I terminate IPsec and SSL VPNs on gateways without any problem?
Appreciate all the help you can provide.
Cheers
If the VIP is a public IP it should work otherwise there is another NAT layer required.
If you assigned the external interface address from the BGP ranges you would then be trying to not fold traffic to the provided "private" VIP.
Some of this could be solved with a router external to the firewalls or perhaps with discussion with the ISP rather than trying to "bend" things.
You don't necessarily need a route for the public network at all on your gateway.
If you want other addresses accessible via those public IPs, you will need NAT rules of some sort.
For IPsec VPN, you'll need to configure the public static address in Link Selection to terminate VPNs.
SSL VPN should also work though I recall there might be a specific setting necessary to make this work as well.
Thank you for your post.
I think the static route is mandatory to advertise the network in BGP.
I'm currently migrating internet connection from ISP A using connected public network to ISP B with this setup. Hide NAT is working fine and both gateways are able to reach internet (I didn't have to configure any NAT for this!?)
The only issue I'm currently facing is the remote access VPN. I've made the adjustments in Link Selection but the clients, using either web portal or mobile access clients, are unable to connect. In the logs I can see that they connect to the new IP but after that they inexplicably try to connect to the old public IP (somehow the gateway is "telling" them to connect to the old IP address).
Meanwhile I'm working with TAC.
Yes, you are correct.
BGP needs a route in the RIB (Routing Information Base) to select it as a valid BGP route to advertise.
This route needs to have the correct subnet mask as well.
Hence you may have to add a null or loopback route with the correct mask and network.
Then I usually set new routes with smaller subnets within that advertised network to the correct destinations.
Routing-wise, routes with a more exact match will be used over a larger network.
Therefore you can have both the big networks, and the smaller at the same time, without the bigger one used for BGP disturbing anything.
Antonio,
for the remote access problem have a look at
Remote Access clients can connect to VPN Gateway only once
and
Configuring VPN Link Selection for Remote Access client
You have to set the external public IP for the remote access clients. If not, they get the internal IP from your private link with the ISP router in the first connection and then they can't connect again because they try to reach the private IP.
I'm running a similar configuration with no public IPs on the gateway. If you want to use local running services on the gateway, like MOB or MTA or VPN, you have to do NAT on your ISP router (forwarding public IP to local private IP on your gateway) or you have to assign a "fake" interface with one of your public IPs.
regards
Wolfgang
Wolfgang,
In option 2 do you mean using a DMZ to terminate the VPN? Does that mean I will need to allocate a /29 network or can I use sk32073?
regards
Antonio
Sorry to revive an old thread but I have a similar setup to OP and I'm confused.
My cluster members are 172.17.0.2 and 172.17.0.3. And their VIP is 100.64.76.125 - ie: all private.
I BGP peer with 100.64.76.124 and advertise 81.189.139.96/27 as my publicly reachable BGP range. (Since it's 2 years later and I'm on 81.10 I'm using NAT pool to do this).
How do I then get my cluster members external internet access (for instance, to facilitate CP updates) to NAT their traffic behind 81.189.139.97 (the first ip in the public /27)?
OP says this just worked for him but I'm confused how.
I get the part about setting a static IP address for VPN Link Selection.
If the VIP is a public IP it should work otherwise there is another NAT layer required.
If you assigned the external interface address from the BGP ranges you would then be trying to not fold traffic to the provided "private" VIP.
Some of this could be solved with a router external to the firewalls or perhaps with discussion with the ISP rather than trying to "bend" things.
I did exactly this. I split my first /27 into /29's. Took the first of 4 /29's and split it into /31s and had the ISP use that for direct peering. I then advertised the remaining 3 /29s with BGP.
Thank you