Hi Checkmates,
My goal is:
1. ClusterXL gateways connected to ISP routers using private addresses;
2. Public network advertised using BGP;
My doubts are:
1. Static route to public network (needed to advertise on BGP) should point to blackhole, loopback, other?
2. Can I NAT both gateways traffic to internet (updates)?
3. Can I terminate IPsec and SSL VPNs on gateways without any problem?
Appreciate all the help you can provide.
Cheers
You don't necessarily need a route for the public network at all on your gateway.
If you want other addresses accessible via those public IPs, you will need NAT rules of some sort.
For IPsec VPN, you'll need to configure the public static address in Link Selection to terminate VPNs.
SSL VPN should also work though I recall there might be a specific setting necessary to make this work as well.
Thank you for your post.
I think the static route is mandatory to advertise the network in BGP.
I'm currently migrating internet connection from ISP A using connected public network to ISP B with this setup. Hide NAT is working fine and both gateways are able to reach internet (I didn't have to configure any NAT for this!?)
The only issue I'm currently facing is the remote access VPN. I've made the adjustments in Link Selection but the clients, using either web portal or mobile access clients, are unable to connect. In the logs I can see that they connect to the new IP but after that they inexplicably try to connect to the old public IP (somehow the gateway is "telling" them to connect to the old IP address).
Meanwhile I'm working with TAC.
Yes, you are correct.
BGP needs a route in the RIB (Routing Information Base) to select it as a valid BGP route to advertise.
This route needs to have the correct subnet mask as well.
Hence you may have to add a null or loopback route with the correct mask and network.
Then I usually set new routes with smaller subnets within that advertised network to the correct destinations.
Routing-wise, routes with a more exact match will be used over a larger network.
Therefore you can have both the big networks, and the smaller at the same time, without the bigger one used for BGP disturbing anything.
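An added example (not from the thread) that models the routing logic described in this reply: the aggregate public block sits in the RIB as a null route so BGP can export it with the exact mask, while more-specific routes inside that block and the default route carry the actual traffic. All prefixes and next hops are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: Optional[str]  # None models a null/blackhole next hop


# Constructed sample RIB (documentation prefixes, not real addresses):
#  - 203.0.113.0/24 is the public block to be advertised via BGP. It points
#    at blackhole so the exact /24 exists in the RIB without forwarding anywhere.
#  - 203.0.113.0/29 is the slice of that block actually in use behind the
#    gateway, forwarded to an internal router.
#  - 0.0.0.0/0 is the default route to the ISP router on the private link.
RIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1"),
    Route(ipaddress.ip_network("203.0.113.0/24"), None),
    Route(ipaddress.ip_network("203.0.113.0/29"), "192.168.1.2"),
]


def lookup(rib, dst):
    """Longest-prefix match: the most specific route containing dst wins,
    so the /29 is preferred over the /24 aggregate for in-use addresses."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def bgp_exportable(rib, network):
    """BGP can only advertise a network that is present in the RIB with the
    exact prefix length; a covering or covered route does not count."""
    net = ipaddress.ip_network(network)
    return any(r.prefix == net for r in rib)


if __name__ == "__main__":
    print(lookup(RIB, "203.0.113.5"))      # /29 -> 192.168.1.2
    print(lookup(RIB, "203.0.113.200"))    # unused part of /24 -> blackhole
    print(lookup(RIB, "198.51.100.7"))     # internet -> default via 10.0.0.1
    print(bgp_exportable(RIB, "203.0.113.0/24"))  # True
    print(bgp_exportable(RIB, "203.0.113.0/25"))  # False, mask mismatch
```

Traffic for the unused part of the /24 is dropped by the null route instead of being sent back out the default route toward the ISP, which is also why the aggregate does not disturb the more-specific routes.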
Antonio,
for the remote access problem have a look at
Remote Access clients can connect to VPN Gateway only once
and
Configuring VPN Link Selection for Remote Access client
You have to set the external public IP for the remote access clients. If not, they get the internal IP from your private link with the ISP router in the first connection and then they can't connect again because they try to reach the private IP.
I'm running a similar configuration with no public IPs on the gateway. If you want to use local running services on the gateway, like MOB or MTA or VPN, you have to do NAT on your ISP router (forwarding public IP to local private IP on your gateway) or you have to assign a "fake" interface with one of your public IPs.
regards
Wolfgang
Wolfgang,
In option 2 do you mean using a DMZ to terminate the VPN? Does that mean I will need to allocate a /29 network or can I use sk32073?
regards
Antonio