This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Antonio_Martins
Contributor
‎2020-03-05 01:29 PM

ISP connection using private IP with routed public IP network

Jump to solution

Hi Checkmates,

 

My goal is:

1. ClusterXL gateways connected to ISP routers using private addresses;

2. Public network advertised using BGP;

My doubts are:

1. Static route to public network (needed to advertise on BGP) should point to blackhole, loopback, other?

2. Can I NAT both gateways traffic to internet (updates)?

3. Can I terminate IPsec and SSL VPNs on gateways without any problem?

 

Appreciate all the help you can provide.

Cheers

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Mentor
Mentor
‎2020-03-08 10:03 AM
In response to Antonio_Martins

Jump to solution
Antonio,

you can use private IPs for the cluster members IP addresses and use one of the public IPs with /32 as virtual cluster IP. You don't need to add any routes. No traffic will be leaving this interface, but the local services are listen on this IP.
Wolfgang

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2020-03-07 06:56 PM

Jump to solution

You don't necessarily need a route for the public network at all on your gateway.
If you want other addresses accessible via those public IPs, you will need NAT rules of some sort.

For IPsec VPN, you'll need to configure the public static address in Link Selection to terminate VPNs.
SSL VPN should also work though I recall there might be a specific setting necessary to make this work as well.

0 Kudos
Antonio_Martins
Contributor
‎2020-03-08 01:53 AM
In response to PhoneBoy

Jump to solution

Thank you for your post.

I think the static route is mandatory to advertise the network in BGP.

I'm currently migrating internet connection from ISP A using connected public network to ISP B with this setup. Hide NAT is working fine and both gateways are able to reach internet (I didn't had to configure any NAT for this!?)

The only issue I'm currently facing is the remote access VPN. I've made the adjustments in Link Selection but the clients, using either web portal or mobile access clients, are unable to connect. In the logs I can see that they connect to the new IP but after that the inexplicably try to connect to old public IP (somehow the gateway is "telling" them to connect to oldIP address).

Meanwhile I'm working with TAC.

 
0 Kudos
HenrikJ
Participant
‎2020-03-08 04:37 AM
In response to Antonio_Martins

Jump to solution

Yes, you are correct.
BGP needs a route in the RIB (Routing Information Base) to select it as a valid BGP route to advertise.
This route needs to have the correct subnet mask as well.

Hence you may have to add a null or loopback route with the correct mask and network.
Then I usually set new routes with smaller subnets within that advertised network to the correct destinations.

Routing-wise, routes with a more exact match will be used over a larger network.
Therefore you can have both the big networks, and the smaller at the same time, without the bigger one used for BGP disturbing anything.

0 Kudos
Wolfgang
Mentor
Mentor
‎2020-03-08 05:32 AM
In response to Antonio_Martins

Jump to solution

Antonio,

for the remote access problem have a look at 

Remote Access clients can connect to VPN Gateway only once 

and

Configuring VPN Link Selection for Remote Access client 

You have to set the external public IP for the remote access clients. If not, they get the internal IP from your private link with the ISP router in the first connection and then they can't connect again because they try to reach the private IP.

I'm running a similar configuration with no public IPs on the gateway. I f you want use local running services on the gateway, like MOB or MTA or VPN you have to do NAT on your ISP router (forwarding public IP to local private IP on your gateway) or you have to assign a "fake" interface with one of your public IPs.

regards

Wolfgang

Antonio_Martins
Contributor
‎2020-03-08 05:46 AM
In response to Wolfgang

Jump to solution

Wolfgang,

In option 2 do you mean using a DMZ to terminate the VPN? Does that mean I will need to allocate a /29 network or can I use sk32073 ?

regards

Antonio

0 Kudos
Wolfgang
Mentor
Mentor
‎2020-03-08 10:03 AM
In response to Antonio_Martins

Jump to solution
Antonio,

you can use private IPs for the cluster members IP addresses and use one of the public IPs with /32 as virtual cluster IP. You don't need to add any routes. No traffic will be leaving this interface, but the local services are listen on this IP.
Wolfgang
Antonio_Martins
Contributor
‎2020-03-09 02:10 PM
In response to Wolfgang

Jump to solution
Excelent. It works!
0 Kudos