passing BGP thru a Checkpoint firewall
12-20-2007 08:43 PM - edited 03-03-2019 08:00 PM
I have the following scenario:
rtr1 --- checkpt --- rtr2 --- rtr3
We want to run BGP with a private AS between rtr1 and rtr2 and a public AS between rtr2 and rtr3.
If I open TCP port 179 on the checkpt firewall, BGP between rtr1 and rtr2 would begin.
Should I add a static route on the checkpt firewall for the networks behind rtr1?
How will redistribution work between the private AS and the public AS?
-Sai.
Labels: Routing Protocols

12-20-2007 10:18 PM
Hi,
That would be BGP multihop; the Checkpoint firewall will act as a hop router.
rtr1's gateway is the Checkpoint firewall.
The Checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1.
The Checkpoint firewall's gateway is rtr2.
http://www.cisco.com/warp/public/459/32.html
Why would you like to have BGP peering between rtr1 and rtr2? Are you using public IPs behind rtr1? Wouldn't it be much easier to use static routing?
Regards,
Dandy
12-20-2007 10:27 PM
Hi Dandy,
Thanks for the quick one.
We don't want manual intervention; hence we want dynamic routing between rtr1 and rtr2.
BGP has been considered for its better route selection options.
-Sai.

12-20-2007 10:32 PM
Hi,
I hope there's no BGP from rtr1 to the internet, as you will encounter asymmetric routing and Checkpoint will drop it since it's not stateful.
BTW, on which platform is your Checkpoint running? Nokia/IPSO can run BGP/OSPF/RIP.
Regards,
Dandy
12-20-2007 11:10 PM
Dandy,
There is no internet from rtr1.
I am running Checkpoint on Nortel Alteon; it does support BGP/OSPF/RIP.
My question is: once the BGP peering is formed between rtr1 and rtr2, for every network behind rtr1 does a reverse static route need to be added on the checkpt pointing towards rtr1, and for all forward routes does a route need to be added on the checkpt pointing towards rtr2?
-Sai

12-20-2007 11:32 PM
Hi,
Just follow the same...
rtr1's gateway is the Checkpoint firewall.
The Checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1.
The Checkpoint firewall's gateway is rtr2.
...and you need to statically route the IP addresses of rtr1 and rtr2 that you need for the BGP multihop peering.
Regards,
Dandy
12-20-2007 11:36 PM
Bingo... I got the answer.
My boss was saying that upon enabling BGP there is no need for any static routes on the firewall.
In the true sense, for every new network getting introduced behind rtr1, I need to manually add the network on the Checkpoint pointing towards rtr1.
-Sai.

12-20-2007 11:41 PM
Hi,
Correct.
I have a similar setup but not using a firewall :)
For upstream, since it's the internet, use a default route from rtr1 to the firewall and from the firewall to rtr2 to minimize the changes. For downstream, since you know the networks that will be added behind rtr1, add them on the firewall pointing to rtr1.
Regards,
Dandy
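The point Sai and Dandy converge on, as an added example that is not part of the thread: a small Python forwarding model of rtr1 --- checkpt --- rtr2 with constructed addressing. It shows that the multihop TCP/179 peering is routable once only the two peer addresses are statically routed, while a network behind rtr1 that rtr2 learns over BGP still bounces off the firewall's default route until the Checkpoint gets its own static route back toward rtr1.

```python
import copy, ipaddress

# Constructed addressing for the thread's topology (example, not from the posts); None = directly connected.
#   rtr1 --- checkpt --- rtr2        LAN 192.168.10.0/24 sits behind rtr1
# rtr2 statically routes rtr1's peering address (needed for the multihop session) and then
# learns 192.168.10.0/24 over eBGP with next hop 10.0.1.1, as Dandy describes.
NODES = {
    "rtr1": {"addrs": {"10.0.1.1", "192.168.10.1"},
             "routes": {"10.0.1.0/30": None, "192.168.10.0/24": None, "0.0.0.0/0": "10.0.1.2"}},
    "checkpt": {"addrs": {"10.0.1.2", "10.0.2.1"},
                "routes": {"10.0.1.0/30": None, "10.0.2.0/30": None, "0.0.0.0/0": "10.0.2.2"}},
    "rtr2": {"addrs": {"10.0.2.2"},
             "routes": {"10.0.2.0/30": None, "10.0.1.0/30": "10.0.2.1", "192.168.10.0/24": "10.0.1.1"}},
}

def lpm(routes, dst):
    """Longest-prefix match: next-hop address, None for a connected prefix, 'DROP' for no route."""
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else "DROP"

def forward(nodes, node, dst):
    """Adjacent node `node` hands dst to, 'connected' for a local segment, None if unroutable.
    Next hops resolve recursively: a BGP next hop is itself reached through another route."""
    hop = dst
    for _ in range(4):
        nh = lpm(nodes[node]["routes"], hop)
        if nh == "DROP":
            return None
        if nh is None:  # hop is on a connected segment: find who owns it, or deliver locally
            return next((n for n, d in nodes.items() if str(hop) in d["addrs"]),
                        "connected" if hop == dst else None)
        hop = ipaddress.ip_address(nh)
    return None

def trace(nodes, start, dst):
    """Hop-by-hop path from `start` toward `dst`; ends in 'DROP' on a routing hole or loop."""
    dst, path, node = ipaddress.ip_address(dst), [start], start
    for _ in range(8):
        nxt = "connected" if str(dst) in nodes[node]["addrs"] else forward(nodes, node, dst)
        if nxt is None or nxt == "connected":
            return path if nxt else path + ["DROP"]
        path.append(nxt)
        node = nxt
    return path + ["DROP"]

def with_return_route(nodes):
    """The static route Sai ends up adding on the Checkpoint for each network behind rtr1."""
    fixed = copy.deepcopy(nodes)
    fixed["checkpt"]["routes"]["192.168.10.0/24"] = "10.0.1.1"
    return fixed
```

Without the return route, `trace(NODES, "rtr2", "192.168.10.50")` loops between checkpt and rtr2 and ends in DROP; with it, the same host is reached via checkpt and rtr1 while the peering path is unchanged.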
