02-14-2020 09:34 AM
Hello,
I have a router pointing to 2 firewalls in a high availability cluster (Checkpoint firewall).
The firewall cluster has a virtual IP.
I need to configure a static route on my router where the virtual IP of the firewall is the outgoing IP (i.e. ip route 10.x.x.x 255.255.255.0 [virtual ip]).
However, this is not working, as my packets keep dropping. The Cisco router is not seeing this virtual IP.
Is there a way to include a virtual IP in a static route?
Thank you
02-14-2020 11:32 AM
Since you are able to ping Firewall VIP so ideally this static route should work, check your firewall end for possible routing issues over VIP.
https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Vip-ip-issue/td-p/23361
02-14-2020 09:39 AM
Hi,
There is no concept of virtual IP for the Cisco routers. So, the command you posted here (i.e. ip route 10.x.x.x 255.255.255.0 [virtual ip of the firewall]) is correct. Can you ping the IP address of the firewall? Can the firewall ping the IP address of the Cisco router?
HTH
02-14-2020 09:45 AM
The router can ping the virtual IP of the firewall. The firewall can also ping the router (individually, of course).
However, when I add the virtual IP in the static route, it drops the packet.
If I try to add a static route to one of the firewalls in the cluster, it works. But I don't want this; I want it to hit the ACTIVE firewall. To hit the ACTIVE firewall, it needs the virtual IP.
Can you help please?
02-14-2020 09:59 AM
So, you have 2 firewalls in cluster mode and one Cisco router? Are both firewalls physically connected to the router? Not familiar with the firewall but what type of Cisco device is that? Can you post the router config (sh run) and point out the interfaces connected to the firewalls?
HTH
02-14-2020 10:14 AM - edited 02-14-2020 10:14 AM
I have 2 Checkpoint firewalls (say FW-01 and FW-02 with IPs 192.168.1.1/24 and 192.168.1.2/24, and virtual IP 192.168.1.3/24). Since the cluster is in High Availability, one firewall will be in ACTIVE mode and the other in STANDBY. If the active goes down, the standby becomes active instantly. That's why I need to use the virtual IP rather than the individual IPs of the firewalls, because the virtual IP will redirect to the ACTIVE firewall.
Now the config of my router:
MRU-ROUTER-CE#show run
Building configuration...
*Feb 14 18:11:35.619: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 4440 bytes
!
! Last configuration change at 18:11:35 UTC Fri Feb 14 2020
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MRU-ROUTER-CE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$rUmt$FV9hZ.I754QD0Z/c.Lcag1
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip domain name th3pl4gu3.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
username admin secret 5 $1$BYsm$t829Rly3tUUHhrYpI62oV1
username mervin secret 5 $1$KSy6$UGm.q22xrSfaOShznYCwl/
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description Link to INTERNET
ip address 172.30.43.70 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Link to Mauritius Port-Louis Network
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Link to Mauritius Rose Hill Network
ip address 172.16.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/4
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/5
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/6
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/7
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL_NAT interface GigabitEthernet0/0 overload
ip nat inside source static 172.16.0.10 172.30.43.71
ip route 0.0.0.0 0.0.0.0 172.30.43.3
ip route 10.0.0.0 255.255.255.0 192.168.1.3
ip route 172.16.0.0 255.255.255.0 192.168.1.1
ip route 172.16.0.0 255.255.255.0 192.168.1.2
ip ssh version 2
!
ip access-list standard ACL_NAT
permit 192.168.1.0 0.0.0.255
permit 10.0.0.0 0.0.0.255
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login local
transport input ssh
!
no scheduler allocate
!
end
Version of IOS: 15.6(2)T
Interface G0/1 is facing the firewall.
10.0.0.0/24 is the network that I want to reach through the virtual IP of the firewall.
Hope this helps...
02-14-2020 10:30 AM
My configuration on the router is the one shown above.
The IOS version is 15.6
The interface facing towards the router is G0/1
I have 2 physical firewalls in a cluster (let's say FW-01 (192.168.1.1) & FW-02 (192.168.1.2)).
Since the cluster is configured in High Availability mode, one is ACTIVE and the other is in standby.
The virtual IP will always redirect the traffic to the active firewall.
That's why I need the virtual IP in the static route instead of the individual firewall IPs.
02-14-2020 10:38 PM
It was an issue on virtual MAC!
Thank you so much for this post!
02-14-2020 12:50 PM
I have 2 Physical Firewall in cluster. (let's say FW-01 (192.168.1.1) & FW-02 (192.168.1.2))
That's why i need the virtual ip in the static route instead of individual firewall IPs
The virtual IP should be configured on the firewalls first before it can be added to the router.
So, on the firewall:
FW-01 192.168.1.1
FW-02 192.168.1.2
Virtual IP 192.168.1.3
on the router:
ip route <ip and mask> 192.168.1.3
I think you already have this on the router
HTH
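The thread boils down to one question: does the router's static next hop (the cluster VIP) actually resolve on the connected interface, and to which MAC? The following script is an added example, not code from this thread, from Cisco or from Check Point. It takes the `ip route` lines from the config posted above, the router's interface addresses, and constructed `show ip arp` output (the MAC addresses are made up), and reports next hops that are not in a connected subnet, next hops with no ARP entry, a VIP whose MAC is currently one of the physical members' MACs (so the ARP cache has to move on failover) versus a dedicated virtual MAC, and prefixes load-shared across the individual cluster members. The member-to-member ECMP check goes slightly beyond the thread, which only discusses the VIP route.

```python
"""Offline audit of IOS static routes against the ARP table.

Added example, not part of the thread. All sample data below is constructed:
the route and interface lines mirror the config posted in the thread, the ARP
output and its MAC addresses are invented for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict

# Static routes as they appear in the posted config
STATIC_ROUTES = """
ip route 0.0.0.0 0.0.0.0 172.30.43.3
ip route 10.0.0.0 255.255.255.0 192.168.1.3
ip route 172.16.0.0 255.255.255.0 192.168.1.1
ip route 172.16.0.0 255.255.255.0 192.168.1.2
"""

# Interface addresses from the posted config
INTERFACES = {
    "GigabitEthernet0/0": "172.30.43.70/24",
    "GigabitEthernet0/1": "192.168.1.254/24",
    "GigabitEthernet0/2": "172.16.20.254/24",
}

# Constructed `show ip arp` output; MAC addresses are made up.
# Here the VIP resolves to FW-01's physical MAC, i.e. no dedicated virtual MAC.
ARP_OUTPUT = """
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.30.43.3             5   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  192.168.1.1             3   aaaa.bbbb.0001  ARPA   GigabitEthernet0/1
Internet  192.168.1.2             3   aaaa.bbbb.0002  ARPA   GigabitEthernet0/1
Internet  192.168.1.3             1   aaaa.bbbb.0001  ARPA   GigabitEthernet0/1
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]+)\s+ARPA\s+(\S+)")


def parse_static_routes(text):
    """Return [(network, next_hop)] from `ip route` lines (mask notation)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, ipaddress.ip_address(m.group(3))))
    return routes


def parse_arp(text):
    """Return {ip: (mac, interface)} from `show ip arp` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[ipaddress.ip_address(m.group(1))] = (m.group(2), m.group(3))
    return table


def connected_interface(next_hop, interfaces):
    """Name of the interface whose subnet contains next_hop, or None."""
    for name, cidr in interfaces.items():
        if next_hop in ipaddress.ip_interface(cidr).network:
            return name
    return None


def audit_routes(route_text, interfaces, arp_text, cluster_members, vip):
    """Return a list of (code, message) findings."""
    routes = parse_static_routes(route_text)
    arp = parse_arp(arp_text)
    members = {ipaddress.ip_address(m) for m in cluster_members}
    vip = ipaddress.ip_address(vip)
    findings = []
    hops_by_prefix = defaultdict(set)

    for net, nh in routes:
        hops_by_prefix[net].add(nh)
        iface = connected_interface(nh, interfaces)
        if iface is None:
            findings.append(("NOT_CONNECTED", f"{net} via {nh}: next hop is in no connected subnet"))
        elif nh not in arp:
            findings.append(("NO_ARP", f"{net} via {nh}: no ARP entry on {iface}"))

    # A prefix split across the physical members sends part of the traffic to
    # the standby, which does not forward in an active/standby cluster.
    for net, hops in hops_by_prefix.items():
        shared = sorted(str(h) for h in hops & members)
        if len(shared) > 1:
            findings.append(("ECMP_TO_MEMBERS", f"{net}: load-shared across cluster members {shared}"))

    if vip in arp:
        vip_mac = arp[vip][0]
        owners = sorted(str(m) for m in members if m in arp and arp[m][0] == vip_mac)
        if owners:
            findings.append(("VIP_MAC_SHARED", f"{vip} resolves to member MAC {vip_mac} ({owners}); ARP must move on failover"))
        else:
            findings.append(("VIP_MAC_VIRTUAL", f"{vip} resolves to dedicated MAC {vip_mac}; stable across failover"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_routes(STATIC_ROUTES, INTERFACES, ARP_OUTPUT,
                                  ["192.168.1.1", "192.168.1.2"], "192.168.1.3"):
        print(f"{code:16} {msg}")
```

Run as-is it prints two findings for the posted config: the 172.16.0.0/24 prefix is load-shared across both members, and the VIP currently maps to FW-01's MAC. Feeding it `show ip arp` captured before and after a forced failover is a quick way to see whether the VIP's MAC stays constant (virtual MAC in use) or whether the router has to learn a new one.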