Passing BGP through a Checkpoint firewall

Dec 20th, 2007

I have the following scenario:


rtr1 --- checkpt -- rtr2 ---rtr3


We want to run BGP with a private AS between rtr1 and rtr2 and a public AS between rtr2 and rtr3.


If I open TCP port 179 on the checkpt firewall, BGP between rtr1 and rtr2 would begin.


Should I add a static route on the checkpt firewall for the networks behind rtr1?


How will redistribution work between the private AS and public AS?


-Sai.

Danilo Dy Thu, 12/20/2007 - 22:18

Hi,


That would be BGP multihop; the Checkpoint firewall will act as a hop router.


rtr1's gateway is the Checkpoint firewall

the Checkpoint firewall needs a route to the networks behind rtr1 via rtr1

the Checkpoint firewall's gateway is rtr2


http://www.cisco.com/warp/public/459/32.html


Why would you like to have BGP peering between rtr1 and rtr2? Are you using public IPs behind rtr1? Wouldn't it be much easier to use static routing?


Regards,

Dandy




saimbt Thu, 12/20/2007 - 22:27

Hi Dandy,


Thanks for the quick one.


We don't want manual intervention, hence we want dynamic routing between rtr1 and rtr2.


BGP has been considered for its better route selection options.


-Sai.

Danilo Dy Thu, 12/20/2007 - 22:32

Hi,


I hope there's no BGP from rtr1 to the internet, as you will encounter asymmetric routing and the Checkpoint will drop it since it's not stateful.


BTW, on which platform is your Checkpoint running? Nokia/IPSO can run BGP/OSPF/RIP.


Regards,

Dandy

saimbt Thu, 12/20/2007 - 23:10

Dandy,


There is no internet from rtr1.


I am running Checkpt on Nortel Alteon. It does support BGP/OSPF/RIP.


My question is: once the BGP peering is formed between rtr1 and rtr2, for every network behind rtr1 a reverse static route needs to be added on the checkpt pointing towards rtr1, and for all forward routes a route needs to be added on the checkpt pointing towards rtr2.


-Sai

Danilo Dy Thu, 12/20/2007 - 23:32

Hi,


Just follow the same...

rtr1's gateway is the Checkpoint firewall

the Checkpoint firewall needs a route to the networks behind rtr1 via rtr1

the Checkpoint firewall's gateway is rtr2


...and you need to statically route the IP addresses of rtr1 and rtr2 that you need for BGP multihop peering.


Regards,

Dandy

saimbt Thu, 12/20/2007 - 23:36

Bingo... I got the answer....


My boss was saying that upon enabling BGP there is no need for any static routes on the firewall.


In the true sense, for every new network introduced behind rtr1, I need to manually add the network on the Checkpoint pointing towards rtr1.


-Sai.

Danilo Dy Thu, 12/20/2007 - 23:41

Hi,


Correct.


I have a similar setup but not using firewall :)


For upstream, since it's the internet, use a default route from rtr1 to the firewall and from the firewall to rtr2 to minimize the change. For downstream, since you know the networks that will be added behind rtr1, add them in the firewall pointing to rtr1.


Regards,

Dandy
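The setup Dandy describes, written out as an added configuration example (not posted in the thread, and not Checkpoint or Cisco vendor material). Router lines are Cisco IOS syntax; the firewall part is platform-neutral. All addresses and AS numbers are constructed: 192.0.2.1 = rtr1, 192.0.2.2 = firewall inside, 198.51.100.1 = firewall outside, 198.51.100.2 = rtr2, 203.0.113.2 = rtr3, private AS 65001 on rtr1, AS 64496 on rtr2, AS 64497 on rtr3, and 10.10.0.0/16 as one network behind rtr1.

```ios
! ---- rtr1 (private AS 65001) ----
router bgp 65001
 neighbor 198.51.100.2 remote-as 64496
 ! one intermediate hop (the firewall): TTL 2 is the smallest value that works
 neighbor 198.51.100.2 ebgp-multihop 2
 network 10.10.0.0 mask 255.255.0.0
!
! everything forward goes to the firewall, including the peering address of rtr2
ip route 0.0.0.0 0.0.0.0 192.0.2.2

! ---- Checkpoint firewall (hop router; no BGP of its own) ----
! routes (platform-neutral; add one entry per network introduced behind rtr1)
!   10.10.0.0/16      via 192.0.2.1      (downstream, reverse route to rtr1)
!   0.0.0.0/0         via 198.51.100.2   (upstream default to rtr2)
!   192.0.2.0/24 and 198.51.100.0/24 are directly connected
! policy: permit only the two peers on TCP/179, in both directions,
!         because either router may open the session
!   allow tcp src 192.0.2.1     dst 198.51.100.2 dport 179
!   allow tcp src 198.51.100.2  dst 192.0.2.1    dport 179

! ---- rtr2 (public AS 64496) ----
router bgp 64496
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 ebgp-multihop 2
 neighbor 203.0.113.2 remote-as 64497
 ! strip AS 65001 from the AS-path before rtr1's prefixes reach the public AS
 neighbor 203.0.113.2 remove-private-as
!
! reach rtr1's peering address (and the BGP next hop of 10.10.0.0/16) via the firewall
ip route 192.0.2.0 255.255.255.0 198.51.100.1
```

The firewall only sees both directions of the TCP/179 session if both peering addresses are routed through it, which is why the static routes for the peer addresses must exist before the session will form.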
