passing BGP thru a Checkpoint firewall

Unanswered Question
Dec 20th, 2007

I have the following scenario:

rtr1 --- checkpt -- rtr2 ---rtr3

We want to run BGP with a private AS between rtr1 and rtr2 and a public AS between rtr2 and rtr3.

If I open TCP port 179 on the checkpt firewall, BGP between rtr1 and rtr2 would begin.

Should I add a static route on the checkpt firewall for the networks behind rtr1?

How will redistribution work between the private AS and the public AS?

-Sai.

Danilo Dy Thu, 12/20/2007 - 22:18

Hi,

That would be BGP multihop; the checkpoint firewall will act as a hop router.

rtr1 gateway is checkpoint firewall

checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1

checkpoint firewall gateway is rtr2

http://www.cisco.com/warp/public/459/32.html

Why would you like to have BGP peering between rtr1 and rtr2? Are you using public IP behind rtr1? Wouldn't it be much easier to use static routing?

Regards,

Dandy

saimbt Thu, 12/20/2007 - 22:27

Hi Dandy,

Thanks for the quick one.

We don't want manual intervention, hence we want dynamic routing between rtr1 and rtr2.

BGP has been considered for its better route selection options.

-Sai.

Danilo Dy Thu, 12/20/2007 - 22:32

Hi,

I hope there's no BGP from rtr1 to the internet, as you will encounter asymmetric routing and checkpoint will drop it since it's not stateful.

BTW, on which platform is your checkpoint running? Nokia/IPSO can run BGP/OSPF/RIP.

Regards,

Dandy

saimbt Thu, 12/20/2007 - 23:10

Dandy,

There is no internet from rtr1.

I am running Checkpt on Nortel Alteon. It does support BGP/OSPF/RIP.

My question is: once the BGP peering is formed between rtr1 and rtr2, for every network behind rtr1 a reverse static route needs to be added on the checkpt pointing towards rtr1, and for all forward routes a route needs to be added on the checkpt pointing towards rtr2?

-Sai

Danilo Dy Thu, 12/20/2007 - 23:32

Hi,

Just follow the same...

rtr1 gateway is checkpoint firewall

checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1

checkpoint firewall gateway is rtr2

...and you need to statically route the IP addresses of rtr1 and rtr2 that you need for BGP multihop peering.

Regards,

Dandy

saimbt Thu, 12/20/2007 - 23:36

Bingo... I got the answer.

My boss was saying that upon enabling BGP there is no need for any static routes on the firewall.

In the true sense, for every new network introduced behind rtr1, I need to manually add the network on the checkpoint pointing towards rtr1.

-Sai.

Danilo Dy Thu, 12/20/2007 - 23:41

Hi,

Correct.

I have a similar setup but not using a firewall :)

For upstream, since it's the internet, use a default route from rtr1 to the firewall and from the firewall to rtr2 to minimize the changes. For downstream, since you know the networks that will be added behind rtr1, add them in the firewall pointing to rtr1.

Regards,

Dandy
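To show why the firewall's static routes matter, here is an added Python model of the thread's topology (example code, not from the thread or from Checkpoint; every address, prefix and host name is constructed). It does longest-prefix lookups with recursive next-hop resolution, traces the path of the TCP/179 peering in both directions, and shows that a prefix rtr2 learns from rtr1 over BGP is unusable (it loops between rtr2 and checkpt) until checkpt gets a static route for it pointing to rtr1; it also checks that the return path is the exact reverse of the forward path, which a stateful firewall in the middle requires.

```python
import ipaddress
# Constructed addressing for the thread's topology (assumption, not from the post):
#   host-a --- rtr1 --- checkpt --- rtr2 --- rtr3 --- host-b
# 192.168.10.0/24 sits behind rtr1; 172.16.0.0/16 sits beyond rtr3.
OWNER = {"192.168.10.5": "host-a", "192.168.10.1": "rtr1", "10.0.1.1": "rtr1",
         "10.0.1.2": "checkpt", "10.0.2.2": "checkpt", "10.0.2.1": "rtr2", "10.0.3.1": "rtr2",
         "10.0.3.2": "rtr3", "172.16.0.1": "rtr3", "172.16.0.5": "host-b"}

def base_tables():
    """Routing tables as the thread leaves them: prefix -> next hop, "C" = directly connected."""
    return {
        "host-a":  {"192.168.10.0/24": "C", "0.0.0.0/0": "192.168.10.1"},
        "rtr1":    {"10.0.1.0/24": "C", "192.168.10.0/24": "C", "0.0.0.0/0": "10.0.1.2"},
        "checkpt": {"10.0.1.0/24": "C", "10.0.2.0/24": "C", "0.0.0.0/0": "10.0.2.1"},
        "rtr2":    {"10.0.2.0/24": "C", "10.0.3.0/24": "C", "0.0.0.0/0": "10.0.3.2",
                    "10.0.1.0/24": "10.0.2.2",       # static: reach the multihop peer's address
                    "192.168.10.0/24": "10.0.1.1"},  # learned from rtr1 over BGP, next hop rtr1
        "rtr3":    {"10.0.3.0/24": "C", "172.16.0.0/16": "C", "192.168.10.0/24": "10.0.3.1"},
        "host-b":  {"172.16.0.0/16": "C", "0.0.0.0/0": "172.16.0.1"},
    }

def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items() if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def next_device(table, dst):
    """Resolve recursive next hops (a BGP next hop is rarely connected) to the adjacent device."""
    for _ in range(8):
        nh = lookup(table, dst)
        if nh in (None, "C"):
            return OWNER.get(dst) if nh == "C" else None
        dst = nh
    return None

def trace(tables, start, dst, max_hops=8):
    """Device path from start to dst, or None on a missing route or a forwarding loop."""
    owner, path = OWNER.get(dst), [start]
    while path[-1] != owner and len(path) <= max_hops:
        nxt = next_device(tables.get(path[-1], {}), dst)
        if nxt is None or nxt in path:
            return None
        path.append(nxt)
    return path if path[-1] == owner else None

def symmetric(tables, a, b):
    """True when b->a is the exact reverse of a->b, which a stateful firewall in the path needs."""
    fwd, rev = trace(tables, OWNER[a], b), trace(tables, OWNER[b], a)
    return fwd is not None and rev == fwd[::-1]
```

Setting `tables["checkpt"]["192.168.10.0/24"] = "10.0.1.1"` is the manual static route Sai concludes is needed for every new network behind rtr1; without it `trace(tables, "rtr2", "192.168.10.5")` returns None.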
