passing BGP thru a Checkpoint firewall

saimbt
Level 1

I have the following scenario:

rtr1 --- checkpt -- rtr2 ---rtr3

We want to run BGP with a private AS between rtr1 and rtr2 and a public AS between rtr2 and rtr3.

If I open TCP port 179 on the checkpt firewall, BGP between rtr1 and rtr2 would begin.

Should I add a static route on the checkpt firewall for the networks behind rtr1?

How will redistribution work between the private AS and the public AS?

-Sai.

7 Replies

Danilo Dy
VIP Alumni

Hi,

That would be BGP multihop; the checkpoint firewall will act as a hop router.

rtr1 gateway is checkpoint firewall

checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1

checkpoint firewall gateway is rtr2

http://www.cisco.com/warp/public/459/32.html

Why would you like to have BGP peering between rtr1 and rtr2? Are you using public IP behind rtr1? Wouldn't it be much easier to use static routing?

Regards,

Dandy

Hi Dandy,

Thanks for the quick one.

We don't want manual intervention, hence we want dynamic routing between rtr1 and rtr2.

BGP has been thought of for better route selection options.

-Sai.

Hi,

I hope there's no BGP from rtr1 to the internet, as you will encounter asymmetric routing and the checkpoint will drop it since it's not stateful.

BTW, on which platform is your checkpoint running? Nokia/IPSO can run BGP/OSPF/RIP.

Regards,

Dandy

Dandy,

There is no internet from rtr1.

I am running Checkpt on Nortel Alteon. It does support BGP/OSPF/RIP.

My question is: once the BGP peering is formed between rtr1 and rtr2, for every network behind rtr1 a reverse static route needs to be added on the checkpt pointing towards rtr1, and for all forward routes a route needs to be added on the checkpt pointing towards rtr2.

-Sai

Hi,

Just follow the same...

rtr1 gateway is checkpoint firewall

checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1

checkpoint firewall gateway is rtr2

...and you need to statically route the IP addresses of rtr1 and rtr2 that you need for BGP multihop peering.

Regards,

Dandy

Bingo... I got the answer....

My boss was saying that upon enabling BGP there is no need for any static routes on the firewall.

In the true sense, for every new network getting introduced behind rtr1, I need to manually add the network on the checkpoint pointing towards rtr1.

-Sai.

Hi,

Correct.

I have a similar setup but not using firewall :)

For upstream, since it's the internet, use a default route from rtr1 to the firewall and from the firewall to rtr2 to minimize the change. For downstream, since you know the networks that will be added behind rtr1, add them on the firewall pointing to rtr1.

Regards,

Dandy
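The thread's conclusion is that the firewall in the middle never learns the prefixes carried by the BGP session it forwards, so each network behind rtr1 needs a matching static route on the firewall, and a covering route that points the wrong way (for example at rtr2) is just as broken as no route. The following is an added example, not code from the thread or from Check Point: a small audit of a firewall's static route table against the prefixes rtr1 announces. All addresses, prefixes and next hops are constructed sample values.

```python
"""Audit a firewall's static routes against prefixes announced by rtr1.

Scenario from the thread: rtr1 --- firewall --- rtr2, BGP multihop between
rtr1 and rtr2 passes through the firewall, which learns nothing from it.
Every prefix behind rtr1 must therefore resolve, by longest-prefix match on
the firewall, to rtr1 as next hop. Addresses below are constructed.
"""
import ipaddress

# Constructed topology values (assumptions, not from the thread).
RTR1 = ipaddress.ip_address("10.0.1.1")  # inside hop, rtr1-facing neighbour
RTR2 = ipaddress.ip_address("10.0.2.1")  # outside hop, firewall's default gateway

# Firewall static routing table as (prefix, next_hop) pairs. Constructed sample.
FIREWALL_ROUTES = [
    ("0.0.0.0/0", "10.0.2.1"),        # forward: everything toward rtr2
    ("192.168.10.0/24", "10.0.1.1"),  # reverse: a network behind rtr1
    ("192.168.20.0/24", "10.0.1.1"),
    ("172.16.0.0/16", "10.0.2.1"),    # covers 172.16.5.0/24 but points at rtr2
]


def lookup(routes, prefix):
    """Longest-prefix match: the next hop the firewall would use for every
    address in `prefix`, or None when no route covers the whole prefix."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p, nh in routes:
        cand = ipaddress.ip_network(p)
        if net.subnet_of(cand) and (best is None or cand.prefixlen > best[0].prefixlen):
            best = (cand, ipaddress.ip_address(nh))
    return best[1] if best else None


def missing_reverse_routes(routes, announced_prefixes, rtr1=RTR1):
    """Prefixes announced by rtr1 whose firewall lookup does not resolve to
    rtr1: these are the entries that must be added by hand (the default
    route toward rtr2 silently swallows any prefix that is missing)."""
    return [p for p in announced_prefixes if lookup(routes, p) != rtr1]


if __name__ == "__main__":
    # Constructed set of prefixes rtr1 currently announces over BGP.
    announced = ["192.168.10.0/24", "192.168.30.0/24", "172.16.5.0/24"]
    for p in missing_reverse_routes(FIREWALL_ROUTES, announced):
        print(f"{p}: firewall sends it to {lookup(FIREWALL_ROUTES, p)}, expected {RTR1}")
```

Run it with the firewall's route table and a current dump of rtr1's announced prefixes whenever a network is added behind rtr1; anything it prints will be blackholed toward rtr2 until the static route is added.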
