BGP Through Checkpoint Firewall.

Unanswered Question
Jun 11th, 2010


In preparation for a new ISP connection I have set up a router to ensure connectivity to our new ISP. The routers are working, the BGP session is established and the default route is delivered from the ISP.

Now, what I'm trying to do is take the router behind a CheckPoint (R70.3 on SPLAT) and establish the BGP session. I am using Network Address Translation on the firewall to translate the internal router address to the neighbor address the ISP is expecting.

I can ping from the internal router to the external gateway and the BGP neighbor. However, the BGP session will not establish. I see a BGP request go out and also a request come in from the ISP's router, but it does not establish.

When it was working, i.e. testing from a router externally, I had the ebgp-multihop set to 2. I am assuming this would stay the same internally.

Any pointers would be greatly appreciated.


ewenpa Fri, 06/11/2010 - 05:56

The BGP rule is there for TCP connectivity on port 179. The internal router is only reaching the OpenConfirm state, which would suggest traffic has been passed in both directions?

So close I know it.


gatlin007 Fri, 06/11/2010 - 08:57

To get a BGP session to work through an ASA we must disable 'TCP random sequence numbers'; perhaps something similar is happening with the CheckPoint.

If you are using an MD5 hash with your BGP session, that also has to be accounted for in the ASA by allowing a specific TCP option; not sure if the CheckPoint is also intrusive in that regard.


ewenpa Mon, 06/14/2010 - 02:43


That sounds about right, I am getting:

%TCP-6-BADAUTH: Invalid MD5 digest from x.x.x.x(15555) to x.x.x.x(179)

Passwords are correct as this has been checked by testing with the firewall out of the equation.

Will see what checkpoint have to offer on this problem.


ewenpa Tue, 06/29/2010 - 09:14

Problem resolved by not using NAT. It appears that the source and destination IP addresses are used somewhere in the MD5 computation. All working now, but I had to find out the hard way; just lucky that our ISP is very accommodating.
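The resolution above is exactly what RFC 2385 predicts: the TCP MD5 signature option is computed over the TCP pseudo-header, which contains the source and destination IP addresses, so a firewall that rewrites either address invalidates the digest on every segment. The following is an added illustration, not code from this thread or from Cisco or Check Point; the addresses and secret are constructed, and the port pair 15555/179 is taken from the log line quoted earlier.

```python
import hashlib
import ipaddress
import struct

# Constructed sample addresses and secret (documentation ranges), not the poster's real ones.
INTERNAL_ROUTER = "10.0.0.2"       # router behind the CheckPoint, pre-NAT address
NAT_ADDRESS = "198.51.100.2"       # translated address the ISP expects as its neighbor
ISP_NEIGHBOR = "203.0.113.1"
SECRET = b"constructed-bgp-secret"
MD5_OPT_LEN = 20                   # kind 19 + len 18 + 16-byte digest + 2 NOP bytes


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload, key):
    """RFC 2385 signature: MD5 over the TCP pseudo-header, the 20-byte fixed TCP
    header with checksum zeroed (options excluded), the segment data, and the key."""
    seg_len = 20 + MD5_OPT_LEN + len(payload)       # length on the wire, options included
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))  # zero, protocol TCP, segment length
    data_offset = (20 + MD5_OPT_LEN) // 4           # header length in 32-bit words
    fixed_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                            data_offset << 4, flags, 65535, 0, 0)  # checksum, urgent = 0
    return hashlib.md5(pseudo + fixed_hdr + payload + key).digest()


def session_through_nat(nat_active):
    """Return (router_to_isp_ok, isp_to_router_ok): whether each side's digest
    verifies given the addresses each endpoint actually sees in the IP header."""
    router_ip = INTERNAL_ROUTER if nat_active else NAT_ADDRESS
    syn, syn_ack = 0x02, 0x12
    # Router -> ISP: the router signs with its own source address; the ISP verifies
    # against the source address that arrives on the wire (post-NAT).
    sent = tcp_md5_digest(router_ip, ISP_NEIGHBOR, 15555, 179, 1000, 0, syn, b"", SECRET)
    expected = tcp_md5_digest(NAT_ADDRESS, ISP_NEIGHBOR, 15555, 179, 1000, 0, syn, b"", SECRET)
    out_ok = sent == expected
    # ISP -> router: the ISP signs with destination NAT_ADDRESS; after the firewall
    # rewrites the destination, the router verifies against its own address.
    sent = tcp_md5_digest(ISP_NEIGHBOR, NAT_ADDRESS, 179, 15555, 5000, 1001, syn_ack, b"", SECRET)
    expected = tcp_md5_digest(ISP_NEIGHBOR, router_ip, 179, 15555, 5000, 1001, syn_ack, b"", SECRET)
    in_ok = sent == expected
    return out_ok, in_ok


if __name__ == "__main__":
    print("with NAT   :", session_through_nat(True))   # (False, False): the %TCP-6-BADAUTH case
    print("without NAT:", session_through_nat(False))  # (True, True)
```

Because both directions fail, the only fixes are to give the router the address the ISP peers with (as the poster did) or to have the ISP accept the pre-NAT address; no firewall rule on port 179 alone can repair the digest.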


