I have a bit of an issue. We have a T1 link from our parent company. It's on a 2621 router. This router is locked down tight.
We are running several load balanced firewalls (Checkpoint cluster, ISA cluster). I need to add the T1 link into the firewalls' DMZ, but in order to do this I need to add a static ARP entry on the router so it can see the firewalls. Our parent company will not do this for us, as they want us to be on their LAN (not happening). So I thought of using OSPF, so on the switch I configured the following:
router ospf 10
network 10.177.0.0 0.0.255.255 area 1
network 10.46.0.0 0.0.255.255 area 1
I am having a hard time receiving the tables from the firewalls. It will not populate any information at all.
I tried setting up routing between them, but again they would need to add a static route back to us.
So I know that NATing the traffic would work, but we don't have an extra router lying around anywhere. So I tried it in our Linkproof T1 balancer, but it needs to be able to ping the IP address of the router before it can bring up the link to pass traffic. So the firewalls are the only choice I have that is free and fast, and I need high availability through it; that's why I would put them in the load balanced firewalls.
Does anyone have any suggestions as to how I can get this to work (painlessly I might add)? Is there a version of an IOS for the 4500 sup4 that can do NAT? Or how can I get the broadcast tables from the firewalls to broadcast to the internal 4500?
Okay, so.... You have:
checkpoint--4500 switch--2621--T1 to corporate
Now, what I'm confused about is this: Are the checkpoint and 2621 on the same ip segment? It appears they aren't, from the problem description you're giving above? And, rather than put them in the same ip address space, you're trying to get the 2621 to forward ip traffic towards the checkpoint although the checkpoint is on a separate subnet?
You could try and run nat on the switch, but then it becomes a router, not a switch, with one side on the same subnet as the 2621, and the other side on the same subnet as the checkpoint. Why would you need nat if you make the 4500 into a router? It should just route between the two segments.
Could you also put a secondary address on the checkpoint's ethernet side, so it lives in both subnets at the same time?
There's no way to set up routing across mismatched subnets like this, since all of the rp's will catch the mismatched subnet address space and fail to build an adjacency.
Or, maybe, I've totally misread the problem. :-)
The firewalls and the 2621 are not on the same segment. VLAN 10 of the 4500 is, though, on the same segment as the firewalls.
I want to plug it into a separate "zone" on the firewalls but need to do it by their dedicated IP address and not the load balanced address "vip", but I CAN'T have routes on the 4500 of the following:
ip route 10.177.0.0 255.255.0.0 10.0.16.45
ip route 10.177.0.0 255.255.0.0 10.0.16.46
If the one firewall goes down then it will always route to the first static statement. That's why I wanted to use OSPF.
Here is an example:
Firewalls (Checkpoint, and ISA)
DMZ Private _ _ _ _ |_ _ _ _ DMZ ( Public address)
GIG Link |
Are you trying to plug the 2621 into the dmz directly, so it's inside your firewalls, or into the outside of the firewalls, so you have a firewall between yourself and the corporate link? Are you running ospf in your network now? Is the 2621 configured to run ospf on its ethernet interface?
If you're trying to plug the ethernet of the 2621 into the dmz, then just configure the 4500 with one routed interface in the same ethernet segment as the ethernet of the 2621, and then let it route out to the dmz. If you're trying to get the 2621 on the outside of your firewalls, then you would need to route between the ethernet segment on the 2621 and the outside interface of the firewalls, or put out a secondary on the firewalls in the right ip address range to make them talk to the 2621.
The 2621 will be outside the private segment on the firewalls, just like it was an internet connection. Then the internal LAN and then the 4503. I want to run OSPF on the 4503 and get the broadcasts from the firewalls.
Hmmm.... I think what you are saying is this:
You have to run the traffic to the corp network onto a separate zone on the dmz side of the firewalls. This means you can't depend on learning the path to the corp network destinations through the default route, since the default route brings you to the "normal internet traffic zones" on the firewalls.
So, what you want to do is to run a static route to the 2621 off the firewalls (?), but your first problem is getting traffic back from the 2621 into the firewalls, since the 2621 has to know how to reach the nat pools on the firewalls. Is this correct? There's no way around this one, other than to set up a separate nat pool on the firewalls that put your outbound traffic into the range of addresses the 2621 is expecting, unless they have ospf running on the ethernet interface, and you can get the firewalls to advertise their nat pools to the 2621, and the corp guys to accept that advertisement (they may not want to).
The second problem seems to be that you are trying to run ospf between the 4503 and the firewalls, so you can learn the corp destinations through the correct "zone" from both firewalls. But, this is a two tiered problem, it seems. The first tier is that you have to run ospf from the firewalls to the 4503 to exchange routes there. Not knowing the checkpoint, I can't tell you how to configure that on the checkpoint end, nor if you can advertise just the routes you want. The second is that you have to run ospf from the checkpoint and other firewall to the 2621, and make certain the firewalls will pass the routes through correctly to the 4503. I'm not certain the firewalls will do this.
Is this all a correct description of the problem?
Another option, if it is, might be to run bgp with the corp router, redistributing ospf into and out of bgp on both ends. Then you could use statics on the 4503 to reach the 2621, and a static on the 2621 to reach the 4503, and use a multihop ebgp session, with a hole punched through the firewall, to get the right routing information.
I'm not certain if any of this solves your problem, though.
Correct, and to make things even worse, the managers of the router will not work with us on any settings. They will not change a single thing on that router.
So I am stuck with having it in one firewall only and letting the firewall handle all NAT traffic. If that firewall goes down then the link is down.
I know they are not running OSPF on the 2621, so even if I got it to work, the 2621 will not advertise to the firewalls.
I guess I am stuck with what I have.
Thanks for your help.
Hmm... Why not put them in the same zone as the internet traffic, so you can use the default route to reach the corporate side networks (can you set up different security preferences on the firewalls based on the destination address, rather than just the zone? It might be harder to administer, but it would solve the problem, perhaps). You could translate into the address range the corp guys gave you based on the destination address--if the destination is in the corp network, then translate the source into one pool. If it's not, translate into another pool.
Then you could connect the outside interface of the firewalls to a routed interface on the 4503, maybe, and the load balancer out to the internet as well. You could set another routed port on the 4503 in the ip address range they want you to use, and connect that to the ethernet side of the 2621.
The problem here is that I can't really draw a picture of what I want. :-) Something like this:
+--router1---2621--to corp network
+--router to internet
Behind both FW's is the 4500, and your DMZ, and such.
So, the processing would look like this:
-- If a firewall receives traffic destined to the corp network, translate it using a pool which makes it look like it originated on the ethernet between router1 and the 2621.
-- If a firewall receives traffic destined to the internet, translate it into your normal public address pool.
-- Follow a static to all corp destinations through router1, which would have a static, or run ospf with, the 2621.
-- Follow the default to all internet destinations.
-- From the 2621, everything looks like it's sourced from just behind it, so the routing from the corp network there is easy, or it should be.
Does this make sense? I don't know the firewalls you're using well enough to know if all of this is possible, but it would be on a pix, so I assume it is there. Router1 is just a couple of routed ports on the 4503.... I think this would work.
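The design in the reply above, written out as an added example (not configuration from the thread or from the poster's equipment): the 4503 "router1" side in IOS, and the firewall side in PIX 6.x syntax because the reply uses a PIX as its point of comparison (the actual Check Point and ISA configuration differs). Addresses taken from the thread are 10.177.0.0/16 as the corp network, 10.46.0.0/16 as the internal LAN and 10.0.16.45/.46 as the firewalls; everything else (the 192.0.2.0/24 corp-assigned segment and its NAT pool, 203.0.113.0/24 as the public pool, port names, the 10.0.16.1, 10.0.16.44 and 10.0.16.254 addresses) is an assumed placeholder.

```cisco
! Added example, not from the thread. Assumed placeholders: 192.0.2.0/24 is the
! corp-assigned segment toward the 2621 (2621 at .1), 192.0.2.16/28 the NAT pool
! for corp-bound traffic, 10.0.16.0/24 the firewall outside segment (4503 at .1,
! firewall cluster address .44, internet gateway .254), 203.0.113.0/24 the
! normal public pool.
!
! ---- 4503 as "router1": two routed ports and statics ----
ip routing
!
interface GigabitEthernet1/1
 description to the 2621 ethernet, in the range corp assigned
 no switchport
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet1/2
 description outside segment shared with both firewall outside interfaces
 no switchport
 ip address 10.0.16.1 255.255.255.0
!
! corp destinations: static toward the 2621 (or OSPF with it, if corp ever allows)
ip route 10.177.0.0 255.255.0.0 192.0.2.1
! return traffic for the corp-bound pool goes back to the firewalls; two statics
! would be the same failover problem the poster described, so a single cluster
! address (assumed) is used here
ip route 192.0.2.16 255.255.255.240 10.0.16.44
! the 2621 ARPs for pool addresses as if they were on its own segment, so the
! 4503 must answer for them on Gi1/1 (assumption: proxy ARP is on by default in
! IOS; if it does not answer for same-subnet targets, ip local-proxy-arp may be
! needed on that interface)
!
! ---- firewall, PIX 6.x syntax as the reply's analogy (not Check Point/ISA) ----
! policy NAT: traffic to corp is sourced from the pool on the router1-2621 segment
access-list TO-CORP permit ip 10.46.0.0 255.255.0.0 10.177.0.0 255.255.0.0
nat (inside) 2 access-list TO-CORP
global (outside) 2 192.0.2.17-192.0.2.30
! everything else: the normal public pool
nat (inside) 1 10.46.0.0 255.255.0.0
global (outside) 1 203.0.113.10-203.0.113.20
! corp destinations via router1, default via the internet gateway
route outside 10.177.0.0 255.255.0.0 10.0.16.1 1
route outside 0.0.0.0 0.0.0.0 10.0.16.254 1
```

On a PIX the access-list form of nat is evaluated before the plain nat statement, which is what makes the destination-based split between the two pools work.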