BGP Through Checkpoint Firewall.

Help,

In preparation for a new ISP connection I have set up a router to ensure connectivity to our new ISP. The routers are working, the BGP session is established and the default route is delivered from the ISP.

Now, what I'm trying to do is take the router behind a CheckPoint (R70.3 on SPLAT) and establish the BGP session. I am using Network Address Translation on the firewall to translate the internal router address to the neighbor address the ISP is expecting.

I can ping from the internal router to the external gateway and the BGP neighbor. However, the BGP session will not establish. I see a BGP request go out and also a request come in from the ISP's router, but it does not establish.

When it was working, i.e. testing from a router externally, I had the ebgp-multihop set to 2. I am assuming this would stay the same internally.

Any pointers would be greatly appreciated.

P.


Re: BGP Through Checkpoint Firewall.

BGP uses TCP to create/establish neighbors. Allow TCP 179 through the firewall and increase your multihop to 3.

HTH


Re: BGP Through Checkpoint Firewall.

The BGP rule is there for TCP connectivity on port 179. The internal router is only reaching the OpenConfirm state, which would suggest traffic has been passed in both directions?

So close I know it.

P.

Re: BGP Through Checkpoint Firewall.

Sounds to me like the internal router is waiting for a reply. What does the log show in the CP firewall? Can you see the reply from the external BGP speaker? Have you checked that the NAT address is correct?


Re: BGP Through Checkpoint Firewall.

To get a BGP session to work through an ASA we must disable 'TCP random sequence numbers'; perhaps something similar is happening with the Checkpoint.

If you are using an MD5 hash with your BGP session, that also has to be accounted for in the ASA by allowing a specific TCP option; not sure if the Checkpoint is also intrusive in that regard.

Chris


Re: BGP Through Checkpoint Firewall.

Hi,

That sounds about right. I am getting:

%TCP-6-BADAUTH: Invalid MD5 digest from x.x.x.x(15555) to x.x.x.x(179)

Passwords are correct, as this has been checked by testing with the firewall out of the equation.

Will see what Checkpoint have to offer on this problem.

P.


Re: BGP Through Checkpoint Firewall.

Problem resolved by not using NAT. It appears that the source and destination IP addresses are used somewhere in the MD5 computation. All working now, but had to find out the hard way; just lucky that our ISP is very accommodating.

P.
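The conclusion of the last post is exactly what RFC 2385 (the TCP MD5 Signature Option) specifies: the digest is MD5 over a TCP pseudo-header (source IP, destination IP, protocol, TCP length), the fixed 20-byte TCP header with the checksum zeroed, the segment data, and finally the shared key. A NAT device rewrites the source address in the IP header but cannot recompute the digest because it does not hold the key, so the receiving speaker's own computation no longer matches and Cisco IOS logs %TCP-6-BADAUTH. The following Python script is an added example, not code from the thread or from Checkpoint or Cisco, that implements the RFC 2385 digest and replays the session open with and without address translation. The IP addresses (RFC 5737 documentation ranges), sequence number and password are constructed for illustration; only the 15555/179 port pair is taken from the log line in the thread.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP = 6


def tcp_fixed_header(sport, dport, seq, ack, flags, window=65535, opt_len=0):
    """The 20-byte TCP header RFC 2385 feeds to MD5: options are excluded
    and the checksum field is zero, but the data offset still counts the
    options the real segment carries (the 18-byte MD5 option is padded to
    20 bytes on the wire)."""
    data_offset_words = (20 + opt_len + 3) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """RFC 2385 section 2.0: MD5 over the TCP pseudo-header, the fixed TCP
    header, the segment data and then the shared key. The pseudo-header is
    where the source and destination IP addresses enter the calculation."""
    tcp_length = (header[12] >> 4) * 4 + len(payload)  # header incl. options + data
    pseudo_header = struct.pack("!4s4sBBH",
                                socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                                0, IPPROTO_TCP, tcp_length)
    return hashlib.md5(pseudo_header + header + payload + key).digest()


def verify_md5_option(received_digest, src_ip, dst_ip, header, payload, key):
    """What the receiving BGP speaker does for every segment of a signed
    session: recompute over the addresses it actually saw and compare in
    constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received_digest, expected)


# Constructed addresses (RFC 5737 documentation ranges), not the thread's real ones.
INTERNAL_ROUTER = "192.0.2.10"       # real address of the router behind the firewall
NAT_ADDRESS = "198.51.100.10"        # address the firewall presents to the ISP
ISP_ROUTER = "203.0.113.1"
SHARED_KEY = b"example-bgp-key"      # constructed for the example, not a real key


def simulate_session_open(nat_rewrites_source):
    """One signed SYN from the internal router towards the ISP, using the
    15555 -> 179 port pair from the thread's log line. Returns True when the
    ISP side accepts the digest, False when it would log a BADAUTH."""
    syn = tcp_fixed_header(sport=15555, dport=179, seq=0x1234ABCD, ack=0,
                           flags=0x02, opt_len=20)  # SYN carrying the MD5 option
    # The sender signs with the addresses it writes into its own IP header.
    digest = tcp_md5_digest(INTERNAL_ROUTER, ISP_ROUTER, syn, b"", SHARED_KEY)
    # A NAT rewrites the source IP; the TCP header, payload and digest are
    # forwarded unchanged because the firewall has no key to re-sign with.
    src_seen_by_isp = NAT_ADDRESS if nat_rewrites_source else INTERNAL_ROUTER
    # The receiver recomputes over the packet as it arrived.
    return verify_md5_option(digest, src_seen_by_isp, ISP_ROUTER, syn, b"", SHARED_KEY)


if __name__ == "__main__":
    for nat in (False, True):
        result = "accepted" if simulate_session_open(nat) else "invalid MD5 digest"
        print(f"NAT {'on ' if nat else 'off'}: {result}")
```

The same mismatch occurs in the return direction, since the ISP signs with the NAT address as the destination while the internal router recomputes with its own. The usual fixes are the one the thread arrived at (no translation on the BGP peering, e.g. the firewall routing the real router address), or terminating the signed session on a device that owns the address the peer sees; a middlebox that also strips or mangles TCP options (the ASA point raised earlier) breaks the option independently of NAT.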
