Cisco Support Community

passing BGP thru a Checkpoint firewall

I have the following scenario:

rtr1 --- checkpt --- rtr2 --- rtr3

We want to run BGP with a private AS between rtr1 and rtr2 and a public AS between rtr2 and rtr3.

If I open TCP port 179 on the Checkpoint firewall, BGP between rtr1 and rtr2 would begin.

Should I add a static route on the Checkpoint firewall for the networks behind rtr1?

How will redistribution work between the private AS and the public AS?

-Sai.

7 REPLIES

Re: passing BGP thru a Checkpoint firewall

Hi,

That would be BGP multihop; the Checkpoint firewall will act as a hop router.

rtr1's gateway is the Checkpoint firewall.

The Checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1.

The Checkpoint firewall's gateway is rtr2.

http://www.cisco.com/warp/public/459/32.html

Why would you like to have BGP peering between rtr1 and rtr2? Are you using public IPs behind rtr1? Wouldn't it be much easier to use static routing?

Regards,

Dandy


Re: passing BGP thru a Checkpoint firewall

Hi Dandy,

thanks for the quick one.

We don't want manual intervention, hence we want dynamic routing between rtr1 and rtr2.

BGP has been thought of for its better route selection options.

-Sai.

Re: passing BGP thru a Checkpoint firewall

Hi,

I hope there's no BGP from rtr1 to the internet, as you will encounter asymmetric routing and the Checkpoint will drop it since it's not stateful.

BTW, on which platform is your Checkpoint running? Nokia/IPSO can run BGP/OSPF/RIP.

Regards,

Dandy


Re: passing BGP thru a Checkpoint firewall

Dandy,

There is no internet from rtr1.

I am running Checkpoint on Nortel Alteon; it does support BGP/OSPF/RIP.

My question is: once the BGP peering is formed between rtr1 and rtr2, for every network behind rtr1 a reverse static route needs to be added on the Checkpoint pointing towards rtr1, and for all forward routes a route needs to be added on the Checkpoint pointing towards rtr2.

-Sai

Re: passing BGP thru a Checkpoint firewall

Hi,

Just follow the same:

rtr1's gateway is the Checkpoint firewall.

The Checkpoint firewall needs a route for the network behind rtr1 pointing to rtr1.

The Checkpoint firewall's gateway is rtr2.

...and you need to statically route the IP addresses of rtr1 and rtr2 that you need for the BGP multihop peering.

Regards,

Dandy


Re: passing BGP thru a Checkpoint firewall

Bingo... I got the answer.

My boss was saying that upon enabling BGP there would be no need for any static routes on the firewall.

In the true sense, for every new network introduced behind rtr1, I need to manually add the network on the Checkpoint pointing towards rtr1.

-Sai.

Re: passing BGP thru a Checkpoint firewall

Hi,

Correct.

I have a similar setup but not using firewall :)

For upstream, since it's the internet, use a default route from rtr1 to the firewall and from the firewall to rtr2 to minimize the changes. For downstream, since you know the networks that will be added behind rtr1, add them in the firewall pointing to rtr1.

Regards,

Dandy
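As an added example that is not part of the original thread, here is a Cisco IOS configuration for the setup Dandy describes in his replies above: multihop eBGP between rtr1 (private AS) and rtr2 (public AS) with the Checkpoint as the intermediate hop, a default route upstream from rtr1 through the firewall, and per-network static routes on the firewall pointing back to rtr1. It also answers Sai's original redistribution question with `remove-private-as` on rtr2's session to rtr3. All addresses, interface names and AS numbers (65001 private; 64496 and 64497 from the documentation range) are constructed for illustration. The Checkpoint/Nortel Alteon routes are shown as plain entries because the thread does not give that platform's CLI syntax.

```cisco
! === rtr1 (private AS 65001) ===
! Constructed addressing: rtr1 10.0.1.1 <-> firewall 10.0.1.2 on 10.0.1.0/30
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.252
!
! Upstream: a single default toward the firewall (Dandy's suggestion);
! it also carries the BGP session to rtr2's peering address.
ip route 0.0.0.0 0.0.0.0 10.0.1.2
!
router bgp 65001
 bgp log-neighbor-changes
 ! rtr2 is two hops away (rtr1 -> firewall -> rtr2), so allow TTL 2.
 neighbor 10.0.2.2 remote-as 64496
 neighbor 10.0.2.2 ebgp-multihop 2
 neighbor 10.0.2.2 update-source GigabitEthernet0/0
 ! Network behind rtr1 that rtr2 should learn; the exact prefix must
 ! already be in rtr1's routing table (connected or static).
 network 10.10.0.0 mask 255.255.0.0
!
! === Checkpoint on Nortel Alteon (plain entries, CLI syntax not shown) ===
! rule : permit TCP 10.0.1.1 <-> 10.0.2.2 dst port 179, no NAT on these addresses
! route: 0.0.0.0/0     -> 10.0.2.2  (rtr2, upstream default)
! route: 10.10.0.0/16  -> 10.0.1.1  (rtr1; one entry per network behind rtr1,
!                                    BGP between the routers never installs these)
! 10.0.1.0/30 and 10.0.2.0/30 are directly connected, so the two peering
! addresses need no extra route on the firewall.
!
! === rtr2 (public AS 64496) ===
! Constructed addressing: firewall 10.0.2.1 <-> rtr2 10.0.2.2 on 10.0.2.0/30,
! rtr2 192.0.2.2 <-> rtr3 192.0.2.1 on 192.0.2.0/30
interface GigabitEthernet0/0
 ip address 10.0.2.2 255.255.255.252
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.252
!
! rtr1's peering address sits behind the firewall: host route via the firewall.
ip route 10.0.1.1 255.255.255.255 10.0.2.1
!
router bgp 64496
 bgp log-neighbor-changes
 neighbor 10.0.1.1 remote-as 65001
 neighbor 10.0.1.1 ebgp-multihop 2
 neighbor 10.0.1.1 update-source GigabitEthernet0/0
 ! Send rtr1 only a default; the full table stays on rtr2.
 neighbor 10.0.1.1 default-originate
 ! rtr3 is the public peer. Prefixes learned from rtr1 carry AS_PATH "65001";
 ! remove-private-as strips it so rtr3 sees the route as originating in 64496.
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 remove-private-as
```

On rtr1, `show ip bgp summary` should show the 10.0.2.2 session in the Established state and `show ip bgp neighbors 10.0.2.2` should report that the external neighbor may be up to 2 hops away; a session stuck in Active usually means the firewall rule or one of the host routes above is missing in one direction. Because the firewall is stateful, both directions of the TCP/179 flow and of the data traffic must cross it; if traffic for a new network behind rtr1 reaches rtr2 via BGP but the firewall has no matching static back to rtr1, the return packets are black-holed at the firewall, which is exactly the manual step Sai identified.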
