#3 2007-09-18
mcnallym (Senior Member)
Re: ISP Redundancy and routed public networks

To allow statically translated hosts in an ISP redundancy configuration for open outgoing connections, use the following procedure. Assume that an internal host has an internal IP address, as well as one valid IP address from the address space of each Internet Service Provider (ISP). Use the following notation:
HOST_INTERNAL - the internal IP address of the host
HOST_VALID_A - the valid address of the host from ISP_A (the first ISP)
HOST_VALID_B - the valid address of the host from ISP_B (the second ISP)

On the SmartCenter Server:

Define two dynamic objects: DYN_ISP_A and DYN_ISP_B

Define an object with the IP address of HOST_INTERNAL.

Define an object with the IP address of HOST_VALID_A.

Define an object with the IP address of HOST_VALID_B.

Define two Manual NAT rules, as follows:
Rule 1
Source=HOST_INTERNAL
Destination=DYN_ISP_A
XlateSRC=HOST_VALID_A
XlateDST=Orig
Rule 2
Source=HOST_INTERNAL
Destination=DYN_ISP_B
XlateSRC=HOST_VALID_B
XlateDST=Orig

On the Security Gateway or cluster (on each cluster member), run cpstop.

On the Security Gateway or cluster (on each cluster member), run the following commands:
dynamic_objects -n DYN_ISP_A
dynamic_objects -n DYN_ISP_B
dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a
On the Gateway or cluster (on each cluster member), edit $FWDIR/bin/cpisp_update, and add the following lines before the "exit" line:

if ($USE_LINK1 == "1") then
    # Link 1 is up: DYN_ISP_A covers every destination, so Manual NAT rule 1
    # (HOST_VALID_A) matches; DYN_ISP_B keeps only the 0.0.0.0-0.0.0.0 placeholder
    dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -d
    dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a
else
    # Link 1 is down: swap the roles so Manual NAT rule 2 (HOST_VALID_B) matches
    dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -d
    dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
endif

On the Gateway or cluster (on each cluster member), run cpstart.

Install the Security Policy on the Gateway/cluster.

Limitation:

In an ISP redundancy Load Sharing configuration, connections originating from HOST_INTERNAL will not be load shared. Instead, they will be routed through the first ISP link, as long as it is active. If the first link fails, outgoing connections from HOST_INTERNAL will be routed through the second ISP link.

In addition to the steps above, you will need to configure the Operating System to answer ARP requests for the manual NAT IPs created above.

For a single firewall, you can configure permanent ARP entries directly in the OS, or on the upstream router, or by using Check Point's $FWDIR/conf/local.arp file.

For clustered firewalls, you will need to use the $FWDIR/conf/local.arp file, for the NATs to persist after a failover.

That is the content of the knowledgebase article I was referring to for Static NAT.

In order to ensure that the source IP address of Hide Network Address Translation (NAT) connections going out to the secondary ISP is translated to the IP address of the gateway external interface facing the secondary ISP, perform the following procedure from SmartDashboard:

Procedure:

Select Manage > Network Objects.

In the Network Objects dialog box, select the network object containing the source IP address of the Hide NAT connections from the network objects list.

Click 'Edit'.

In the Network Properties dialog box, select the NAT tab.

In the NAT tab, verify that the 'Add Automatic Address Translation rules' checkbox has been checked.

Select the 'Hide behind Gateway' option.

From the 'Install on Gateway' drop-down list, select the network object that represents the gateway that applies the Hide NAT.

Click 'OK' in the Network Properties dialog box.

Click 'Close' in the Network Objects dialog box.

Reinstall the security policy on the Security Gateway, applying Hide Network Address Translation (NAT).

Note:
The 'Help' files in the SmartDashboard recommend the following procedures for configuring Hide NAT for outgoing connections.

To allow outgoing connections via both ISP links, define automatic Hide NAT on network objects that initiate the outgoing connections.

For example, edit the internal_net object. In the General tab of the Network Properties window, select 'Add Automatic Address Translation Rules', Translation Method Hide, and 'Hide behind Gateway'.

After making the configuration modifications above, the source IP address of Hide Network Address Translation (NAT) connections going out to the secondary ISP is translated to the IP address of the gateway external interface facing the secondary ISP.

That is for Hide NAT.

ISP Redundancy tends to be quite limited in my opinion and maybe will improve with time however
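The dynamic-object switching in the Static NAT procedure above, as an added example that is not part of the post or of Check Point's tooling: a POSIX sh simulation of the ranges each object holds after the install-time commands and after each cpisp_update branch, and of which Manual NAT rule a destination then hits. It assumes that a dynamic object matches an address falling inside any of its ranges, that -a appends and -d removes a range, and that the first matching NAT rule wins; the destination 198.51.100.7 is a constructed sample.

```shell
#!/bin/sh
# Added example, not Check Point code: models DYN_ISP_A / DYN_ISP_B as lists of
# "lo-hi" ranges and evaluates Manual NAT rules 1 and 2 in order. Assumed
# semantics: match = address inside any range, -a appends, -d removes.

ip2int() {                      # dotted quad -> integer for range comparison
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
range_add() {                   # dynamic_objects -o OBJ -r lo hi -a (no duplicates)
  case " $1 " in *" $2 "*) echo "$1" ;; *) echo "${1:+$1 }$2" ;; esac
}
range_del() {                   # dynamic_objects -o OBJ -r lo hi -d
  out=""
  for r in $1; do [ "$r" = "$2" ] || out="${out:+$out }$r"; done
  echo "$out"
}
init_objects() {                # install-time state: only the placeholder range
  DYN_ISP_A="0.0.0.0-0.0.0.0"
  DYN_ISP_B="0.0.0.0-0.0.0.0"
}
apply_update() {                # the cpisp_update block; $1 plays USE_LINK1
  if [ "$1" = "1" ]; then
    DYN_ISP_A=$(range_add "$DYN_ISP_A" 0.0.0.0-255.255.255.255)
    DYN_ISP_B=$(range_del "$DYN_ISP_B" 0.0.0.0-255.255.255.255)
    DYN_ISP_B=$(range_add "$DYN_ISP_B" 0.0.0.0-0.0.0.0)
  else
    DYN_ISP_B=$(range_add "$DYN_ISP_B" 0.0.0.0-255.255.255.255)
    DYN_ISP_A=$(range_del "$DYN_ISP_A" 0.0.0.0-255.255.255.255)
    DYN_ISP_A=$(range_add "$DYN_ISP_A" 0.0.0.0-0.0.0.0)
  fi
}
in_object() {                   # in_object IP "range range ..." -> 0 if matched
  ip=$(ip2int "$1")
  for r in $2; do
    lo=$(ip2int "${r%-*}"); hi=$(ip2int "${r#*-}")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ] && return 0
  done
  return 1
}
xlate_src() {                   # Manual NAT rule 1, then rule 2; first match wins
  if   in_object "$1" "$DYN_ISP_A"; then echo HOST_VALID_A
  elif in_object "$1" "$DYN_ISP_B"; then echo HOST_VALID_B
  else echo NONE; fi
}

init_objects
apply_update 1; echo "link 1 up:   198.51.100.7 -> $(xlate_src 198.51.100.7)"
apply_update 0; echo "link 1 down: 198.51.100.7 -> $(xlate_src 198.51.100.7)"
```

The placeholder 0.0.0.0-0.0.0.0 range keeps an object populated while matching no real destination, which is why all outgoing connections from HOST_INTERNAL follow link 1 whenever it is up and only move to HOST_VALID_B after the script swaps the ranges.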