CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
The external interface on the firewall (SPLAT, NGX R60) is connected to a switch to which two routers are connected. The two routers and the firewall external interface are all in one VLAN. IP-wise, like this:
FW-Ext: 10.1.1.50/24
Router1: 10.1.1.100/24
Router2: 10.1.1.200/24
I would like to be able to use ISP Redundancy in either Load Balancing or Primary/Failover with the two routers. I realize I will have to use the ping option to test for failure. Can ISP Redundancy work like this?

I suppose it is better to do NAT on the same firewall, and not on the external devices as you do. This will lower the management overhead. I assume that you do not NAT on the firewall, because you are using 10.x.x.x addresses in your sample.

I used fake IP addresses in the initial post. Yes, we will be doing NAT on the internal addresses. To continue the example:
FW internal interface: 192.168.1.1
We will NAT 192.168.1.0/24 addresses to 10.1.1.30.

Hi, I have the same situation (IP addresses are samples). My web server 192.168.1.10 is NATed on the outside interface with the 195.100.100.10 IP address. On the external side I have one interface in the 195.100.100.0/24 network. My gateways are 195.100.100.254 and 195.100.100.253. Inbound traffic is routed through the first gateway, 195.100.100.254 (no BGP). I want outbound reply redundancy and load balancing, keeping the same sessions on the same gateway. As inbound connections are incoming from the same subnet, I don't know if ISP Redundancy is able to share load across two routers. In this context Checkpoint ISP Redundancy is not documented. I'm interested in feedback on how the FW is functioning with the two gateways in the same subnet and what I should care about during implementation. Thanks for your help. Regards, Sebastien

As already mentioned in other threads here: the only way to realize load-shared incoming with CP is to have your external DNS behind your firewall and set up the DNS proxy on your GWs. Short info from the documentation:
--------------------------------------
How the DNS Proxy Works
In Load Sharing mode, VPN-1 Pro responds to DNS queries with two IP addresses if both ISP links are active, or with one ISP address if only one ISP link is active.
---------------------------------------
DNS Server Configuration for Incoming Connections
The following procedure configures VPN-1 Pro to: intercept DNS queries to your web server that arrive at the VPN-1 Pro external interfaces, and respond to them with 192.168.1.2 and 172.16.2.2. Proceed as follows:
5. In the ISP Redundancy window, DNS Proxy tab, check Enable DNS proxy.
6. VPN-1 Pro responds to DNS queries with either one or two IP addresses, depending on the status of the ISP link and on the Redundancy mode. To configure this behavior, map each server name to an IP address pair. In the DNS Proxy tab, click Add.... Type a Host name (such as www.example.com), add an IP address for ISP-1 (such as 192.168.1.2) and an address for ISP-2 (such as 172.16.2.2).
7. It is important to ensure that DNS servers in the Internet do not store out-of-date address information. Each DNS reply has a Time To Live (TTL) field which indicates to the recipients of the reply how long the information in the reply may be cached. By default, VPN-1 Pro replies with a TTL of 15 seconds. This can be changed in the DNS TTL field.
__________________
misery is optional

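An added example (not from this thread, and not Check Point's own code) of the load-sharing DNS proxy rule quoted above: a small Python responder that answers an A query for a mapped host with both ISP addresses while both links are up, or only the live one otherwise, with the default 15-second TTL. The host-to-address mapping is the pair from the quoted steps; the DNS wire-format handling, the link-state flags and the pass-through of unmapped names or non-A queries are assumptions.

```python
import socket
import struct

# Constructed mapping, as entered in the DNS Proxy tab: host -> (ISP-1 address, ISP-2 address)
DNS_PROXY_MAP = {"www.example.com": ("192.168.1.2", "172.16.2.2")}
DNS_TTL = 15  # default TTL the proxy puts on its replies (the DNS TTL field)

def build_query(txid, name):
    """Minimal A/IN query with RD set, as a public resolver would send it to the gateway."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_question(pkt):
    """Return (txid, name, qtype, offset just past the question section)."""
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype = struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
    return struct.unpack("!H", pkt[:2])[0], ".".join(labels), qtype, pos + 5

def active_addresses(name, isp1_up, isp2_up):
    """Load-sharing rule from the docs: both addresses while both links are up, else only the live one."""
    pair = DNS_PROXY_MAP.get(name)
    if pair is None:
        return None
    return [ip for ip, up in zip(pair, (isp1_up, isp2_up)) if up]

def proxy_reply(query, isp1_up, isp2_up):
    """Reply the DNS proxy would send for an A query about a mapped host (None = not intercepted)."""
    txid, name, qtype, qend = parse_question(query)
    addrs = active_addresses(name, isp1_up, isp2_up)
    if addrs is None or qtype != 1:
        return None  # assumption: unmapped names and non-A queries are left to the real DNS server
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA; one answer per live link
    # each A record: pointer (0xc00c) to the question name, type A, class IN, TTL, rdlength 4, address
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, DNS_TTL, 4) + socket.inet_aton(ip) for ip in addrs)
    return header + query[12:qend] + rrs

def parse_answers(reply):
    """(ip, ttl) pairs from a reply, i.e. what nslookup/dig shows when checking the setup from outside."""
    ancount = struct.unpack("!H", reply[6:8])[0]
    pos, out = parse_question(reply)[3], []
    for _ in range(ancount):
        ttl, rdlen = struct.unpack("!IH", reply[pos + 6:pos + 12])
        out.append((socket.inet_ntoa(reply[pos + 12:pos + 12 + rdlen]), ttl))
        pos += 12 + rdlen
    return out
```

Running the three link-state combinations through proxy_reply and parse_answers shows why an external nslookup against the gateway should return two A records, then one, as links go down; a 15-second TTL is what keeps resolvers from caching the dead address.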
Hi, please help me and give me a solution. Currently I am trying Check Point NGX, SecurePlatform, with the same setup, but I am experiencing a problem. I have NATed one host in the DMZ (10.10.10.2, i.e. the web server) with external ISP-1 (such as 192.168.1.2) and ISP-2 (such as 172.16.2.2). With both IPs, ISP-1 (192.168.1.2) and ISP-2 (172.16.2.2), I am able to log in to the web page. But by using a host name (such as www.example.com) I sometimes get the page and sometimes do not. When I made ISP 2 (VSNL) down and ISP 1 up, I sometimes get the page and sometimes do not. But when I made ISP 1 (Bharti) down and ISP 2 up, I could not get the web page. And by using the nslookup command, sometimes I get both NATed IPs and sometimes do not.