Need: servers always nated from ISPA address space and reachable

[waldi]

NGX R60_03, SPLAT, two ISP providers, ISP redundancy load-balance mode.

Any ideas how to force several servers with static nats set from ISPA address space to pass traffic always via one ISP (ISPA)?
When default gateway is set to ISPA, everything is ok. But when defaultroute will change to ISPB, ISPB will drop traffic to/from ISPA nated servers.
Source routing is not officially supported, but maybe there is easiest and always working way to achieve it?

[Porter]

where's your external dns, behind your gateway or somewhere on the internet?
do you have 2 offical ips inside dns per server, 1 from isp A other from isp B?

[waldi]

Primary dns server is in FW-1 DMZ. It's addressed from ISPA address space.

[Porter]

only one dns from one isp? how does the internet resolve your names when isp a is down?

I think with your current setup the only way to solve the problem would be to use a autonomous system where all your routers a connected to, your basic problem is that isp a does not route ip range from isp b and vice versa

just try this:

* setup second dns inside ip range isp b, let root servers know that you have further dns
* give all needed servers second offical ip from isp b
* setup the dns proxy on fw-1 properly to be able to handle both ip addresses, use low ttl

if isp a is down fw-1 will recognise it and will only reponse with ip-adresses from isp b or vice versa

[waldi]

DNS configuration is not an issue. The problem is routing. All severs nated statically have to be in ISPA address space.
2nd link to Internet is to be used to balance outgoing traffic from internal network.

[Porter]

don't get me wrong but dns is an issue if you want to solve your problem with cp, just read the isp red. setup instructions

[waldi]

Could you point where documentation says that in scenario that was described, DNS setup is a must?
I'd like to underline something that seems to be ommited - when ISPA link is down, servers are to be unaccessible.

[Porter]

Firewall and Smartdefense paper, chapter 5, starts on page 101

before we run into a misunderstanding, of course are your servers unavailable if ips a goes down, to avoid this just setup a second dns in a second offical ip range, that means your webservers will have two ip addresses entered inside dns, resolving is done via round robin, both dns are behind your fw-1, fw-1 dns proxy is configured to handle ip adresses from both ranges for one host, if isp a is down fw-1 will recognise it and will only reponse with ip-adresses from isp b

I understood your setup and needs but with your current setup it won't be possible, you have to change something, either setup the isp red as CP recommends it or do something like autonomous system

[waldi]

I don't want to balance this specific group of servers in ISPA address space - that is what I'm trying to explain from begining of this thread. So that's why dns proxy is not an issue. The only thing I want to achieve is to force traffic from servers addressed by ISPA to go always via ISPA link irrespective of default gateway (which can be set to ISPA - and this is no problem, but also in LB mode it can poin ISPB and THIS is problem).

[Porter]

I thought that your issue is that you want to have the servers routed to isp b while breakdown from isp a, misunderstanding..

if you use LB for outgoing it does not effect incoming traffic, in our case here it doesn't, servers are always reachable via isp a
do you hide those serves behind gateway adress or do you have static
addresses for them?

[jonas.nyquist]

Hi!

I to have some issues with ISP Redundancy but not the same ones. Although, I got this tip from Nokia TAC regarding my problem and it might be somewhat usseful to you. Look at Check Point Secure Knowledgebase article sk25152.

Good luck,

/Jonas