Re: [FW-1] How to connect to 2 ISPs? - using one Checkpoint VPN/Firewall
To summarize, you're planning to connect pipes from 2 ISPs into your firewall, with the 3rd NIC going to the LAN. Yes, it's physically possible, but it may not give you the 'redundancy' many think they have when they implement this kind of setup.

If your purpose is to allow a backup route to the Internet in case ISP #1's connection fails, well, I suppose you have that. Suppose ISP #1 goes down. You then have to go to your firewall and change its default route to shove everything over the pipe to ISP #2. This works great for outbound traffic. However, if you have *any* inbound traffic you have only resolved half the problem.

Suppose ISP #1 has you on (using private net addresses for example-- we all know that in the real world they're public) 192.168.34.0/24 and ISP #2 has you on 10.4.4.0/24. All of the folks trying to contact you are probably pointing at 192.168.34.x to get to the devices behind your firewall-- mail server, web server, etc. ISP #1 goes down. You switch your firewall's routes to shove everything out of 10.4.4.x. The rest of the world is still trying to talk to 192.168.34.x, which all comes in through ISP #1 (which is down). As a result, they can't reach you. You still have a problem.

This is what BGP is all about. BGP is designed to deal with rerouting traffic. However, for it to be any good to you, you have to have a router running BGP at your end, and you have to have arrangements to have it talk to the BGP routers at each ISP so that all those attempts to talk to 192.168.34.x get rerouted to your firewall's address on 10.4.4.x.

The DNS-based solutions (in lieu of BGP) sound good in theory, but as noted, they don't help with situations where Box X on the outside is trying to talk to a specific IP address rather than a DNS name. It's an ingenious solution, but also a partial one. This is most notably a problem when it comes to IPSec VPNs, where the endpoints are specified by IP address, not DNS name.
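The failover argument above, as an added model that is not part of the original message: two ISP links, a firewall whose default route an admin flips by hand, and "the rest of the Internet" forwarding to a prefix only through whichever ISP announces it. The address blocks are the message's own stand-ins; the host addresses, the mail-server name and the IPsec peer address are constructed.

```python
# Constructed model of the two-ISP failover scenario: outbound is fixed by
# re-pointing the default route, inbound is not unless the prefix is
# re-announced (BGP) or the peer follows a DNS name instead of an IP.
from ipaddress import ip_address, ip_network

ISP1_NET = ip_network("192.168.34.0/24")  # stand-in for ISP #1's public block
ISP2_NET = ip_network("10.4.4.0/24")      # stand-in for ISP #2's public block
MAIL_V4 = {1: ip_address("192.168.34.25"), 2: ip_address("10.4.4.25")}  # constructed


class Site:
    def __init__(self, isp1_up=True, bgp=False, dns_failover=False):
        self.link_up = {1: isp1_up, 2: True}
        self.fw_default_isp = 1 if isp1_up else 2  # admin re-points the default route
        # What the Internet's routing tables say: which ISP announces each prefix.
        self.announced_via = {ISP1_NET: 1, ISP2_NET: 2}
        if bgp and not isp1_up:
            # A BGP router at the site gets ISP #2 to carry the ISP #1 block as well.
            self.announced_via[ISP1_NET] = 2
        self.dns_failover = dns_failover

    def outbound_ok(self):
        return self.link_up[self.fw_default_isp]

    def inbound_ok(self, dst):
        # Longest-prefix lookup from the outside world's point of view.
        hits = [net for net in self.announced_via if dst in net]
        if not hits:
            return False
        isp = self.announced_via[max(hits, key=lambda n: n.prefixlen)]
        return self.link_up[isp]

    def resolve_mail(self):
        # DNS-based failover publishes the ISP #2 address once ISP #1 is down.
        return MAIL_V4[2] if self.dns_failover and not self.link_up[1] else MAIL_V4[1]

    def summary(self):
        return {
            "outbound": self.outbound_ok(),
            "inbound_by_name": self.inbound_ok(self.resolve_mail()),
            # IPsec peer configured with the ISP #1 address, never a DNS name.
            "inbound_vpn_peer": self.inbound_ok(ip_address("192.168.34.1")),
        }


if __name__ == "__main__":
    cases = [("normal", Site()), ("isp1 down, route flipped", Site(isp1_up=False)),
             ("isp1 down + DNS failover", Site(isp1_up=False, dns_failover=True)),
             ("isp1 down + BGP", Site(isp1_up=False, bgp=True))]
    for label, site in cases:
        print(f"{label:26} {site.summary()}")
```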
-----Original Message-----
From: Raymond Hoffman [mailto:[email protected]]
Sent: Monday, June 03, 2002 4:52 PM
To: [email protected]
Subject: Re: [FW-1] How to connect to 2 ISPs? - using one Checkpoint VPN/Firewall

Hi folks,

I have been reading the ongoing thread with quite an interest. I am new to all this and had joined this list to understand a (im)pending installation for this location to connect with an international network which also is being installed. All sites are with the Checkpoint VPN/firewall. I have been told to prepare the CPU with 3 network cards, one for our LAN and two for the ISPs, and to obtain the ISPs. Later someone will be coming to finish the installation of Checkpoint and all. For your information, the CPU will have Windows 4.0SP6 and will be connected to a Windows 2000 LAN in mixed mode.

Is this feasible/doable? Any precautions I should consider before getting the two providers?

Thanks,
Raymond

At 15:54 03-06-2002 +0200, you wrote:
>Howdy,
>
>for a moment we thought our ISP went bankrupt last week. Fortunately
>this turned out not to be the case, however this kind of woke up upper
>management :-). So I'm now investigating how to use 2 ISPs for our
>Internet connection. Anybody any experience with this? Any links to
>useful info? Is this something that should be solved on the firewall
>level or will some router magic do the trick?
>
>Thanks in advance,
>
>Nico
>
>---------------------------------------------------------
> "It has been said that there are only two businesses that
> refer to customers as users: illegal drug trade and
> the computer industry."
>---------------------------------------------------------

--------------------------------------------------------------
Raymond Hoffman [email protected]
News World Argentina S.A. http://www.tdm.com
"Tiempos del Mundo" - the newspaper of the Americas
Bartolomé Mitre 760, Piso 2
C1036AAN Buenos Aires, Capital Federal
Argentina
Tel: (54-11) 4345-7300 int. 301
Fax: (54-11) 4345-6777