Re: [FW-1] How to connect to 2 ISP's? - using one Checkpoint VPN /Firewall

To summarize, you're planning to connect pipes from 2 ISPs into your
firewall, with the 3rd NIC going to the LAN.  Yes, it's physically possible,
but it may not give you the 'redundancy' many think they have when they
implement this kind of setup.

If your purpose is to allow a backup route to the Internet in case ISP #1's
connection fails, well, I suppose you have that.  Suppose ISP #1 goes down.
You then have to go to your firewall and change its default route to shove
everything over the pipe to ISP #2.  This works great for outbound traffic.

However, if you have *any* inbound traffic you have only resolved half the
problem.  Suppose ISP #1 has you on (using private net addresses for
example-- we all know that in the real world they're public) 192.168.34.0/24
and ISP #2 has you on 10.4.4.0/24.  All of the folks trying to contact you
are probably pointing at 192.168.34.x to get to the devices behind your
firewall-- mail server, web server, etc.  ISP #1 goes down.  You switch your
firewall's routes to shove everything out of 10.4.4.x.  The rest of the
world is still trying to talk to 192.168.34.x, which all comes in through
ISP #1 (which is down).  As a result, they can't reach you.  You still have
a problem.

This is what BGP is all about.  BGP is designed to deal with rerouting
traffic.  However, for it to be any good to you, you have to have a router
running BGP at your end, and you have to have arrangements to have it talk
to the BGP routers at each ISP so that all those attempts to talk to
192.168.34.x get rerouted to your firewall's address on 10.4.4.x.

The DNS-based solutions (in lieu of BGP) sound good in theory, but as noted,
they don't help with situations where Box X on the outside is trying to talk
to a specific IP address rather than a DNS name.  It's an ingenious
solution, but also a partial one.  This is most notably a problem when it
comes to IPSec VPNs, where the endpoints are specified by IP address, not
DNS name.

-----Original Message-----
From: Raymond Hoffman [mailto:[email protected]]
Sent: Monday, June 03, 2002 4:52 PM
To: [email protected]
Subject: Re: [FW-1] How to connect to 2 ISP's? - using one Checkpoint
VPN/Firewall


Hi folks,

I have been reading the ongoing thread with quite an interest.

I am new to all this and had joined this list for understanding a
(im)pending installation for this location to connect with an international
network which also is being installed.  All sites are with the Checkpoint
VPN/firewall.

I have been told to prepare the CPU with 3 network cards, one for our LAN
and two for the ISP's and to obtain the ISP's.  Later someone will be
coming to finish the installation of Checkpoint and all.  For your
information, the CPU will have Windows 4.0SP6 and will be connected to a
Windows 2000 LAN in mixed mode.

Is this feasible/doable? Any precautions I should consider before getting
the two providers?

Thanks,

Raymond

At 15:54 03-06-2002 +0200, you wrote:

>Howdy,
>
>for a moment we thought our ISP went bankrupt last week. Fortunately
>this turned out not to be the case, however this kind of woke up upper
>management :-). So I'm now investigating how to use 2 ISP's for our
>Internet connection. Anybody any experience with this? Any links to
>useful info? Is this something that should be solved on the firewall
>level or will some router magic do the trick?
>
>Thanks in advance,
>
>Nico
>
>---------------------------------------------------------
>  "It has been said that there are only two businesses that
>   refer to customers as users: illegal drug trade and
>                the computer industry."
>---------------------------------------------------------

--------------------------------------------------------------
Raymond Hoffman                         [email protected]
News World Argentina S.A.                       http://www.tdm.com
"Tiempos del Mundo" - el periódico de las Americas
Bartolomé Mitre 760, Piso 2
C1036AAN Buenos Aires, Capital Federal
Argentina
Tel: (54-11) 4345-7300 int. 301        Fax: (54-11) 4345-6777
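The failover scenario from the first reply above, modelled as an added Python example (not code from anyone in this thread). It assumes a constructed `Site` class and hostname `mail.example.test`; the two prefixes are the ones used in the post. It shows why flipping the default route only fixes outbound traffic, why a DNS workaround helps hostname-based clients but not IP-pinned peers such as IPsec endpoints, and why re-advertising the prefix (what BGP does) is what restores inbound reachability.

```python
import ipaddress

# Prefixes from the post: without BGP, each block is reachable only via its own ISP.
ISP1_PREFIX = ipaddress.ip_network("192.168.34.0/24")
ISP2_PREFIX = ipaddress.ip_network("10.4.4.0/24")


class Site:
    """Constructed dual-homed firewall: one default route for outbound traffic,
    plus the Internet's view of which ISP link carries each of our prefixes."""
    def __init__(self):
        self.link_up = {"isp1": True, "isp2": True}
        self.default_via = "isp1"
        self.inbound_via = {ISP1_PREFIX: "isp1", ISP2_PREFIX: "isp2"}

    def outbound_ok(self):
        return self.link_up[self.default_via]

    def inbound_ok(self, dst):
        """Longest-prefix match on the Internet side, then check that link."""
        dst = ipaddress.ip_address(dst)
        matches = [p for p in self.inbound_via if dst in p]
        best = max(matches, key=lambda p: p.prefixlen) if matches else None
        return best is not None and self.link_up[self.inbound_via[best]]

    def isp1_down_manual_reroute(self):
        self.link_up["isp1"] = False   # ISP #1 fails
        self.default_via = "isp2"      # admin flips the default route by hand

    def bgp_reroute(self):
        # With BGP, ISP #2 also announces our ISP #1 block, so the rest of
        # the world now sends 192.168.34.x over the surviving link.
        self.inbound_via[ISP1_PREFIX] = "isp2"


def reachable(site, dns, target):
    """target is a hostname (DNS failover can help) or a literal IP (IPsec peer)."""
    return site.inbound_ok(dns.get(target, target))


def scenario():
    site = Site()
    dns = {"mail.example.test": "192.168.34.25"}  # constructed hostname
    site.isp1_down_manual_reroute()
    out = {"outbound": site.outbound_ok(),
           "inbound_old_ip": site.inbound_ok("192.168.34.25")}
    dns["mail.example.test"] = "10.4.4.25"        # DNS-based workaround
    out["by_name_after_dns"] = reachable(site, dns, "mail.example.test")
    out["ipsec_peer_by_ip"] = reachable(site, dns, "192.168.34.1")
    site.bgp_reroute()
    out["old_ip_with_bgp"] = site.inbound_ok("192.168.34.25")
    return out
```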
