
CiscoR

@sky.com

Leased Line with BGP

Hi all,

I wonder if you can help me with this scenario.

My company have just had a leased line installed at their office and with it they have a /28 address block. They want to keep their existing firewall in place, which serves as the gateway on the internal network.

The problem I have is that the WAN interface IP address is 141.x.x.x (as dictated by our ISP) however our block of /28 addresses is delivered to the circuit using BGP. (These are 83.x.x.x)

You can constantly see in the firewall logs attempts to setup a TCP connection on port 179. So BGP is definitely active from the ISP side. Our firewall does not support the use of BGP.

I have a Cisco 1841 router at my disposal, which I know I could put in front of the firewall and have this speaking BGP, etc. however what I don't want to do is to have to 'double NAT'.

Can any of you good fellows suggest the best way of setting this up, or is double NAT going to be the way forward? Is it possible to have the router dealing with BGP but transparently pass the traffic straight on to the firewall?

Thanks in advance



Da Geek Kid

join:2003-10-11
::1
kudos:1

what's wrong with opening the 179 to go thru the firewall so that you could set up BGP inside facing out... and why would you need double NAT. Let the firewall do Firewall things (ACL) and let the router do the nat.



CiscoR

@sky.com

Hi

Ideally they want the firewall to take care of NAT, etc. because it does web filtering, inspection, it's a VPN end point and stuff too, and they're wanting to use certain IP addresses in that /28 for certain services that the firewall hosts.



battleop

join:2005-09-28
00000
reply to CiscoR

Is this a multi homed circuit? From what you have told us there isn't much of a point in running BGP.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.


nosx

join:2004-12-27
00000
kudos:5

Put an Internet router in front of the firewall to handle BGP. If you don't have another router, configure an Internet VRF on your current router and do the same with the firewall in the middle of a VRF sandwich.
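What the "VRF sandwich" looks like on a single 1841, as an added example for illustration rather than nosx's own config: the ISP-facing side lives in a VRF, the LAN side in the global table, and the firewall is the only thing that joins the two. The addresses (RFC 5737 ranges standing in for the 141.x.x.x WAN link and the 83.x.x.x /28), the AS numbers, the VLAN numbers, the inside LAN subnet and the BGP password are all assumptions. Because an 1841 has only two onboard FastEthernet ports, Fa0/1 is assumed to be an 802.1Q trunk to a switch carrying both legs. The inside leg is only needed if the 1841 is also going to route for the LAN; if the firewall stays the internal gateway, VLAN 20 and the global default route can be left out.

```cisco
! Single 1841: ISP side in VRF INTERNET, LAN side in the global table.
! No route-target import/export and no 'ip route vrf ... global' means
! nothing can cross between the two except through the firewall.
ip vrf INTERNET
 rd 65000:1
!
interface FastEthernet0/0
 description WAN - leased line to ISP (the 141.x.x.x side)
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
 no ip proxy-arp
!
interface FastEthernet0/1
 description trunk to switch: VLAN 10 = /28 outside leg, VLAN 20 = inside leg
 no ip address
!
interface FastEthernet0/1.10
 description the /28 toward the firewall's outside interface
 encapsulation dot1Q 10
 ip vrf forwarding INTERNET
 ip address 198.51.100.1 255.255.255.240
 no ip proxy-arp
!
interface FastEthernet0/1.20
 description inside leg toward the firewall's inside interface (optional)
 encapsulation dot1Q 20
 ip address 10.0.0.254 255.255.255.0
!
! Keep the /28 in the VRF RIB even if the outside leg flaps, so the
! BGP advertisement does not withdraw and re-announce on every flap.
ip route vrf INTERNET 198.51.100.0 255.255.255.240 Null0 250
!
! Global table: anything not local goes to the firewall's inside address.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Announce only our /28; accept only a default from the ISP.
ip prefix-list OUR-BLOCK seq 5 permit 198.51.100.0/28
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 vrf INTERNET
  network 198.51.100.0 mask 255.255.255.240
  neighbor 192.0.2.1 remote-as 64496
  neighbor 192.0.2.1 description ISP (placeholder AS)
  neighbor 192.0.2.1 password <shared-secret-agreed-with-ISP>
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
  neighbor 192.0.2.1 prefix-list OUR-BLOCK out
  neighbor 192.0.2.1 maximum-prefix 10 restart 5
 exit-address-family
```

The order of `ip vrf forwarding` before `ip address` matters: applying the VRF to an interface clears any address already on it. The prefix filters are the security-relevant part: the outbound list stops the router ever leaking the WAN /30, the inside LAN or anything learned elsewhere to the ISP, and the inbound list plus `maximum-prefix` keeps a misconfigured upstream from pushing a full table onto a router with 1841-class memory.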



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to CiscoR

said by CiscoR :

what I don't want to do is to have to 'double NAT'.

You don't have to.

1841 sits connected to the leased line on the 141.x.x.x IP, and does BGP with your provider. They send you a default route, you send them the /28.

Then, configure the /28 on another interface of the 1841 that connects to the firewall.

The firewall can live inside the /28, where you can do 1:1 mappings etc.
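The design TomS_ describes, written out as an IOS configuration for the 1841. This is an added example, not TomS_'s or the original poster's config: 192.0.2.0/30 stands in for the 141.x.x.x WAN link, 198.51.100.0/28 for the 83.x.x.x block, AS 65000 and 64496 for the customer and ISP AS numbers, and the BGP password and access-list names are placeholders. The router does no NAT at all; the firewall's outside interface simply moves from the 141.x.x.x address into the /28.

```cisco
! 1841 as the Internet router: BGP with the ISP, no NAT.
! All addresses and AS numbers are RFC 5737 / private placeholders.
hostname EDGE-1841
!
interface FastEthernet0/0
 description WAN - leased line to ISP (takes over the 141.x.x.x address)
 ip address 192.0.2.2 255.255.255.252
 ip access-group WAN-IN in
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 description the /28 - firewall outside interface sits on this segment
 ip address 198.51.100.1 255.255.255.240
 no ip proxy-arp
!
! Floating static to Null0 keeps the /28 in the RIB if Fa0/1 flaps, so the
! 'network' statement keeps advertising it instead of flapping the route.
ip route 198.51.100.0 255.255.255.240 Null0 250
!
! Only ever announce our /28; only ever accept a default route from the ISP.
ip prefix-list OUR-BLOCK seq 5 permit 198.51.100.0/28
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 65000
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.240
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP (placeholder AS)
 neighbor 192.0.2.1 password <shared-secret-agreed-with-ISP>
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 prefix-list OUR-BLOCK out
 neighbor 192.0.2.1 maximum-prefix 10 restart 5
!
! Infrastructure ACL on the WAN interface. The firewall does the real
! filtering for the /28; this only protects the router itself and pins
! TCP/179 to the ISP's peer address.
ip access-list extended WAN-IN
 remark BGP only to/from the ISP peer address
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 remark keep ICMP (path MTU discovery, reachability) to the router working
 permit icmp any host 192.0.2.2
 remark anything else aimed at the router's own address is dropped and logged
 deny   ip any host 192.0.2.2 log
 remark transit traffic for the /28 goes on to the firewall
 permit ip any 198.51.100.0 0.0.0.15
 deny   ip any any log
```

A few notes on the choices. `neighbor ... password` enables TCP MD5 on the session and must match what the ISP configures; `ttl-security hops 1` would be a further hardening step but the session will not come up unless the ISP enables it on their side too, so ask before adding it. `maximum-prefix 10` is deliberately tiny because the ISP is expected to send only a default; if the agreement is for partial or full routes, raise it to match and check the 1841's RAM first, as HELLFIRE points out. With the outbound prefix list in place, a `network` statement typo or a redistributed route cannot be announced to the ISP by accident.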


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to nosx

said by nosx:

... sandwich.

mmmm. saaaaannnnddddwiiiiicchhhhhh.

;-P

q.

nosx

join:2004-12-27
00000
kudos:5

Id call it a VRF taco but you might get offended tubby ;P


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to CiscoR

said by CiscoR :

Our firewall does not support the use of BGP.

Dare I ask the make / model of firewall this is that does web filtering, inspection and VPN... but not BGP?

said by CiscoR :

Can any of you good fellows suggest the best way of setting this up, or is double NAT going to be the way forward? Is it possible to have the router dealing with BGP but transparently pass the traffic straight on to the firewall?

Depends on a couple of factors, the ones I can think of off the top of my head:

a) how many useable addresses in the 141.x.x.x range do you have to use, besides the one currently used on your firewall's WAN interface?
b) does the above firewall only have two interfaces / zones?
c) what addressing scheme is being used on the firewall's LAN interface(s)?
d) is the addressing of the 83.x.x.x hosts planned to use NAT'ing on the firewall, or to be directly addressed on the end hosts themselves?

Best case scenario: if the 141.x.x.x range has multiple useable addresses, the 83.x.x.x range will be addressed thru NAT and internal addressing is using RFC1918, the 1841 could easily be dropped in to only talk BGP and not have to do NAT.

The middle case I can think of is where you have two or more 141.x.x.x addresses to use; one is left on the existing firewall itself, another is used to address a loopback / management interface on a 3560 or 3750 series layer 3 switch, which is how you talk BGP back to the ISP. That way you have the flexibility to put the 83.x.x.x hosts onto the switch itself, or behind the firewall and NAT'd as your needs dictate.

Other thing you should keep in mind is how big a BGP table you will be taking from the ISP; is it only the 141.x.x.x and 83.x.x.x ranges, or will it be more? If more, make sure your RAM on whatever device you use is scaled appropriately.

My 00000010bits.

Regards

aryoba
Premium,MVM
join:2002-08-22
kudos:4

2 edits
reply to CiscoR

As others have mentioned, there is no need to run double NAT just because you use an Internet router and Internet firewall combo. You can even run no NAT at all with those two devices if the requirement calls for it.

One standard practice used by many organizations is set a router in front of a firewall where the router (in this case the 1841) connects directly to the ISP for WAN subnet assigned by them. Simply assign the WAN IP address to the router and establish BGP routing with your ISP to receive a default route from them (or to receive full/partial routes from them depending on your agreement). You also need to advertise the /28 subnet via BGP towards the ISP.

To use the firewall, the router also connects directly to the firewall's untrust zone (or security level 0 in a Cisco ASA) for the /28 LAN subnet assigned by the ISP. Assign one IP address to the router, one IP address to the untrust zone firewall interface, one IP address for Internet access (PAT), and use the rest of the IP addresses as static IP addresses for your servers (or, as you may call it, the certain services your company wants to have).

In other words, only the firewall does PAT/NAT and basic routing between the router and your internal LAN. The router does BGP with the ISP and does not do PAT/NAT. The untrust zone firewall interface IP address is used for your VPN end point. The router IP address is used for BGP relationship and the router management.

There are sample configurations in this forum's FAQ that you can review using Cisco router and Cisco firewall as illustrations, though they are applicable to any router and any firewall make and model. Please go through all of them for ideas and clarification. Here is one of them.

»Cisco Forum FAQ »Setting Up Network With ISP WAN and Public IP Block subnets running NAT
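The firewall side of the address plan aryoba lays out, as an added example that is not from the thread or the FAQ. It is written for a Cisco ASA using the 8.3-and-later object NAT syntax, since that is the firewall aryoba uses as illustration; the original poster's firewall is something else, so only the shape carries over. 198.51.100.0/28 stands in for the 83.x.x.x block with .1 as the router, .2 as the firewall's outside interface (and VPN endpoint), .3 as the PAT address and .4 as a published server; 10.0.0.0/24 is an assumed RFC 1918 inside LAN. The interface names, object names and the server's inside address are placeholders.

```cisco
! Cisco ASA (8.3+ object NAT) living inside the /28 behind the BGP router.
! .1 = router, .2 = this outside interface / VPN endpoint, .3 = PAT,
! .4 = published server. All values are placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route points at the router, which holds the BGP default from the ISP.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! General Internet access: the whole LAN hides behind one public address (PAT).
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 198.51.100.3
!
! A hosted service gets its own public address (1:1 static NAT).
object network WEB-SERVER
 host 10.0.0.80
 nat (inside,outside) static 198.51.100.4
!
! Inbound policy. From 8.3 on, access lists match the real (inside)
! address, so the rule names the object, not the public .4.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Nothing has to be configured on the router for .3 and .4: both are in the connected /28, and the ASA answers ARP for its static and dynamic mapped addresses on the outside segment, so the router simply forwards to it. The explicit `deny ip any any log` at the end of the outside ACL is the same as the implicit deny, but it gives you the dropped-connection log lines the original poster was already watching for TCP/179.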