  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 626

2 ISPs and 1 Firewall

ISP 1 provides a T1 connection with a subnet x.x.x.0/24, terminated on a 2600 series router.

ISP 2 provides an Ethernet hand-off to the Internet (5 Mbps) with an x.x.x/24 subnet, terminated on a 2600 series router.

Nothing is configured between the ISPs, meaning no BGP and no HSRP.

We have only one firewall (Check Point) with one external interface and two internal interfaces.

How can this firewall be configured to sit behind these two ISP routers and support a local area network with a web and mail server?

Do we need any additional hardware?

Please provide me the best solution for this.
Thanks in advance.
Asked by dejones44

4 Solutions

ECNSSMT commented:
dejones44,

To start from the bottom: yes, you will need another NIC card. In order to support both networks, Check Point will need a second NIC to support the second external network. In Check Point, you will mark this as an external interface.

To support web and email, you will need to do two things. Assuming you have one email server and want both ISPs to deliver email, set up your MX records in DNS with both external interfaces at the same weight. If you have a preferred network, give it a lower MX number than the other network. Do the same for your web pages.

In Check Point, you can specify your web and SMTP servers for inbound connections. This will redirect all external connections on ports 25, 80, and 443 to the internal servers you set up. You can also use one of the internal networks to segment off your web and SMTP gateways. This will create your DMZ. Allow any connections from the other internal network to the DMZ network.

Set up the internal network with whatever you want to be allowed out to both networks in Check Point.

ECNSSMT
0
 
dejones44 (author) commented:
Thanks for the quick suggestion!

Could you please explain in detail the connectivity from the ISP routers to the Check Point, with the hardware needed?

Do we need any special license for the firewall to have two external interfaces?

I guess we just have a standard license to support 100 IP addresses.

I have two internal networks (192.168.20.0/24 and 192.168.40.0/24).

I understand the lowest MX record will have the highest priority, but how would I define the priority for a website?

0

Danny_Larouche commented:
Most corporate-class firewalls have 2 WAN interfaces and can deal with the two Cisco 2600s. Since your firewall only has 1 WAN interface, verify whether you can add a WAN module to it, or use another firewall.

The second option is to use either Cisco 2600 to handle the 2 connections. This model supports multiple WAN modules to build a redundant link.

For the web server, there is no DNS mechanism similar to MX. You have to define multiple host records in the DNS zone that point to IP addresses on each side (ISPs). Those addresses will be reached in round-robin order for incoming connections. Without BGP for your address block, you cannot have fully redundant web services as you can for SMTP.

0
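The DNS side of the two answers above (ECNSSMT's equal-weight MX records, and Danny_Larouche's point that a web host only gets round-robin A records) as one zone fragment. This is an added example, not something posted in the thread: the zone name, host names and the two address blocks (203.0.113.0/24 standing in for ISP 1's /24, 198.51.100.0/24 for ISP 2's) are assumptions, as is the existence of a single mail server and a single web server behind the Check Point.

```dns
$ORIGIN example.com.
$TTL 300                                 ; short TTL so a record behind a dead ISP ages out quickly
@        IN SOA  ns1.example.com. hostmaster.example.com. (
                 2024010101 ; serial
                 3600       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; negative-cache TTL
         IN NS   ns1.example.com.
ns1      IN A    203.0.113.53

; Mail: two MX records with the same preference. A sending MTA picks either;
; when the chosen host does not answer it retries the other one, so inbound
; mail survives the loss of one ISP. Lower the number on one line (e.g. 10/20)
; to make that ISP the preferred path.
@        IN MX   10 mx-isp1.example.com.
@        IN MX   10 mx-isp2.example.com.
mx-isp1  IN A    203.0.113.25            ; address in ISP 1's /24, NATed by the firewall to the mail server
mx-isp2  IN A    198.51.100.25           ; address in ISP 2's /24, NATed to the same mail server

; Web: there is no MX equivalent. Two A records are handed out round-robin, so
; half the visitors land on each ISP. A visitor who receives the address behind
; a failed ISP gets a connection timeout (some clients then try the other
; address, most older ones do not), so this is load spreading, not failover.
www      IN A    203.0.113.80
www      IN A    198.51.100.80
```

Two checks are worth doing after publishing this: `dig MX example.com` should return both hosts with preference 10, and `dig A www.example.com` should return both addresses in alternating order across repeated queries. Keeping the TTL short limits how long a dead web address keeps being served once you pull it from the zone, which is the only "failover" a plain A record offers without BGP.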
rsivanandan commented:
I would try to see if both connections can be terminated on one 2600 router and do load balancing + failover there. These things are done better at the networking devices. That way you don't have to do anything on the Check Point side.

Cheers,
Rajesh
0
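What "terminate both links on one 2600 and handle failover there" looks like in practice, as an added example that is not from this thread. It assumes each ISP routes its /24 to the customer over a point-to-point link (link addresses taken from the 192.0.2.0/24 documentation range), that 203.0.113.0/24 is ISP 1's block and 198.51.100.0/24 is ISP 2's, that the router runs an IOS release with `ip sla` and `track` (12.4 or later on a 2600; older trains spell the probe `rtr`), and that the Check Point's single external interface sits on FastEthernet0/1 with a default route to 203.0.113.1. Interface names are assumptions too. This gives failover for outbound traffic and keeps replies for each address block on its own ISP; it does not load balance outbound flows, and inbound connections to an address in a failed ISP's block are still lost, which is the BGP caveat raised above.

```cisco
! Added example (not from the thread). All addresses, interface names and the
! IOS feature set are assumptions; see the lead-in.
!
interface Serial0/0
 description ISP 1 (T1); ISP 1 routes 203.0.113.0/24 to us over this link
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/0
 description ISP 2 (5 Mb Ethernet hand-off); ISP 2 routes 198.51.100.0/24 to us
 ip address 192.0.2.6 255.255.255.252
!
interface FastEthernet0/1
 description segment shared with the Check Point external interface
 ip address 203.0.113.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
 ip policy route-map RETURN-VIA-OWN-ISP
!
! Reachability probes. Pinging the ISP's far-end link address detects a dead
! link; pinging something beyond it (an ISP DNS server, say) also catches an
! ISP whose link is up but whose upstream is down. The far-end address is used
! here only because it is the one thing we can name without assumptions.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.5 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 30 up 60
track 2 ip sla 2 reachability
 delay down 30 up 60
!
! Outbound: default via ISP 1 while track 1 is up; the floating static with
! administrative distance 10 via ISP 2 is installed only when the first route
! is withdrawn. When ISP 1 recovers, the tracked route comes back and wins.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 192.0.2.5 10
!
! Inbound symmetry: a connection that arrived via ISP 2 to a 198.51.100.x
! service is answered from 198.51.100.x. Without this route-map the reply
! would follow the default route out ISP 1, and an ISP that filters source
! addresses outside its own block would drop it. The next hop is only used
! while track 2 says ISP 2 is alive; otherwise the packet falls back to the
! routing table.
ip access-list extended SRC-ISP2-BLOCK
 permit ip 198.51.100.0 0.0.0.255 any
route-map RETURN-VIA-OWN-ISP permit 10
 match ip address SRC-ISP2-BLOCK
 set ip next-hop verify-availability 192.0.2.5 1 track 2
!
! The Check Point keeps exactly one default route, to 203.0.113.1, and needs
! no second external NIC in this design. Which public addresses it answers for
! (NAT rules and proxy ARP for both blocks) is a Check Point question the
! thread does not settle.
```

To verify the failover, watch `show track` and `show ip route 0.0.0.0` while you pull the T1: the tracked route should disappear after the 30 s down delay and the AD-10 route should appear. `show route-map RETURN-VIA-OWN-ISP` counts the policy-routed packets, which should climb as soon as anything connects to a 198.51.100.x address.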
 
carrido13 commented:
I would do iBGP between both routers and eBGP to the ISPs. Since you are dealing with /24 subnets this will not be an issue. This will not need any additional hardware or software, and you also don't need to reconfigure any gateways or metrics on any of your servers. If properly planned, this whole configuration can be implemented in less than 2 hours without any downtime.

Regards,
Walter
0
 
dejones44 (author) commented:
Cisco folks confirmed that the PIX and ASA firewalls do not have the option for two WAN interfaces.
Haven't heard from Check Point, and I am not sure how to proceed on this.
0
 
rsivanandan commented:
Yes, that's why I was pointing to doing the aggregation + load balancing at the router level and letting the PIX handle only one IP address.

Cheers,
Rajesh
0
 
dejones44 (author) commented:
Load balancing and failover on one router!
0
 
carrido13 commented:
Yes, you can use one router for both load balancing and failover; however, since you have 2 routers, it is always advisable to use 2 routers.

Walter
0
 
Danny_Larouche commented:
Fortinet, Juniper and SonicWall have dual WAN with load balancing / failover.
0