On Fri, Jun 12, 2009 at 4:11 PM, Ogos Sixtynine<[email protected]> wrote:
>  Assuming that I move the current outside address OFF
> of the cluster to the BGP router that faces that ISP, that will kill all the 
> VPNs.

What are you moving where?  Do you currently have a router?  Or is
there no router at all (such as a cablemodem type setup that
terminates on your firewall)?  Do you get to keep the IP's from the
first provider and advertise them out both?  Or are those IP's going
away?

Provide some sample IP's and at least crude diagrams on how you're
currently set up.

> Now VPNs are terminating to the fw cluster; after the change they will be
> terminating to the BGP router.

Not sure why you think you have to move these IP's out, unless there's
no router in your current scenario.

> Another assumption, in this scenario, is that I may have to do NAT at the BGP 
> router the External IP
> address to the new  IP address of the firewall cluster.
> Is that a correct assumption?

No.  In this scenario, let your firewall NAT.  I would suggest against
doing any NATting at your BGP routers.

> Would VPNs actually work with a Checkpoint Firewall Cluster interface
> that is being translated and
> not be a REAL IP address?

Probably, but you shouldn't have to find out.

> We are trying to find a solution that minimizes any kind of downtime while we
> enable the 2nd Internet connection,
> without having to reconfigure all our VPNs and FW cluster at the same time...but
> over an extended period of time.
> Additionally the first ISP will be terminated....at a later date due to some
> decision outside my responsibilities.

Why are you terminating the first ISP?  Isn't that negating the idea
behind the whole project?

I think we need more details.  For BGP, what prefixes are you going to
advertise?  I don't need to know specifics, but which ISP is providing
them?  Are they in use now?  How big an allocation is it/are they?

Then, use some sample IP's and subnets to describe how you're
currently connected.

I can envision several scenarios where you'd be SOL about not having
to reconfigure your VPN's, but the more common setup would seem to be
one where you can avoid it.  We'll need details on your specific
implementation.

Fred
