How to implement dual isp

Hi,

I hope someone can help me with this situation.

I have just installed 2 Nokia IP380s (ipso 3.8) in a VRRP master/backup configuration. They have Checkpoint NG AI R55 installed. We are just about to receive a second 6mb pipe from another ISP.

I need to be able to assign 2 ip addresses (one from each isp) to a particular host on my DMZ, so that when one ISP becomes unavailable new connections can still be made via the other.

I would like to know how this is configurable in FW1 (or IPSO) and how best to manage the DNS.

I've spent a long time trying to research this and I'm more confused now than I was to start with. Any help is very much appreciated.

Joe

Reply to
Joey D

I should add that we're just about to receive a Big-IP 1000 Application Appliance. This may help things.

Joe

Reply to
Joey D

If you want to do a dual-homed Internet feed, the best way to do it is to have your own portable IP address and AS number, so you can do BGP with two ISPs. Then you can implement HSRP inside your network to implement the redundant firewall. There are many details involved in setting up the network.

Reply to
William L. Sun

Hello Joe,

The Nokia appliances are great, but when using two or more ISPs, two or more Stonesoft Stonegate appliances would have been an easier choice.

Stonesoft is also the company that developed Stonebeat for Checkpoint. Stonesoft's Stonegate is not only a great firewall but it also has the most advanced High Availability, Load Sharing, and Multi ISP support. Load sharing not only between the two or more appliances but also between the ISPs. If an ISP goes down, you still have an Internet connection.

I think this is what you were looking for.

Ronald Schaper

"Joey D" wrote in message news:d1pi7p$b9i$1$ snipped-for-privacy@news.demon.co.uk...

Reply to
Ronald Schaper

Thanks for your reply but unfortunately we don't have the budget for anything else. I was wondering how it could be done with my current configuration (not using BGP).

Joe

Reply to
Joey D

Hi Joe,

If you do not host your web server or application in-house for Internet access, the firewall dual home would work, because the firewall dual home allows outbound access. However, if you do host web servers and one of your ISPs is down, then half of the time your web site may not be available, supposing that you are using DNS round robin.

Reply to
William L. Sun
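The round-robin behaviour described in the post above, worked through as an added example that is not part of the thread: it compares plain DNS round robin with answers filtered by link health when one ISP is down. The addresses are constructed documentation-range values, and the health-checking authoritative DNS server, its check interval and the TTL are assumptions.

```python
import itertools

# Constructed sample data: one public address per ISP for the same DMZ host.
RECORDS = {"isp_a": "192.0.2.10", "isp_b": "198.51.100.10"}


def round_robin_answers(records, n):
    """Plain DNS round robin: rotate through every A record, ignoring link state."""
    names = itertools.cycle(sorted(records))
    return [records[next(names)] for _ in range(n)]


def health_aware_answers(records, link_up, n):
    """Hand out only addresses whose ISP link passed the last health check."""
    live = [name for name in sorted(records) if link_up.get(name)]
    if not live:
        return []  # both links down: nothing usable to answer with
    names = itertools.cycle(live)
    return [records[next(names)] for _ in range(n)]


def failure_rate(answers, records, link_up):
    """Fraction of new inbound connections sent to an address behind a dead link."""
    if not answers:
        return 1.0
    addr_up = {records[name]: bool(link_up.get(name)) for name in records}
    return sum(1 for a in answers if not addr_up[a]) / len(answers)


def worst_case_stale_seconds(ttl, check_interval):
    """Longest time a resolver can keep using a dead address: the link fails
    just after a health check, and an answer handed out just before the next
    check stays cached for the full TTL."""
    return check_interval + ttl


if __name__ == "__main__":
    up = {"isp_a": True, "isp_b": False}  # ISP B has failed
    rr = round_robin_answers(RECORDS, 100)
    ha = health_aware_answers(RECORDS, up, 100)
    print("round robin failure rate: ", failure_rate(rr, RECORDS, up))
    print("health-aware failure rate:", failure_rate(ha, RECORDS, up))
    print("stale window (s):", worst_case_stale_seconds(ttl=30, check_interval=10))
```

The stale window is why a short TTL on these records matters: resolvers that already cached the failed link's address keep using it until the TTL runs out.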

Joey D ( snipped-for-privacy@hotmail.com) wrote:
: Thanks for your reply but unfortunately we don't have the budget for
: anything else.
: I was wondering how it could be done with my current configuration (not
: using BGP).
:
: Joe


See if that version of IPSO supports ISP redundancy. I know it is supported in Linux and SPLAT but I am not sure if support has made it to IPSO. I seem to remember reading that one of the newer IPSOs had added the support but cannot find definitive statements.

From the literature

ISP Redundancy

Companies are more and more dependent on their Internet Service Providers (ISP) to conduct businesses over the Internet. To ensure business continuity, customers can use multiple ISPs to reduce the risks of a single ISP failure.

Check Point ISP Redundancy enables reliable Internet connectivity, by allowing a single or clustered VPN-1 Gateway(s) to connect to the Internet via redundant ISP connections. As part of standard VPN-1 installation, ISP Redundancy offers three modes of operation:

1) Primary/Backup
2) Load Sharing
3) Primary/Dial-up

Primary/Backup mode connects to an ISP through the primary link, and switches to a backup ISP if the primary ISP link fails. When the primary link is restored, new outgoing connections are assigned to the link. Existing connections are maintained over the backup link, until they are complete.

Load Sharing mode connects to both ISPs, while sharing the load of outgoing connections between the ISPs. New connections are randomly assigned to a link. If a link fails, all new outgoing connections are directed to the active link. This configuration effectively increases WAN bandwidth, while providing connectivity protection.

Primary/Dial-up mode allows ADSL, ISDN, or dial-up to be configured as backups to primary links.

ISP Redundancy requires no additional hardware installation. This solution does not need separate management software. Configuration and monitoring of ISP Redundancy is integrated with the SmartCenter management suite.

Reply to
Richard H. Miller
