OSPF over PIX w/ 6.2


Post by Guest » Thu Sep 01, 2005 7:10 pm


Ok 6.3 code is out of the question for this example. I am looking for any solutions for 6.2 code only. Thanks in advance!

Here is the setup:

(in)r1--->area 1 |PIX| area 1 ---->(out)r2--->s0/0--area 0

r1 is in AS 1, r2 is in AS 2 and has area 0 off of s0/0 interface. r1 also has area 2 off of s0/0 interface. I am looking for examples on how to run OSPF from r1 to r2 with r1 being in area 2 and r2 being in area 0 without using a GRE tunnel. I could redistribute OSPF through BGP, but would this be the best/only solution? Any suggestions would be great.

Guest
 

Re: OSPF over PIX w/ 6.2

Post by Guest » Thu Sep 01, 2005 7:50 pm


I had exactly the same application, also based on PIX 6.2. I ended up using BGP through the firewall, as that was the only solution that offered the route filtering as well. The customer considered the GRE as a bit too risky for his security application, so BGP it was.

Then when 6.3 came along life got a bit easier.

Guest
 

Re: OSPF over PIX w/ 6.2

Post by Guest » Thu Sep 01, 2005 8:00 pm


Thanks for your reply! To follow up: how were you able to apply a virtual-link to either side?

And let's say "all" options are open, is there any other way that you know of to allow OSPF through the PIX with this setup?

Thanks - Jeff

Guest
 

Re: OSPF over PIX w/ 6.2

Post by Guest » Thu Sep 01, 2005 8:32 pm


Jeff,

In the solution I implemented, BGP was the only routing protocol passed through the firewall. Initially I tried to set the PIX up to allow traffic through, thinking I could use the OSPF neighbour feature so the routers could see each other. This failed, as that feature also uses multicast traffic, which the PIX drops.

So in the end I redistributed OSPF into BGP, tunneled the routing information through the firewall and redistributed back into OSPF.

I didn't try using a virtual link, but as OSPF relies heavily on multicast traffic I'm sure such a link would fail also.

Virtual links are often described as "tunnels", but that is intended to promote understanding of the concept; they only operate within contiguous OSPF networks.

6.3 sounding attractive yet??

Guest
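
The redistribution approach described in the reply above, sketched as an added configuration example; it is not taken from any of the posts. AS 1 and AS 2 follow the first post; every address, prefix, OSPF process ID, ACL name and prefix-list name is constructed, and the identity static (no address translation for r1) is an assumption chosen so the BGP next hop r1 advertises stays reachable from r2.

```cisco
! ---- r1 (inside router, AS 1), IOS; all addresses constructed ----
! Reach r2 via the PIX inside interface (10.1.1.1, assumed)
ip route 192.0.2.0 255.255.255.0 10.1.1.1
! Accept only the prefixes expected from the outside (constructed range)
ip prefix-list FROM-R2 seq 5 permit 172.16.0.0/16 le 24
router ospf 1
 redistribute bgp 1 subnets
router bgp 1
 redistribute ospf 1
 neighbor 192.0.2.2 remote-as 2
 ! Peers are not on a shared subnet, so the eBGP connected check must be relaxed
 neighbor 192.0.2.2 ebgp-multihop 2
 neighbor 192.0.2.2 prefix-list FROM-R2 in
!
! ---- r2 (outside router, AS 2), IOS ----
! Reach r1 via the PIX outside interface (192.0.2.1, assumed)
ip route 10.1.1.2 255.255.255.255 192.0.2.1
ip prefix-list FROM-R1 seq 5 permit 10.2.0.0/16 le 24
router ospf 1
 redistribute bgp 2 subnets
router bgp 2
 redistribute ospf 1
 neighbor 10.1.1.2 remote-as 1
 neighbor 10.1.1.2 ebgp-multihop 2
 neighbor 10.1.1.2 prefix-list FROM-R1 in
!
! ---- PIX 6.2 (lines starting with ":" are comments) ----
: Identity static: r1 appears on the outside with its real address
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
: Only r2 may open TCP/179 to r1; OSPF itself never crosses the firewall
access-list acl_out permit tcp host 192.0.2.2 host 10.1.1.2 eq 179
access-group acl_out in interface outside
: The PIX learns nothing from BGP, so it needs static routes for both sides
route inside 10.2.0.0 255.255.0.0 10.1.1.2 1
route outside 172.16.0.0 255.255.0.0 192.0.2.2 1
```

This covers only the BGP session and the routes it carries; user traffic between the redistributed prefixes still needs its own translation and access-list entries on the PIX.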
 

Re: OSPF over PIX w/ 6.2

Post by Guest » Thu Sep 01, 2005 9:53 pm


Thanks for the feedback!

Guest
 
