PIX515e OSPF Message Digest Authentication

Unanswered Question
May 25th, 2007

We are about to migrate our current ISPs to AT&T; the drawback is that ATT is providing the edge router as well as managing it. Right now I have two OSPF processes in my PIX, one OSPF process for the outside interface and a different OSPF process for the inside interface. My default route is injected downstream from the Internet router via "default-information originate metric-type 1".

The new ISP does allow OSPF but without authentication. My OSPF domain inside uses MD5 for OSPF authentication; if I were not to use authentication on the OSPF process on the PIX outside interface, I'm sure I will encounter problems getting a default route to the PIX.

What other options do I have? AT&T tells me they can do OSPF without authentication, which is not good for me because I will then have to omit OSPF authentication on my inside routers as well. ATT can simply do static, and I was thinking of just killing the OSPF process altogether on the PIX outside interface and configuring a static route as:

route outside 0.0.0.0 0.0.0.0 ATT_Ethernet_Handoff.ip 1

My question is: by omitting the OSPF process from the outside interface and leaving the inside OSPF process intact with its MD5 for my inside network, should I be worrying about any issues?



srue Sat, 05/26/2007 - 04:24

OSPF authentication is per interface, not per device. You should be able to safely disable auth on the outside interface and still use it on the inside interface. All neighbor relationships will still form and you can still run OSPF as you normally do.

JORGE RODRIGUEZ Sun, 05/27/2007 - 20:12

Srue, thank you for your input. Along those same lines, without the authentication on the PIX outside interface I should still be able to get a default route injected into my inside PIX interface OSPF process, which I do have configured for default-information originate as well.
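
Added example, not part of the original thread and not taken from either poster's configuration: a sketch of the layout discussed above, with no OSPF on the outside interface, a static default route toward the provider handoff, and MD5 authentication kept on the inside interface. It assumes PIX OS 7.x syntax; the interface names, process ID, area, addresses (documentation ranges) and the key placeholder are all constructed.

```cisco
! Outside: no OSPF process covers this subnet, so no adjacency
! (authenticated or not) is formed with the provider-managed router.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! Inside: MD5 authentication is configured per interface.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf message-digest-key 1 md5 <MD5_KEY>
 ospf authentication message-digest
!
! Static default route to the provider handoff address (constructed).
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Single OSPF process for the inside network only.
! The network statement takes a netmask on the PIX, not a wildcard mask.
! Without the "always" keyword, default-information originate advertises
! a default route only while one is present in the routing table; the
! static route above provides it.
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate metric-type 1
```

After applying a layout like this, `show ospf neighbor` and `show route` on the PIX confirm that the inside adjacencies are still up and that the static default is installed.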



