Dynamic Routing to DMZ- Is this a good idea?

Unanswered Question
Jun 4th, 2008
User Badges:

We currently have a site with ASA5510's in active/standby. There are only two interfaces today. Inside and outside. Both interfaces are advertised to the internal network via seperate OSPF instances.

We are adding a DMZ. My quesiton is;

Is it acceptable to advertise the DMZ network through OSPF (on the ASA) to the inside or should we statically tell the inside how to get to the DMZ?

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ? Instance 1 advertises the inside interface, Instance 2 advertises the Outside interface.

Thanks to all who take the time to read the post!!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
JORGE RODRIGUEZ Wed, 06/04/2008 - 09:41
User Badges:
  • Green, 3000 points or more

If you are running OSPF inside your network and already have the ASA inside interface participating in OSPF, I do not see any issues in advertizing your DMZ networks downstrean into your OSPF domain, if you do you may want to use OSPF message-digest-key MD5 in your ospf process for security authentication.

[edit] my personal opinion is I would advertize the DMZ, otherwise you will need to statically adverize your DMZ networks but since you have a dynamic routing protocol in place use it.

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ?

Usually in your ospf process number you have assign for the inside interface, advertize your DMZ with a network statement .


router ospf

network nameif area



jsecaur Wed, 06/04/2008 - 10:00
User Badges:

Thanks for the response. I planned to use the OSPF and advertise on the process that included the inside interface. Just wanted a second opinion.

Good Day.

JORGE RODRIGUEZ Wed, 06/04/2008 - 12:33
User Badges:
  • Green, 3000 points or more


Im glad I could share my opinion. Just wanted to reinstate to use message-digest-key ospf authentication between your firewall and any downstream or upstream routers participating in OSPF, this way you will have additional security with OSPF and establishing secure adjacency within your firewall Parameter and routers.




This Discussion