Dynamic Routing to DMZ- Is this a good idea?

Unanswered Question
Jun 4th, 2008

We currently have a site with ASA5510's in active/standby. There are only two interfaces today. Inside and outside. Both interfaces are advertised to the internal network via seperate OSPF instances.

We are adding a DMZ. My quesiton is;

Is it acceptable to advertise the DMZ network through OSPF (on the ASA) to the inside or should we statically tell the inside how to get to the DMZ?

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ? Instance 1 advertises the inside interface, Instance 2 advertises the Outside interface.

Thanks to all who take the time to read the post!!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
JORGE RODRIGUEZ Wed, 06/04/2008 - 09:41

If you are running OSPF inside your network and already have the ASA inside interface participating in OSPF, I do not see any issues in advertizing your DMZ networks downstrean into your OSPF domain, if you do you may want to use OSPF message-digest-key MD5 in your ospf process for security authentication.

[edit] my personal opinion is I would advertize the DMZ, otherwise you will need to statically adverize your DMZ networks but since you have a dynamic routing protocol in place use it.

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ?

Usually in your ospf process number you have assign for the inside interface, advertize your DMZ with a network statement .

e.i

router ospf

network nameif area

Rgds

-Jorge

jsecaur Wed, 06/04/2008 - 10:00

Thanks for the response. I planned to use the OSPF and advertise on the process that included the inside interface. Just wanted a second opinion.

Good Day.

JORGE RODRIGUEZ Wed, 06/04/2008 - 12:33

Jason,

Im glad I could share my opinion. Just wanted to reinstate to use message-digest-key ospf authentication between your firewall and any downstream or upstream routers participating in OSPF, this way you will have additional security with OSPF and establishing secure adjacency within your firewall Parameter and routers.

HTH

-Jorge

Actions

This Discussion