06-04-2008 08:36 AM - edited 03-11-2019 05:55 AM
We currently have a site with ASA5510's in active/standby. There are only two interfaces today. Inside and outside. Both interfaces are advertised to the internal network via seperate OSPF instances.
We are adding a DMZ. My quesiton is;
Is it acceptable to advertise the DMZ network through OSPF (on the ASA) to the inside or should we statically tell the inside how to get to the DMZ?
If we use OSPF(advertised from the ASA), which instance should advertise the DMZ? Instance 1 advertises the inside interface, Instance 2 advertises the Outside interface.
Thanks to all who take the time to read the post!!
06-04-2008 09:41 AM
If you are running OSPF inside your network and already have the ASA inside interface participating in OSPF, I do not see any issues in advertizing your DMZ networks downstrean into your OSPF domain, if you do you may want to use OSPF message-digest-key MD5 in your ospf process for security authentication.
[edit] my personal opinion is I would advertize the DMZ, otherwise you will need to statically adverize your DMZ networks but since you have a dynamic routing protocol in place use it.
If we use OSPF(advertised from the ASA), which instance should advertise the DMZ?
Usually in your ospf process number you have assign for the inside interface, advertize your DMZ with a network statement .
e.i
router ospf
network nameif
Rgds
-Jorge
06-04-2008 10:00 AM
Thanks for the response. I planned to use the OSPF and advertise on the process that included the inside interface. Just wanted a second opinion.
Good Day.
06-04-2008 12:33 PM
Jason,
Im glad I could share my opinion. Just wanted to reinstate to use message-digest-key ospf authentication between your firewall and any downstream or upstream routers participating in OSPF, this way you will have additional security with OSPF and establishing secure adjacency within your firewall Parameter and routers.
HTH
-Jorge
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: