cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
932
Views
5
Helpful
3
Replies

Dynamic Routing to DMZ- Is this a good idea?

jsecaur
Level 1
Level 1

We currently have a site with ASA5510's in active/standby. There are only two interfaces today. Inside and outside. Both interfaces are advertised to the internal network via seperate OSPF instances.

We are adding a DMZ. My quesiton is;

Is it acceptable to advertise the DMZ network through OSPF (on the ASA) to the inside or should we statically tell the inside how to get to the DMZ?

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ? Instance 1 advertises the inside interface, Instance 2 advertises the Outside interface.

Thanks to all who take the time to read the post!!

3 Replies 3

JORGE RODRIGUEZ
Level 10
Level 10

If you are running OSPF inside your network and already have the ASA inside interface participating in OSPF, I do not see any issues in advertizing your DMZ networks downstrean into your OSPF domain, if you do you may want to use OSPF message-digest-key MD5 in your ospf process for security authentication.

[edit] my personal opinion is I would advertize the DMZ, otherwise you will need to statically adverize your DMZ networks but since you have a dynamic routing protocol in place use it.

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ?

Usually in your ospf process number you have assign for the inside interface, advertize your DMZ with a network statement .

e.i

router ospf

network nameif area

Rgds

-Jorge

Jorge Rodriguez

Thanks for the response. I planned to use the OSPF and advertise on the process that included the inside interface. Just wanted a second opinion.

Good Day.

Jason,

Im glad I could share my opinion. Just wanted to reinstate to use message-digest-key ospf authentication between your firewall and any downstream or upstream routers participating in OSPF, this way you will have additional security with OSPF and establishing secure adjacency within your firewall Parameter and routers.

HTH

-Jorge

Jorge Rodriguez
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: