02-24-2010 04:58 PM - edited 03-04-2019 07:37 AM
Greetings,
I am trying to configure EIGRP with unicast over a firewall:
outside router:
===========
router eigrp 1
 network 10.0.0.0
 neighbor 10.1.1.1 GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 description firewall out interface
 ip address 10.2.1.1 255.255.255.0
firewall
======
the interface linked to outside router g1/0/2 is 10.2.1.2
the interface linked to inside router is 10.1.1.2
inside router
==========
router eigrp 1
 network 10.0.0.0
 neighbor 10.2.1.1 GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 description firewall in interface
 ip address 10.1.1.1 255.255.255.0
The outside router (it should be the same on the inside router) first broadcasts to find where 10.1.1.1 is.
I cannot let the firewall pass broadcast, obviously.
Do I have any chance to let EIGRP unicast over a firewall? I thought I read something that said it is possible.
Can anyone give me some tips? What should I do on the firewall, and what should I do on the routers?
Any comment will be appreciated
Thanks in advance
julxu
02-24-2010 05:15 PM
Hi,
It is possible to configure EIGRP on a PIX/ASA. As you said, the EIGRP packets are sent to the neighbors as multicast packets.
Since you want to configure EIGRP on a PIX/ASA, it is possible to send EIGRP packets to the neighbors via unicast.
Moreover, you need to open the EIGRP firewall policy in your firewall to send EIGRP packets from your outside router to the inside router, and you need to make some changes on the firewall to send unicast packets.
From the Cisco web portal:
//
EIGRP hello packets are sent as multicast packets. If an EIGRP neighbor is located across a nonbroadcast network, you must manually define that neighbor. When you manually define an EIGRP neighbor, hello packets are sent to that neighbor as unicast messages. In order to define static EIGRP neighbors, go to the Static Neighbor pane.
By default, default routes are sent and accepted. In order to restrict or disable the sending and receiving of default route information, open the Configuration > Device Setup > Routing > EIGRP > Default Information pane. The Default Information pane displays a table of rules to control the sending and receiving of default route information in EIGRP updates.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008086ebd2.shtml
regards
karuppu
02-24-2010 05:32 PM
julxu wrote:
outside router:
===========
router eigrp 1
 network 10.0.0.0
 neighbor 10.1.1.1 GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 description firewall out interface
 ip address 10.2.1.1 255.255.255.0
firewall
======
the interface linked to outside router g1/0/2 is 10.2.1.2
the interface linked to inside router is 10.1.1.2
inside router
==========
router eigrp 1
 network 10.0.0.0
 neighbor 10.2.1.1 GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 description firewall in interface
 ip address 10.1.1.1 255.255.255.0
This won't work as far as I know, even with the neighbor command, because EIGRP requires the 2 neighbor addresses to be on the same subnet, and in your case they aren't.
You have a number of options if you want to run EIGRP between the 2 routers:
1) Use a GRE tunnel between the inside router and the outside router. This is not recommended, as a firewall cannot inspect GRE traffic, so it is just like drilling a hole in your firewall.
2) Configure the firewall in transparent mode instead of routed mode. In transparent mode the 2 routers become L2 adjacent and you could use the same subnet for both router interfaces. This may or may not be an option depending on the rest of your firewall config.
3) If your firewall is a PIX/ASA and it is running v8.x code, or you can upgrade it to v8.x code, then the firewall will be able to run EIGRP, so your inside router would form a neighborship with the firewall and your outside router would form a neighborship with the firewall.
Traditionally BGP was the routing protocol of choice if you need to peer across a firewall because:
1) BGP does not require that a neighbor is on the same subnet.
2) BGP uses TCP for communication, which a stateful firewall is ideally suited for.
Jon
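Added example, not part of the thread: a small Python check that parses the two router configs quoted above and tests each static `neighbor` statement against the directly connected subnet of its exit interface, which is the adjacency rule Jon's reply relies on. The configs are constructed copies of the poster's (typos corrected); the check also covers the option-3 case where the neighbor is the firewall's own interface address.

```python
import ipaddress
import re

# Constructed copies of the two router configs from the thread.
OUTSIDE_ROUTER = """
router eigrp 1
 network 10.0.0.0
 neighbor 10.1.1.1 GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 description firewall out interface
 ip address 10.2.1.1 255.255.255.0
"""

INSIDE_ROUTER = """
router eigrp 1
 network 10.0.0.0
 neighbor 10.2.1.1 GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 description firewall in interface
 ip address 10.1.1.1 255.255.255.0
"""


def parse_interfaces(config):
    """Map interface name -> ip_interface from each 'ip address A.B.C.D MASK' line."""
    ifaces, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = s.split(None, 1)[1]
        elif s.startswith("ip address ") and current:
            _, _, addr, mask = s.split()
            ifaces[current] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def parse_static_neighbors(config):
    """Return [(neighbor_ip, interface_name)] from 'neighbor A.B.C.D <intf>' lines."""
    return re.findall(r"^\s*neighbor\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", config, re.M)


def check_static_neighbors(config):
    """Return [(neighbor, interface, ok)]; ok is True only when the neighbor
    address lies inside the exit interface's directly connected subnet."""
    ifaces = parse_interfaces(config)
    results = []
    for nbr, intf in parse_static_neighbors(config):
        net = ifaces.get(intf)
        ok = net is not None and ipaddress.ip_address(nbr) in net.network
        results.append((nbr, intf, ok))
    return results


if __name__ == "__main__":
    for name, cfg in (("outside", OUTSIDE_ROUTER), ("inside", INSIDE_ROUTER)):
        for nbr, intf, ok in check_static_neighbors(cfg):
            print(f"{name}: neighbor {nbr} via {intf}: {'OK' if ok else 'NOT on connected subnet'}")
```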
02-25-2010 05:37 PM
Hi,
I have image s72033-ipservicesk9_wan-mz.122, do I have a license problem to use BGP? -- No problem. You can configure BGP on your routers; this IOS will support configuring BGP.
And you need to open the firewall rule for BGP protocol communication and to form the neighborship between these routers across your firewall.
regards
karuppu
02-25-2010 05:06 PM
I have image s72033-ipservicesk9_wan-mz.122. Do I have a license problem to use BGP? Please advise.