ASA5520 - Redistributing Inside Routes to Outside Interface - Security Issue?

Unanswered Question
May 26th, 2010

Hey all, had a weird problem.

The outside interface is running OSPF, with the inside interface all static.

There are a bunch of static routes defined for the inside interface.

For some reason, OSPF redistributed all the inside static routes to the outside interface, exposing all of them to other OSPF neighbors on the outside.

We pulled out the "redistribute static" command to alleviate the issue.

Is this normal behavior? I thought it was only supposed to redistribute static routes configured on the outside (there was none in this case).


release 7.2.4

In this case, all OSPF neighbors saw the 10.0.x.0/24 routes?


router ospf 2
network area 0
redistribute static

route Inside 1
route Inside 1
route Inside 1

thanks a lot,


Panos Kampanakis Wed, 05/26/2010 - 21:50

It is normal. It will redistribute all static routes on the ASA. Redistributing only outside routes would not make much sense since the outside world will indeed have better routes for the outside already.

I hope it helps.


Robert Ho Fri, 05/28/2010 - 10:15

I figured that but still consider it a huge security flaw.

The external OSPF neighbors should not be exposed to the "details" of the internal network.

It completely compromises the security levels configured on each interface and the reason why we have NAT to hide the inside.

But thanks for the confirmation. We just have to be careful and put all assumptions aside when adding in these types of configurations.

Panos Kampanakis Fri, 05/28/2010 - 13:10

I do not think it is a security flaw.

If you want your FW to run routing protocols it needs to work as a network device as far as routing is concerned.

It still blocks the traffic as you want it. And you can still authenticate routing with MD5.
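Added example (not configuration from the thread): the posted "redistribute static" beside a filtered version that only lets the outside-pointing static through a route-map, which addresses the first reply's point that the ASA redistributes every static it holds, plus the MD5 neighbor authentication the last reply mentions. The interface names, the 198.51.100.0/24 outside subnet and the 192.0.2.0/24 outside static are assumed values.

```cisco
! --- As posted: every static on the box, inside ones included, is redistributed
router ospf 2
 network 198.51.100.0 255.255.255.0 area 0
 redistribute static subnets

! --- Filtered: only statics matching the standard ACL are exported to OSPF.
! The route-map's implicit deny drops the 10.0.x.0/24 inside statics.
! (assumed prefix; replace with the statics you really want advertised)
access-list OUTSIDE-STATICS standard permit 192.0.2.0 255.255.255.0
route-map STATIC-TO-OSPF permit 10
 match ip address OUTSIDE-STATICS

router ospf 2
 network 198.51.100.0 255.255.255.0 area 0
 no redistribute static
 redistribute static subnets route-map STATIC-TO-OSPF
 area 0 authentication message-digest

! --- MD5 authentication on the outside adjacency (assumed interface name)
interface GigabitEthernet0/0
 nameif outside
 ospf message-digest-key 1 md5 REPLACE-WITH-REAL-KEY
 ospf authentication message-digest
```

After applying the filter, "show ospf database external" on a neighbor should list only the permitted prefix, not the inside statics.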


