ASA5520 - Redistributing Inside Routes to Outside Interface - Security Issue?

Robert Ho
Level 1

Hey all, had a weird problem.

The outside interface is running OSPF, with the inside interface all static.

There are a bunch of static routes defined for the inside interface.

For some reason, OSPF redistributed all the inside static routes to the outside interface, exposing all of them to other OSPF neighbors on the outside.

We pulled out the "redistribute static" command to alleviate the issue.

Is this normal behavior? I thought it was only supposed to redistribute static routes configured on the outside (there were none in this case).

ASA5520

release 7.2.4

In this case, all OSPF neighbors saw the 10.0.x.0/24 routes?

!

router ospf 2
router-id 20.20.20.20
network 20.20.20.0 255.255.255.248 area 0
log-adj-changes
redistribute static
!

route Inside 10.0.1.0 255.255.255.0 10.0.0.1 1
route Inside 10.0.2.0 255.255.255.0 10.0.0.1 1
route Inside 10.0.3.0 255.255.255.0 10.0.0.1 1

thanks a lot,

-robert


Panos Kampanakis
Cisco Employee

It is normal. It will redistribute all static routes on the ASA. Redistributing only outside routes would not make much sense since the outside world will indeed have better routes for the outside already.

I hope it helps.

PK

I figured that, but still consider it a huge security flaw.

The external OSPF neighbors should not be exposed to the "details" of the internal network.

It completely compromises the security levels configured on each interface and the reason why we have NAT to hide the inside.

But thanks for the confirmation. We just have to be careful and put all assumptions aside when adding these types of configurations.

I do not think it is a security flaw.

If you want your FW to run routing protocols it needs to work as a network device as far as routing is concerned.

It still blocks the traffic as you want it. And you can still authenticate routing with MD5.

PK
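The thread's point is that an unfiltered "redistribute static" under router ospf advertises every static on the ASA, including the Inside ones, to outside neighbors. The following audit script is an added example (not from the thread or from Cisco) that parses a running-config and lists the prefixes that would be exposed; it assumes that a route-map on the redistribute line is the filter used to limit what gets advertised, that the OSPF-facing interface is named "Outside", and it uses a constructed config modelled on the one posted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config: unfiltered "redistribute static" plus
# the three Inside statics; an Outside default route is added to show interfaces are told apart.
SAMPLE_CONFIG = """\
router ospf 2
 router-id 20.20.20.20
 network 20.20.20.0 255.255.255.248 area 0
 log-adj-changes
 redistribute static
!
route Inside 10.0.1.0 255.255.255.0 10.0.0.1 1
route Inside 10.0.2.0 255.255.255.0 10.0.0.1 1
route Inside 10.0.3.0 255.255.255.0 10.0.0.1 1
route Outside 0.0.0.0 0.0.0.0 20.20.20.1 1
"""
OSPF_RE = re.compile(r"^router ospf (\d+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def unfiltered_static_redistribution(config):
    """OSPF process ids whose 'redistribute static' carries no route-map filter."""
    flagged, process = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = OSPF_RE.match(line)
        if m:
            process = m.group(1)      # entering a router ospf block
        elif line == "!" or line.startswith("route "):
            process = None            # '!' or a global route line ends the block
        elif process and line.startswith("redistribute static") and " route-map " not in line:
            flagged.append(process)
    return flagged

def static_routes_by_interface(config):
    """Map each interface name to the static prefixes ('net mask') configured on it."""
    routes = defaultdict(list)
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m.group(1)].append(f"{m.group(2)} {m.group(3)}")
    return dict(routes)

def exposed_prefixes(config, ospf_interfaces=("Outside",)):
    """Statics behind non-OSPF interfaces that an unfiltered redistribute would advertise."""
    if not unfiltered_static_redistribution(config):
        return []
    return [p for iface, prefixes in static_routes_by_interface(config).items()
            if iface not in ospf_interfaces for p in prefixes]
```

Run it against the output of "show running-config" to see which Inside prefixes an OSPF neighbor would learn; an empty result means the redistribute line is either absent or filtered by a route-map.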
