OSPF route filtering on ASA

Answered Question
Jul 15th, 2010

Hi,


Could someone guide me on how I can filter the OSPF routes on the Cisco ASA inside interface? I want only my private network to be part of the OSPF configured on the ASA, but I am getting other routes too from external networks. Please suggest.


Thanks,

Correct Answer by Nagaraja Thanthry about 6 years 7 months ago

Hello,


Unfortunately, there does not seem to be an option on the firewall to filter routes. So, you might want to do it on the inside router itself. You can use "distribute-list out".


You need to make sure that this configuration does not affect any of your other devices.


Hope this helps.


Regards,


NT


winpwnkmr Fri, 07/16/2010 - 02:06

Hi NT,


Those are Type-5 AS External Link States. I tried distribute-list out, but it is not allowing me; with and without the interface command it is not resolved. I can see those routes in the ASA. I tried distribute-list in and out, both on the internal router (R3), but no help.


I am attaching the topology too. I want a few Type-5 LSA routes to stop coming to R3 as well as the FW. After applying distribute-list in, those routes are not there in sh ip route, but in sh ip ospf database I can see those routes.


Please suggest how this can be possible.


Thanks,

Jitendriya Athavale Sun, 07/18/2010 - 00:15

I would suggest posting this query in the routing community


because I had a similar issue and I was told by a few routing experts in my org that the OSPF architecture is such that we cannot block incoming routes from being sent across the firewall


What I mean is we cannot filter OSPF updates like we do EIGRP; the only way to stop updates coming from a different network is by stopping them at the source.


But as I said, again, I am not a routing expert, so I would suggest that this query be opened in the routing community.
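The two behaviours described in this thread, shown as an added IOS configuration example (not posted by anyone in the discussion): a distribute-list in on R3 only keeps the prefixes out of R3's own routing table, while the Type-5 LSAs remain in the link-state database and are still flooded to the ASA; filtering on the redistribution route-map at the originating ASBR stops the LSAs from being generated at all. The device name R1, the process ID and the prefixes are assumed values.

```cisco
! --- On R3 (inside router): RIB-only filter, as tried in the thread ---
! Constructed prefix: 192.0.2.0/24 stands in for an unwanted external route.
ip prefix-list NO-EXTERNAL seq 10 deny 192.0.2.0/24
ip prefix-list NO-EXTERNAL seq 20 permit 0.0.0.0/0 le 32
!
router ospf 1
 ! Removes the prefix from "show ip route" on R3 only.
 ! The Type-5 LSA is still present in "show ip ospf database external"
 ! and is still flooded to the ASA on the inside segment.
 distribute-list prefix NO-EXTERNAL in
!
! --- On the ASBR that originates the Type-5 LSAs (assumed name R1) ---
! Only the private prefix (constructed: 10.20.0.0/16) is allowed to be
! redistributed; everything else never becomes an LSA, so neither R3
! nor the ASA ever learns it.
ip prefix-list ALLOWED-EXTERNAL seq 10 permit 10.20.0.0/16
!
route-map OSPF-REDIST permit 10
 match ip address prefix-list ALLOWED-EXTERNAL
!
router ospf 1
 ! Implicit deny at the end of the route-map drops all other prefixes.
 redistribute static subnets route-map OSPF-REDIST
```

To confirm which of the two is in effect, compare "show ip ospf database external" (LSDB) with "show ip route ospf" (RIB) on R3: with the R3 filter alone the first still lists the prefix, with the ASBR filter it is absent from both.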
