Passive routes with OSPF on the PIX

Answered Question
Aug 24th, 2010

Hi,


Having just upgraded my PIXs to software v8 at last I was hoping to have them partake in OSPF on the network.


The PIXs all have lots of DMZs which I would like to advertise over OSPF to remove a *lot* of brittle static routes but of course I would like to *not* advertise or receive OSPF from those DMZs. I had assumed I could make those interfaces passive - or better still, issue:


router ospf 1
passive-interface default


And then exempt just the internal interface.


However, (unlike IOS) there seems to be no concept of passive in the PIX's OSPF implementation - a place where I thought it would be very useful...


How do I distribute those DMZs over OSPF without advertising OSPF into them?


I had considered using:


redistribute connected subnets


However, that redistributes things like the public Internet interface, which I don't want. Plus, even if there is a way to stop it including the public interface it seems more prone to user error than passive default with a single exception.


Any ideas? If not, can I limit the interfaces in redistribute connected subnets?


Thanks for any ideas!

Scott Nishimura Tue, 08/24/2010 - 13:47

Hi Peter,


unfortunately, the asa/pix does not have the passive interface command like it is on eigrp.  There is an enhancement request for this but there's no info if it will be implemented any time soon.


For alternatives... you can not include the network in the ospf process.  You would have to define your networks so that it's not included there.  I have seen customers use an ACL to block incoming traffic; however, outgoing ospf traffic is not able to be restricted.


Are you able to restrict the networks to not include the interfaces you are preferring not to do ospf?


regards,

scott

PeterWorth Wed, 08/25/2010 - 08:12

Scott,


Thanks for the reply, much appreciated.


I'm not sure what you mean by "not include the network in the ospf process". I think you mean to just not list the DMZs as networks to include in OSPF. So, if my current OSPF config looks like this:



router ospf 1

  log-adjacency-changes
  area 0 authentication message-digest

  network area 0
  network area 0
  network area 0
  network area 0
  network area 0


You would suggest dropping all the "network area 0" lines, which safely excludes them but then means OSPF isn't doing the job I was after? (Of removing the need for static routes). Have I got that right?


I was thinking I could otherwise:


  1. Use EIGRP on the ASA/PIX and redistributed EIGRP into OSPF on some nearby L3 switches which currently run OSPF anyway (I can use passive interfaces under EIGRP on the PIX, right? I figure the workload of adding EIGRP to the L3s won't be too high...)
  2. Get the nearby L3 switches to redistribute the current static routes they have for the DMZs into OSPF


1 seems like a complicated fix for a fairly small issue and I'm worried it brings a lot of complexity. 2 seems to be a little brittle, I still have to manage static routes...


Any opinion or other options? Thanks again.

Correct Answer
Scott Nishimura Wed, 08/25/2010 - 11:34

Hi Peter,


thanks, yes.. i was suggesting to remove the dmz network commands under the OSPF process.  As you mentioned, it won't really do what you are looking to do with removing the statics since it's disabling ospf for that network.


Turning on eigrp would seem to be a lot of extra work just to remove the statics if that is all that it will be used for, but it would allow you to do the passive interface which would accomplish not snd/rcv eigrp out the specific interface.


I just reread your entire first message and i believe i understand now what you are after--  Going back to your first inquiry with the redistribution.. you can redistribute the static and use a route map to control which routes you are going to redistribute.  You can then remove the networks for the dmz under the router ospf process.


example:


access-list ospfredist standard permit 10.10.10.0 255.255.255.0
access-list ospfredist standard permit 192.168.10.0 255.255.255.0

route-map static-ospf
  match ip address ospfredist

router ospf 10
  redistribute static subnets route-map static-ospf

this should redistribute only the statics that you listed above.


hope this helps a bit.

-scott
PeterWorth Thu, 08/26/2010 - 02:22

Scott,


That makes a lot of sense, and you are right - EIGRP probably is overkill.


A route-map is the right way to do this, not too sure why I didn't think of it...


I've taken your suggestion and it works great, the only thing I changed is rather than redistribute the statics from the routers, I've redistributed the connected subnets from the PIX instead - still using the same route-map to avoid including the outside route, etc.


(It just seemed more manageable to keep the route map that lists what's on the PIX, on the PIX)


So, for anyone else who reads this, I changed:


router ospf 10
  redistribute static subnets route-map static-ospf

To:

router ospf 10
  redistribute connected subnets route-map static-ospf


And ran the lot on the PIX instead of the L3/router.


Scott, thanks again!
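To make the filtering behaviour of Scott's route-map suggestion and Peter's `redistribute connected subnets route-map static-ospf` variant concrete, here is an added Python model (not part of the thread, and not Cisco code) that applies the thread's `ospfredist` standard ACL to a constructed set of connected subnets. The interface names and prefixes (including the 203.0.113.0/29 "outside" network from a documentation range) are constructed sample data, and the "route's network address falls inside the ACL entry's subnet" match rule is an assumed IOS/ASA-style semantic. The useful property it shows is that the ACL's implicit deny fails closed: the outside interface and any DMZ that has not been listed yet are withheld rather than leaked into OSPF.

```python
"""Model of 'redistribute connected subnets route-map X' filtered by a standard ACL.

Added example, not Cisco code. Sample interfaces/prefixes are constructed.
"""
import ipaddress

# Constructed sample of the connected subnets a PIX might hold (not from the thread).
# 203.0.113.0/29 is a documentation range standing in for the public outside interface.
CONNECTED = {
    "outside": "203.0.113.0/29",
    "inside": "10.1.0.0/24",       # runs OSPF natively via a network statement, not redistribution
    "dmz1": "10.10.10.0/24",
    "dmz2": "192.168.10.0/24",
    "dmz3": "172.16.5.0/24",       # a DMZ that has not been added to the ACL yet
}

# The ACL lines from Scott's answer, in ASA/PIX standard-ACL syntax.
ACL_LINES = [
    "access-list ospfredist standard permit 10.10.10.0 255.255.255.0",
    "access-list ospfredist standard permit 192.168.10.0 255.255.255.0",
]


def parse_standard_acl(lines):
    """Parse 'access-list NAME standard {permit|deny} NET MASK' lines.

    Returns {acl_name: [(action, IPv4Network), ...]} in configured order.
    """
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[0] != "access-list" or parts[2] != "standard":
            raise ValueError(f"unsupported ACL line: {line!r}")
        name, action, net, mask = parts[1], parts[3], parts[4], parts[5]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACL line: {line!r}")
        acls.setdefault(name, []).append((action, ipaddress.ip_network(f"{net}/{mask}")))
    return acls


def acl_action(entries, prefix):
    """First matching entry wins; a standard ACL ends with an implicit deny.

    Assumed match semantics (IOS/ASA style): the route's network address
    lies inside the entry's subnet.
    """
    for action, net in entries:
        if prefix.network_address in net:
            return action
    return "deny"


def apply_route_map(connected, acls, acl_name):
    """Model 'route-map X' with a single 'match ip address ACL' permit clause,
    applied by 'redistribute connected subnets route-map X'.

    Returns (advertised, withheld): dicts of interface -> prefix string.
    """
    entries = acls[acl_name]
    advertised, withheld = {}, {}
    for ifname, cidr in connected.items():
        prefix = ipaddress.ip_network(cidr)
        target = advertised if acl_action(entries, prefix) == "permit" else withheld
        target[ifname] = cidr
    return advertised, withheld


if __name__ == "__main__":
    acls = parse_standard_acl(ACL_LINES)
    adv, held = apply_route_map(CONNECTED, acls, "ospfredist")
    print("redistributed into OSPF:", adv)
    print("withheld (implicit deny):", held)
```

Running it shows only dmz1 and dmz2 being redistributed; outside, inside and the unlisted dmz3 are withheld. That is the operational point of the route-map approach: forgetting to add a new DMZ to the ACL costs reachability (noticed quickly, fixed with one line) rather than silently advertising the public interface into the interior.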

Scott Nishimura Thu, 08/26/2010 - 10:53

Hi Peter,


that's great news.. glad it's working for you.  Yes, initially, i was not thinking of that either and then when i re-read your problem and the responses you mentioned, i thought this sounds like the job of the route-map restricting specific routes on redistribution.


thanks.. have a nice day.


-scott
