Site2Site VPN (PIX2PIX 7.0) and OSPF between firewalls over IPSEC

Dec 20th, 2005

Hi everybody


I have to configure something which looks very similar with this.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml


Consider that Rodney and House are not in the picture. What I have is a pair of VPN concentrators in load balancing mode in each site; the OSPF is running fine between the PIX (Active/Passive with failover) and the concentrators, and RRI works as well.


Now my plan is to have the PIX firewalls between the two sites running OSPF and updating each other on the reverse-injected routes learned from their concentrators.


The diagram showed on that webpage doesn't look correct to me.


Firstly: I don't understand how it is possible to have the same IP subnet for the two outside PIX interfaces when they are separated by the Internet.


Secondly: if you look at the configuration that results on the PIX firewalls, you see that OSPF is configured only on Lion. Poor Tiger has no OSPF on it (no ACL defined for that, no point-to-point outside interface, no OSPF process and no neighbor pointing to Lion).


Is that correct?


Can anybody please point me to a document which describes the correct config? What am I missing?


Cisco says that to debug the adjacency process you have to verify that the following HELLO parameters match on the neighboring interfaces:


OSPF area number (Issue the show ip ospf interface interface-name command to check.)


OSPF area type, such as stub or NSSA (Issue the show ip ospf command to check.)


Subnet and subnet mask (Issue the show interface command to check.)


OSPF HELLO and Dead timer values (Issue the show ip ospf interface interface-name command to check.)


Obviously having two sites separated by the Internet doesn't allow you this. I have considered the idea of having subinterfaces and using them as we use the loopback interfaces. I will test this, but in the meantime I would like to hear some opinions about this configuration.


When it comes to defining neighbors, the "neighbor" command line help says this:

*************************

To define a static neighbor on a point-to-point, non-broadcast network, use the neighbor command in router configuration mode. To remove the statically defined neighbor from the configuration, use the no form of this command. The neighbor command is used to advertise OSPF routes over VPN tunnels.


neighbor ip_address [interface name]

no neighbor ip_address [interface name]


Usage Guidelines


One neighbor entry must be included for each known non-broadcast network neighbor. The neighbor address must be on the primary address of the interface.

The interface option needs to be specified when the neighbor is not on the same network as any of the directly connected interfaces of the system. Additionally, a static route must be created to reach the neighbor.


**************************


So


"The neighbor address must be on the primary address of the interface." Which interface, which firewall? Local firewall local interface, or remote firewall remote interface?


And


The interface option needs to be specified when the neighbor is not on the same network



Does it have to be the same subnet or not?




Thank you

Cristian

cristip Tue, 12/20/2005 - 15:15

Problem solved.


It works with the two outside interfaces in different subnets.

OSPF has to be configured at both ends.

The access-list used was

extended permit ip interface outside host =remoteip=


Cristian
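To make the solved configuration concrete, here is an added example of one side (call it Lion) of such a setup, not from the thread or from Cisco's document. It assumes PIX 7.0 syntax, documentation addresses (192.0.2.0/24 for Lion's outside, 198.51.100.1 for Tiger's outside, 10.1.0.0/24 inside), and a crypto map/tunnel-group named OUTSIDE-MAP; Tiger mirrors it with the addresses swapped.

```text
! Lion (PIX 7.0) -- constructed example, addresses are placeholders
! The two outside interfaces are in DIFFERENT subnets; the OSPF
! adjacency forms over the IPsec tunnel, not over a shared LAN.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 ospf network point-to-point non-broadcast
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Crypto ACL: traffic from our outside address to the peer's outside
! address (this is where the OSPF packets travel) goes into the tunnel.
access-list VPN-LION-TIGER extended permit ip interface outside host 198.51.100.1
!
! The neighbor is not on a directly connected network, so a static
! route to it is required (here via the ISP next hop).
route outside 198.51.100.1 255.255.255.255 192.0.2.254
!
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
 network 10.1.0.0 255.255.255.0 area 0
 ! Static neighbor = the REMOTE firewall's outside address, reached
 ! through OUR outside interface.
 neighbor 198.51.100.1 interface outside
 log-adj-changes
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-LION-TIGER
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <placeholder>
```

Once both adjacencies are FULL (check with show ospf neighbor), the RRI routes each PIX already learns from its concentrators propagate to the other site as ordinary OSPF routes, with no extra redistribution needed.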