ASA5520 - Redistributing Inside Routes to Outside Interface - Security Issue?

Hey all, had a weird problem.

The outside interface is running OSPF, with the inside interface all static.

There are a bunch of static routes defined for the inside interface.

For some reason, OSPF redistributed all the inside static routes to the outside interface, exposing all of them to other OSPF neighbors on the outside.

We pulled out the "redistribute static" command to alleviate the issue.

Is this normal behavior? I thought it was only supposed to redistribute static routes configured on the outside (there were none in this case).

ASA5520

release 7.2.4

In this case, all OSPF neighbors saw the 10.0.x.0/24 routes?

!

router ospf 2
router-id 20.20.20.20
network 20.20.20.0 255.255.255.248 area 0
log-adj-changes
redistribute static
!

route Inside 10.0.1.0 255.255.255.0 10.0.0.1 1
route Inside 10.0.2.0 255.255.255.0 10.0.0.1 1
route Inside 10.0.3.0 255.255.255.0 10.0.0.1 1

thanks a lot,

-robert

3 REPLIES
Cisco Employee

Re: ASA5520 - Redistributing Inside Routes to Outside Interface

It is normal. It will redistribute all static routes on the ASA. Redistributing only outside routes would not make much sense since the outside world will indeed have better routes for the outside already.

I hope it helps.

PK

Community Member

Re: ASA5520 - Redistributing Inside Routes to Outside Interface

I figured that, but I still consider it a huge security flaw.

The external OSPF neighbors should not be exposed to the "details" of the internal network.

It completely compromises the security levels configured on each interface and the reason why we have NAT to hide the inside.

But thanks for the confirmation. We just have to be careful and put all assumptions aside when adding in these types of configurations.

Cisco Employee

Re: ASA5520 - Redistributing Inside Routes to Outside Interface

I do not think it is a security flaw.

If you want your FW to run routing protocols, it needs to work as a network device as far as routing is concerned.

It still blocks the traffic as you want it. And you can still authenticate routing with MD5.

PK
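As an added illustration of the two points raised in this thread (keeping static redistribution for outside-facing routes while keeping inside prefixes out of OSPF, and authenticating OSPF with MD5), here is an ASA configuration built on the original poster's snippet. It is not from the thread or from Cisco; the access-list and route-map names, the interface name GigabitEthernet0/0 and the key value are assumptions chosen for this example.

```cisco
! --- Original (weak) setting from the thread: every static route on the
! --- ASA, including the Inside 10.0.x.0/24 routes, is redistributed into OSPF.
! router ospf 2
!  redistribute static

! --- Corrected setting: filter what "redistribute static" may advertise.
! Standard ACL: deny the inside aggregate, permit everything else
! (assumed names; adjust to the real inside address space).
access-list STATIC-TO-OSPF-ACL standard deny 10.0.0.0 255.0.0.0
access-list STATIC-TO-OSPF-ACL standard permit any

! Route-map that OSPF consults before redistributing a static route.
! Only routes permitted by the ACL are exported; the rest are silently dropped.
route-map STATIC-TO-OSPF permit 10
 match ip address STATIC-TO-OSPF-ACL

router ospf 2
 router-id 20.20.20.20
 network 20.20.20.0 255.255.255.248 area 0
 log-adj-changes
 ! Redistribution stays enabled, but is now constrained by the route-map.
 redistribute static subnets route-map STATIC-TO-OSPF
 ! Require MD5 authentication for all OSPF neighbors in area 0.
 area 0 authentication message-digest

! Per-interface MD5 key on the outside interface (assumed interface name;
! REPLACE-WITH-KEY is a placeholder, not a real key).
interface GigabitEthernet0/0
 nameif outside
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-KEY
```

After applying it, `show ospf database external` on the ASA should no longer list the 10.0.x.0/24 prefixes, and neighbors without the matching MD5 key will fail to form an adjacency.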
