Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Dynamic Routing to DMZ- Is this a good idea?

We currently have a site with ASA5510's in active/standby. There are only two interfaces today. Inside and outside. Both interfaces are advertised to the internal network via seperate OSPF instances.

We are adding a DMZ. My quesiton is;

Is it acceptable to advertise the DMZ network through OSPF (on the ASA) to the inside or should we statically tell the inside how to get to the DMZ?

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ? Instance 1 advertises the inside interface, Instance 2 advertises the Outside interface.

Thanks to all who take the time to read the post!!

3 REPLIES

Re: Dynamic Routing to DMZ- Is this a good idea?

If you are running OSPF inside your network and already have the ASA inside interface participating in OSPF, I do not see any issues in advertizing your DMZ networks downstrean into your OSPF domain, if you do you may want to use OSPF message-digest-key MD5 in your ospf process for security authentication.

[edit] my personal opinion is I would advertize the DMZ, otherwise you will need to statically adverize your DMZ networks but since you have a dynamic routing protocol in place use it.

If we use OSPF(advertised from the ASA), which instance should advertise the DMZ?

Usually in your ospf process number you have assign for the inside interface, advertize your DMZ with a network statement .

e.i

router ospf

network nameif area

Rgds

-Jorge

New Member

Re: Dynamic Routing to DMZ- Is this a good idea?

Thanks for the response. I planned to use the OSPF and advertise on the process that included the inside interface. Just wanted a second opinion.

Good Day.

Re: Dynamic Routing to DMZ- Is this a good idea?

Jason,

Im glad I could share my opinion. Just wanted to reinstate to use message-digest-key ospf authentication between your firewall and any downstream or upstream routers participating in OSPF, this way you will have additional security with OSPF and establishing secure adjacency within your firewall Parameter and routers.

HTH

-Jorge

426
Views
5
Helpful
3
Replies