Enabling EIGRP on PIX head end firewalls that house multi-homed L2L remote sites
I currently have two VPN head end devices (PIX 515E running 8.04), one at each datacenter. The upstream devices at each data center are Cisco 6500s running EIGRP. The two data centers are directly connected via these 6500s. All IPsec tunnels terminate on one of the two firewalls. Up to now I have added static routes to the 6500s at each data center letting them know where the remote L2L networks live. I would like this setup to be dynamic, since I have the remote VPN device configured to initiate the IPsec connection to both firewalls. My problem is that when a remote site initiates the L2L connection with one or the other firewall, I have to manually change the static routes letting the trusted network know where the remote subnet lives. I am looking into enabling EIGRP on the two firewalls... will enabling EIGRP on the firewalls allow me to remove all of the static routes on the 6500s that let the 6500s know where the remote L2L subnets live?
Re: enabling eigrp on PIX head end firewalls that house multi-ho
Well, EIGRP won't be the best thing to do here, as multicast packets won't go through the IPsec tunnel.
You have 2 options going forward:
Use routers if you have to terminate IPsec with GRE; basically you are encrypting the GRE tunnel, and in the GRE tunnel you can pass the routing updates plus the normal traffic.
Secondly, move to OSPF. Using the OSPF neighbor command you have the option of sending updates as unicast packets, and this can be encrypted using IPsec. If you still want to use EIGRP, it will be a challenge because you might have to redistribute networks to OSPF, which again I think is some manual work. I think the best solution here is OSPF; here is a link which will help you understand what I am saying.
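The unicast-OSPF approach from the reply above, written out as an added example that is not from the original thread or from Cisco: a PIX 8.0 head end forms an OSPF adjacency with the remote peer over the existing L2L tunnel and redistributes what it learns into EIGRP toward the 6500s, which is what lets the static routes go. All addresses (RFC 5737 documentation ranges), interface names, process numbers and metrics are assumptions.

```cisco
! Added example, not the poster's configuration. Assumed addressing:
! head-end outside 198.51.100.1, remote peer 203.0.113.2,
! head-end inside 10.1.0.0/24, remote LAN 10.20.0.0/24.
!
! 1. The crypto ACL must match the OSPF packets themselves: with the
!    neighbor command they leave unicast from the outside address to the
!    peer address, so that host pair has to be "interesting traffic" too.
access-list L2L_REMOTE extended permit ip 10.1.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list L2L_REMOTE extended permit ip host 198.51.100.1 host 203.0.113.2
!
! 2. Make the outside interface a non-broadcast point-to-point OSPF link,
!    so hellos go to the configured neighbor instead of 224.0.0.5
!    (multicast the tunnel would never carry).
interface Ethernet0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
 ospf network point-to-point non-broadcast
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! 3. OSPF toward the tunnel peers; each remote site is a static neighbor.
router ospf 1
 network 198.51.100.0 255.255.255.0 area 0
 neighbor 203.0.113.2 interface outside
 log-adj-changes
!
! 4. EIGRP toward the 6500s, redistributing the OSPF-learned remote LANs.
!    Whichever head end currently holds the tunnel advertises the prefix,
!    so the 6500s no longer need per-site static routes.
router eigrp 100
 network 10.1.0.0 255.255.255.0
 redistribute ospf 1 metric 10000 100 255 1 1500
!
! Verify: "show ospf neighbor" lists 203.0.113.2 in FULL state and
! "show route" carries 10.20.0.0/24 as an OSPF route before the 6500s
! see it as an external EIGRP route.
```

Redistributed routes arrive on the 6500s as EIGRP externals, so check that no remaining static or summary route on the 6500s has a lower administrative distance and silently wins over the dynamic one.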