08-05-2002 11:55 AM - edited 03-02-2019 12:26 AM
I am trying to set up an external router to advertise a default route with OSPF through a PIX to an inside router using 'default-information originate' (not always). This way the internal router will switch to a floating default static route pointing to another PIX connected to a DSL router for backup if the primary router's default route goes down.
Using static (inside,outside) and static (outside,inside) [PIX 6.2] I am able to get each router to think it is on the same L2 segment as the other. Then, changing the OSPF network type to non-broadcast and setting neighbor statements, I get the two routers to form an adjacency (shows FULL); however, no routing information is being populated into either routing table. I have loopbacks with /32s defined on both routers and participating in OSPF, just so I could see if any network information was being passed. I can see the advertised networks of the other router in a 'show ip ospf database', but not in the routing table. I have an access-list on the PIX permitting OSPF traffic (IP protocol 89) between the routers, and it seems that hellos and LSAs are getting through.
Any ideas? It seems very close...
08-05-2002 04:42 PM
check the following sample config
http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html
HTH
R/Yusuf
08-05-2002 05:39 PM
Before you get too enthused, consider the impact of letting OSPF through the PIX on your security policy. A hacker who successfully penetrates your outside router could inject bogus routes into your inside router and make a mess of your network. Most serious security policies do not permit arbitrary routing to penetrate the firewall.
The good news is that your underlying idea is good, and I have used it for similar purposes. However, I use BGP rather than OSPF because BGP is much more firewall friendly and capable of neighboring with non-adjacent routers even when NATted, eliminating the need to play tricks to make the routers look like they are on the same LAN. See the white paper on redundant firewall configuration on my website for an extreme example.
Vincent C Jones
08-06-2002 08:50 AM
I am not too concerned about hackers so bored that they would do something like that on a network this insignificant.
iBGP was going to be my next try, but I wasn't sure if I could use it to conditionally advertise a default route based on the state of the Internet connection.
Chad Marsh
CCIE# 5185 R/S & ISP/Dial
CCNP, CCDP, CSS1
08-06-2002 01:46 PM
Hi Chad,
I also think that it is a very good idea to use BGP through the firewall. You can send a conditional default route using BGP. There is also a document in the OSPF portion of the Kobayashi technical web site of Cisco which shows examples of why an OSPF route is in the database but not in the routing table.
Regards
Mazhar Karagulle
CCIE# 6683 R&S-C&S
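An added example of the BGP approach the two replies above suggest, not configuration from the thread or from Cisco documentation: the outside router originates a default route toward the inside router only while a prefix learned from the ISP is present in its routing table, the inside router accepts nothing but that default, and the PIX permits only the BGP session between the two peers. All addresses, the AS number, the prefix 203.0.113.0/24 and the list/route-map names are assumed for illustration.

```cisco-ios
! === Outside router (upstream-facing), iBGP peer of the inside router ===
! Assumed: 203.0.113.0/24 is a prefix learned only from the ISP; if it
! leaves the RIB, the Internet link is considered down.
ip prefix-list INTERNET-UP seq 5 permit 203.0.113.0/24
!
route-map ORIGINATE-DEFAULT permit 10
 match ip address prefix-list INTERNET-UP
!
router bgp 65000
 ! inside router's Loopback0 (10.1.1.1) as it appears after PIX static NAT
 neighbor 198.51.100.10 remote-as 65000
 neighbor 198.51.100.10 update-source Loopback0
 ! 0.0.0.0/0 is sent only while a RIB route matches ORIGINATE-DEFAULT
 neighbor 198.51.100.10 default-originate route-map ORIGINATE-DEFAULT
!
! === Inside router (Loopback0 = 10.1.1.1, PIX inside interface = 10.1.1.2) ===
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
!
router bgp 65000
 ! outside router's Loopback0 (192.0.2.1), reached through the primary PIX
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 update-source Loopback0
 ! discard anything but the default route, so a compromised outside
 ! router cannot inject more specific prefixes into the inside table
 neighbor 192.0.2.1 prefix-list ONLY-DEFAULT in
!
! host route to the peer so the session never depends on the default
ip route 192.0.2.1 255.255.255.255 10.1.1.2
! floating default toward the DSL PIX: AD 250 loses to the iBGP default
! (AD 200) and takes over only when the BGP default is withdrawn
ip route 0.0.0.0 0.0.0.0 10.1.1.254 250
!
! === PIX 6.2: expose the inside loopback and allow only the BGP session ===
static (inside,outside) 198.51.100.10 10.1.1.1 netmask 255.255.255.255 0 0
access-list outside_in permit tcp host 192.0.2.1 host 198.51.100.10 eq 179
access-group outside_in in interface outside
```

Because the peering is iBGP, no ebgp-multihop is needed, and BGP carries no addresses inside the TCP payload that the static NAT would have to rewrite.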
08-06-2002 08:54 AM
I already thought about the GRE tunnel, but I don't want traffic to bypass the PIX. If I set up GRE to pass the routing info, the routes advertised will be pointing at the GRE tunnel, which is not what I'm after.
Chad Marsh
CCIE# 5185 R/S & ISP/Dial
CCNP, CCDP, CSS1