Allowing OSPF through PIX, for dynamic Internet backup

CHAD MARSH
Level 1

I am trying to set up an external router to advertise a default route with OSPF through a PIX to an inside router using 'default-information originate' (not always); this way the internal router will switch to a floating default static route pointing to another PIX connected to a DSL router for backup if the primary router's default route goes down.

Using static (inside,outside) and static (outside,inside) [PIX 6.2] I am able to get each router to think it is on the same L2 segment as the other; then, changing the OSPF network type to non-broadcast and setting neighbor statements, I get the two routers to form an adjacency (shows FULL). However, no routing information is being populated into either routing table. I have loopbacks with /32s defined on both routers and participating in OSPF, just so I could see if any network information was being passed. I can see the advertised networks of the other router in a 'show ip ospf database', but not in the routing table. I have an access-list on the PIX permitting OSPF traffic (IP protocol 89) between the routers, and it seems that hellos and LSAs are getting through.

Any ideas? It seems very close...

5 Replies

yusuff
Cisco Employee

Check the following sample config:

http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html

HTH

R/Yusuf

Before you get too enthused, consider the impact of letting OSPF through the PIX on your security policy. A hacker who successfully penetrates your outside router could inject bogus routes into your inside router and make a mess of your network. Most serious security policies do not permit arbitrary routing to penetrate the firewall.

The good news is that your underlying idea is good, and I have used it for similar purposes. However, I use BGP rather than OSPF because BGP is much more firewall-friendly and capable of neighboring with non-adjacent routers even when NATted, eliminating the need to play tricks to make the routers look like they are on the same LAN. See the white paper on redundant firewall configuration on my website for an extreme example.

Vincent C Jones

www.networkingunlimited.com

I am not too concerned about hackers so bored that they would do something like that on a network this insignificant.

iBGP was going to be my next try, but I wasn't sure if I could use it to conditionally advertise a default route in based on the state of the Internet connection.

Chad Marsh

CCIE# 5185 R/S & ISP/Dial

CCNP, CCDP, CSS1

Hi Chad,

I also think that it is a very good idea to use BGP through the firewall. You can send a conditional default route using BGP. There is also a document in the OSPF portion of the Kobayashi technical web site of Cisco which shows examples of why an OSPF route is in the database but not in the routing table.

Regards

Mazhar Karagulle

CCIE# 6683 R&S-C&S
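The conditional BGP default that Vincent and Mazhar suggest, as an added, constructed IOS/PIX example that is not from any of the posts above: the outside router originates 0/0 toward the inside router only while a tracked upstream prefix is present in its own routing table, the inside router holds a floating static toward the DSL PIX as the fallback, and the PIX permits only the TCP/179 session between the two explicit peers instead of IP protocol 89. All addresses (documentation ranges), AS numbers, interface and object names are assumptions.

```cisco
! --- Outside router (AS 65001, constructed example) ---
! Upstream prefix whose presence means the Internet link is usable
ip prefix-list UPSTREAM-PRESENT seq 5 permit 203.0.113.0/24
!
! default-originate checks this route-map against the IP routing table:
! 0/0 is advertised only while a matching route exists, withdrawn otherwise
route-map ORIGINATE-DEFAULT permit 10
 match ip address prefix-list UPSTREAM-PRESENT
!
router bgp 65001
 ! 192.0.2.2 is the PIX static-translated address of the inside router
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 ebgp-multihop 2
 neighbor 192.0.2.2 default-originate route-map ORIGINATE-DEFAULT
!
! --- Inside router (AS 65002, constructed example) ---
router bgp 65002
 ! 192.0.2.1 is the outside router as seen through the PIX static
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 ebgp-multihop 2
!
! Floating static toward the DSL PIX (assumed 10.0.0.254): AD 250 loses to
! the eBGP default (AD 20) and is installed only after BGP withdraws 0/0
ip route 0.0.0.0 0.0.0.0 10.0.0.254 250
!
! --- Primary PIX: permit only the BGP session between the two peers ---
! (narrower than allowing IP protocol 89 between the routers)
access-list OUTSIDE-IN permit tcp host 192.0.2.1 host 192.0.2.2 eq 179
access-group OUTSIDE-IN in interface outside
```

With this, a failure of the upstream route on the outside router withdraws the BGP default and the inside router falls back to the floating static without any OSPF adjacency crossing the firewall.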

I already thought about the GRE tunnel, but I don't want traffic to bypass the PIX. If I set up GRE to pass the routing info, the routes advertised will be pointing at the GRE tunnel, which is not what I'm after.

Chad Marsh

CCIE# 5185 R/S & ISP/Dial

CCNP, CCDP, CSS1
