04-08-2004 07:52 AM - edited 03-02-2019 02:53 PM
I know, normally, we do not leak networks out to the public, but there is a special case where we need to have OSPF through the PIX with NAT.
R1-- 192.168.1.1/24---- .2 PIX .2 --- 140.1.1.1/24 .1 R2
I do:
1. In the PIX I configured static 140.1.1.3 192.168.1.1 and an ACL permit ospf any any.
2. Changed the routers' Ethernet OSPF to NBMA and use neighbor to send unicast (the PIX does not understand broadcast/multicast).
The R1 OSPF adjacency is formed and it learns that all the topologies are there, but they do not show in the routing table. I turned debug spf on and see nothing.
Anyone has an idea? Or can anyone help me out with this?
Thanks
04-08-2004 09:40 AM
Check to see if this link helps in troubleshooting.
http://www.cisco.com/en/US/tech/tk365/tk480/technologies_tech_note09186a008009481a.shtml
Also, the PIX firewall with OS 6.3 can run OSPF. If you don't have any issues with having the PIX firewall act like an internal router to the area shared by R1 and R2, you can enable OSPF on the inside and outside interfaces of the PIX.
Hope that helps!
04-08-2004 10:43 AM
The reason that this doesn't work is that NAT translates the IP address when you establish the adjacency but it doesn't translate the content of the LSAs. So if you do a "sh ip ospf da ro" for both R1 and R2 you will see that the link between them is not different in each LSA.
I have been able to get it to work but wouldn't encourage anyone to do what I did in a production network.
Have you considered using BGP to carry the routing updates through the PIX and redistribute into OSPF on both routers? This is commonly used and is much nicer than trying to hack OSPF into thinking that it is talking to some other device on the same subnet.
Hope this helps,
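As an added illustration of the point in the reply above (a constructed Python model, not the poster's configuration or any Cisco code): the PIX static rewrites only the IP header, so R2 forms the adjacency with 140.1.1.3, but SPF reads the LSA's Link Data, finds 192.168.1.1 is not on its own subnet, and installs nothing. The RouterLSA and Packet classes and the single-link LSA are simplifying assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional, Tuple

# Constructed model of the thread's topology (not a packet capture):
#   R1 192.168.1.1/24 --- PIX (static 140.1.1.3 -> 192.168.1.1) --- 140.1.1.1/24 R2

@dataclass
class RouterLSA:
    """Simplified router-LSA with one transit link (RFC 2328 section 12.4.1)."""
    advertising_router: str   # router ID
    link_id: str              # DR's address on the transit network
    link_data: str            # the advertising router's own interface address

@dataclass
class Packet:
    src: str                  # IP header source
    dst: str                  # IP header destination
    lsa: RouterLSA            # OSPF payload, carried as-is

def pix_static_nat(pkt: Packet, inside_ip: str, global_ip: str) -> Packet:
    """Static NAT as the PIX applies it: rewrites the IP header only, never the LSA body."""
    src = global_ip if pkt.src == inside_ip else pkt.src
    return replace(pkt, src=src)

def resolve_next_hop(local_iface: IPv4Interface, lsa: RouterLSA) -> Optional[str]:
    """SPF next-hop step (RFC 2328 16.1.1): over a directly attached transit link the
    next hop is the neighbour's address from the LSA's Link Data, and it must lie on
    the receiving interface's subnet. No usable next hop means no route is installed."""
    candidate = IPv4Address(lsa.link_data)
    return str(candidate) if candidate in local_iface.network else None

def r2_receives(translate_lsa_body: bool = False) -> Tuple[str, Optional[str]]:
    """Send R1's router-LSA through the PIX to R2 and return
    (peer address the adjacency sees, next hop SPF computes)."""
    lsa = RouterLSA(advertising_router="192.168.1.1",
                    link_id="192.168.1.2", link_data="192.168.1.1")
    pkt = Packet(src="192.168.1.1", dst="140.1.1.1", lsa=lsa)  # unicast (NBMA + neighbor)
    pkt = pix_static_nat(pkt, inside_ip="192.168.1.1", global_ip="140.1.1.3")
    if translate_lsa_body:
        # Hypothetical payload-aware translation the PIX does not perform; shown only
        # to isolate which field SPF actually depends on.
        pkt = replace(pkt, lsa=replace(pkt.lsa, link_data="140.1.1.3"))
    r2_iface = IPv4Interface("140.1.1.1/24")
    return pkt.src, resolve_next_hop(r2_iface, pkt.lsa)
```

`r2_receives()` returns ("140.1.1.3", None): the adjacency is up on the translated address while SPF has no next hop, which is exactly the "neighbor up, nothing in the routing table" symptom from the first post.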
04-08-2004 11:16 AM
I bet you could use GRE tunnels to make this work if you didn't want to use BGP...
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
04-08-2004 07:06 PM
Running GRE through the FW/PIX is just like creating a huge hole in your network security and defeats the purpose of using a FW.
My 2 cents.
04-09-2004 02:08 AM
I suggest you run your GRE over VPN tunnel, this will keep your network secure.
04-09-2004 03:54 AM
Making it a VPN tunnel won't help; the traffic will follow the OSPF routes. In other words, if the next hop for OSPF is through the tunnel, the next hop for the traffic will be through the tunnel, which means the traffic itself will be tunneled through the firewall. Any and all of the firewall's protections will not be used for traffic following the tunnel.
You might be able to use BGP through the PIX, and then set the next hop using a route map so the traffic doesn't take the tunnel, but uses the pix.
:-)
Russ.W
04-09-2004 04:00 AM
The goal of putting a FW in place is to make sure that it can inspect the packets and allow or deny them according to your security policy. By configuring a tunnel through your FW (encrypted or not) you are basically allowing anything the routers at the end of that tunnel find appropriate. The FW is not even involved with making sure the traffic matches a predefined security policy (beyond checking if traffic is GRE/IP or IPsec). Why not just remove the FW at this point?
In my view the best way to propagate routing updates via a FW is BGP since it allows you to decouple the control plane from the data plane and therefore allows you to check each and every packet against your security policy.
Hope this helps,
04-09-2004 05:08 AM
I agree BGP is the best way to do it. I was just pointing out that if he didn't want to use BGP for some reason, his only other option is to use GRE tunnels.
04-09-2004 05:44 AM
Is it really an option? I would personally remove the FW rather than implementing GRE through the FW since at this point the only thing the FW does is to provide you a false sense of protection.
My 2 cents,