OSPF thru pix

ewei
Level 1

I know normally we do not leak networks out to the public, but there is a special case where we need to have OSPF thru the PIX with NAT.

R1-- 192.168.1.1/24---- .2 PIX .2 --- 140.1.1.1/24 .1 R2

I do :

1. in pix I static 140.1.1.3 192.168.1.1 and ACL permit ospf any any

2. change routers ethernet ospf to NBMA and use neighbor to send unicast (pix does not understand broadcast/multicast)

The R1 OSPF adjacency is formed and it learns that all the topologies are there, but they do not show up in the routing table. I turned debug spf on and see nothing.

Anyone has an idea? Or can anyone help me out with this?

thanks

9 Replies

thisisshanky
Level 11

Check to see if this link helps in troubleshooting.

http://www.cisco.com/en/US/tech/tk365/tk480/technologies_tech_note09186a008009481a.shtml

Also, the PIX firewall with OS 6.3 can run OSPF. If you don't have any issues with having the PIX firewall act like an internal router in the area shared by R1 and R2, you can enable OSPF on the inside and outside interfaces of the PIX.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1112836

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Harold Ritter
Cisco Employee

The reason that this doesn't work is that NAT translates the IP address when you establish the adjacency but it doesn't translate the content of the LSAs. So if you do a "sh ip ospf da ro" for both R1 and R2 you will see that the link between them is not different in each LSA.

I have been able to get it to work but wouldn't encourage anyone to do what I did in a production network.

Have you considered using BGP to carry the routing updates through the PIX and redistributing into OSPF on both routers? This is commonly used and is much nicer than trying to hack OSPF into thinking that it is talking to some other device on the same subnet.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
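The failure mode Harold describes above (adjacency forms, routes never appear) can be reproduced in a small model. The following is an added example, not code from the thread or from Cisco; it models static NAT as a rewrite of the IP header only, and models R2's SPF next-hop resolution as RFC 2328 describes it: the next hop toward a neighbour's prefixes is the interface address carried in that neighbour's Router-LSA link data, and the route is usable only if that address sits on R2's connected segment. The addresses are the ones in the thread's topology; the `10.1.0.0/16` prefix R1 advertises and the "payload-aware NAT" counterfactual are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread's topology (constructed model, not device output)
R1_INSIDE_IF = "192.168.1.1"   # R1's real interface address
R1_GLOBAL    = "140.1.1.3"     # PIX static translation of R1 (from the thread)
R2_IF        = "140.1.1.1"     # R2's interface toward the PIX
OUTSIDE_NET  = ipaddress.ip_network("140.1.1.0/24")
R1_LAN       = "10.1.0.0/16"   # hypothetical prefix that R1 advertises


@dataclass(frozen=True)
class OspfLsu:
    """A Link-State Update as seen on the wire: IP header plus one Router-LSA.

    link_data is the advertising router's own interface address on the shared
    segment (RFC 2328 Router-LSA link entry); stub_prefix is a network behind it.
    """
    ip_src: str
    ip_dst: str
    link_data: str
    stub_prefix: str


def pix_static_nat(pkt: OspfLsu, inside: str, global_addr: str) -> OspfLsu:
    """Static NAT rewrites the IP header source only; the OSPF payload is
    opaque to it, so the LSA still carries the untranslated interface address."""
    if pkt.ip_src == inside:
        return OspfLsu(global_addr, pkt.ip_dst, pkt.link_data, pkt.stub_prefix)
    return pkt


def adjacency_forms(pkt: OspfLsu) -> bool:
    """R2 (NBMA with a unicast neighbor statement) accepts the peer when the
    packet's IP source is on its connected subnet. After header NAT this passes,
    which is why the OP sees the adjacency come up."""
    return ipaddress.ip_address(pkt.ip_src) in OUTSIDE_NET


def spf_next_hop(pkt: OspfLsu):
    """Next-hop resolution at R2: the interface address in the Router-LSA link
    data must be directly reachable on R2's segment, otherwise no route is usable."""
    nh = ipaddress.ip_address(pkt.link_data)
    return str(nh) if nh in OUTSIDE_NET else None


def r2_routing_table(pkt: OspfLsu) -> dict:
    """Routes R2 would install from this neighbour's LSA: prefix -> next hop."""
    if not adjacency_forms(pkt):
        return {}
    nh = spf_next_hop(pkt)
    return {pkt.stub_prefix: nh} if nh else {}


def simulate(translate_payload: bool = False):
    """Return (adjacency_up, routes_installed) for R1's LSU after the PIX.

    translate_payload=True is a counterfactual: an ALG that also rewrote the
    LSA link data. Real static NAT does not do this, which is the whole problem.
    """
    wire = OspfLsu(R1_INSIDE_IF, R2_IF, R1_INSIDE_IF, R1_LAN)
    natted = pix_static_nat(wire, R1_INSIDE_IF, R1_GLOBAL)
    if translate_payload:
        natted = OspfLsu(natted.ip_src, natted.ip_dst, R1_GLOBAL, natted.stub_prefix)
    return adjacency_forms(natted), r2_routing_table(natted)


if __name__ == "__main__":
    print("header-only NAT  :", simulate())                        # (True, {})
    print("payload-aware NAT:", simulate(translate_payload=True))  # route installed
```

Running it shows the adjacency up and an empty routing table for the real (header-only) NAT case, which matches what the OP observed and what Harold's "sh ip ospf da ro" comparison would reveal: R1's LSA still names 192.168.1.1 as its interface, an address R2 has no connected path to.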

jamey
Level 4

I bet you could use GRE tunnels to make this work if you didn't want to use BGP...

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

Running GRE through the FW/PIX is just like creating a huge hole in your network security and defeats the purpose of using a FW.

my 2 cents.

Harold Ritter

I suggest you run your GRE over a VPN tunnel; this will keep your network secure.

Making it a VPN tunnel won't help--the traffic will follow the OSPF routes. In other words, if the next hop for OSPF is through the tunnel, the next hop for the traffic will be through the tunnel, which means the traffic itself will be tunneled through the firewall. Any and all of the firewall's protections will not be used for traffic following the tunnel.

You might be able to use BGP through the PIX, and then set the next hop using a route map so the traffic doesn't take the tunnel, but uses the pix.

:-)

Russ.W

The goal of putting a FW in place is to make sure that it can inspect the packets and allow or deny them according to your security policy. By configuring a tunnel through your FW (encrypted or not) you are basically allowing anything the routers at the end of that tunnel find appropriate. The FW is not even involved in making sure the traffic matches a predefined security policy (beyond checking if the traffic is GRE/IP or IPsec). Why not just remove the FW at this point?

In my view the best way to propagate routing updates via a FW is BGP, since it allows you to decouple the control plane from the data plane and therefore allows you to check each and every packet against your security policy.

Hope this helps,

Harold Ritter

I agree BGP is the best way to do it. I was just pointing out that if he didn't want to use BGP for some reason, his only other option is to use GRE tunnels.

Is it really an option? I would personally remove the FW rather than implement GRE through the FW, since at this point the only thing the FW does is provide you a false sense of protection.

My 2 cents,

Harold Ritter