Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
487
Views
0
Helpful
3
Replies

Passing EIGRP through a PIX

m-raft
Level 1
Level 1

‎02-04-2003 07:11 AM - edited ‎02-20-2020 10:32 PM

Is it possible to pass EIGRP through a PIX. I know that the PIX will not pass multicast packets and EIGRP uses multicast. I have read that you can use the neighbor command on the routers to send unicast instead of multicast. If i set this up and permit eigrp on an access list on the PIX between the 2 routers will that allow the routing updates to occur between the 2 routers? In this scenario I would have one router on a DMZ interface and the other router on the inside interface.

Thanks

MIke

0 Helpful
3 Replies 3

steve.barlow
Level 7
Level 7

‎02-04-2003 08:13 AM

Yes, you shoudl be able to do it (eigrp over pix). But not sure you would want to do it from a security point of view.

Although the neighbor command is accepted by the Cisco IOS under EIGRP, it should not be used. The neighbor statement does not behave as intended and can have a negative effect on EIGRP neighbors. See bug CSCdv19648 for more information.

The best way to accomplish this would be to set-up a GRE tunnel between the routers and open the PIX access-lists to allow gre between the routers.

eg.

hostname R1

!

interface Loopback0

ip address 10.1.1.1 255.255.255.0

!

interface Tunnel0

ip address 192.168.1.1 255.255.255.0

tunnel source Loopback0

tunnel destination 10.3.3.3

!

router eigrp 1

network 10.1.1.0 0.0.0.255

network 192.168.1.0

network y.y.y.y

no auto-summary

hostname R3

!

interface Loopback0

ip address 10.3.3.3 255.255.255.0

!

interface Tunnel0

ip address 192.168.1.3 255.255.255.0

tunnel source Loopback0

tunnel destination 10.1.1.1

!

router eigrp 1

network 10.3.3.0 0.0.0.255

network 192.168.1.0

network x.x.x.x

no auto-summary

The PIX would look something like this (minus the static/NAT/global commands):

access-list 101 permit gre host 10.3.3.3 host 10.1.1.1 (if no nat used, if nat used the nat'ed IP would be used instead of 10.1.1.1)

access-group 101 in interface outside

Hope it helps.

Steve

0 Helpful

kdarmstrong
Level 1
Level 1
In response to steve.barlow

‎02-10-2003 07:18 AM

Steve,

Would this work with RIPv2?

and ..

do you know if we can set up a GRE tunnel between Cisco and Bay networks?

thanks

Ken

0 Helpful

steve.barlow
Level 7
Level 7
In response to kdarmstrong

‎02-10-2003 12:28 PM

Yes it will work with RIPv2 as it uses a multicast address (224.0.0.9). And as for GRE between Cisco and Bay, sorry I have no idea, but I would guess yes as GRE uses protocol 47 (not proprietary to either company).

Steve

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card