
Pix 6.3 and OSPF routes

akohli
Level 1

I have turned on OSPF on the PIX. I have two different areas - 100 on the outside and area 0 on the inside. But, the routes from the inside are showing on the dmz routers. Is there any command on the pix to stop you from doing this?

3 Replies

owillins
Level 6

The PIX firewall would have to be configured as an ABR with NAT enabled on the inside interface, NAT disabled on the DMZ, and all interfaces running OSPF in order to filter Type 3 LSAs. Guess you have configured it as an ASBR in which case the routes would be seen on the DMZ also. For the configuration details, use the information in the following document:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1112847

Hi,

Thanks for the config. It is something to what I was looking for. I am having a little difficulty understanding how the filter list makes the inside area an ABR. In my network the situation is reversed. I have area 0 which is on the inside, and area 100 on the outside. Everything on the inside gets NAT'd to the outside. If I was to place a prefix-list on area 100, then I presume I would have to say something like

ip add outside x.x.x.0 / 24

ip add inside y.y.y.0 / 24

router ospf 1

area 100 filter-list prefix ten out

prefix-list ten deny y.y.y.0/24

prefix-list ten permit x.x.x.0/24 {as there is a second backup pix on the same segment for failover - these are 506E}

Am I correct in the assumption? I presume this would prevent the inside networks from being advertised to area 100 on the outside?
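Added example, not part of the thread and not Cisco's code: a small Python model of how a list shaped like `ten` is evaluated against Type 3 summary prefixes, assuming IOS-style prefix-list semantics on the PIX (exact length unless ge/le is given, first match wins, implicit deny at the end). The addresses are constructed stand-ins for the x.x.x.0 and y.y.y.0 placeholders, and the second list is a hypothetical variant that shows where an exact-length deny stops protecting inside prefixes.

```python
import ipaddress

# Constructed stand-ins: 192.0.2.0/24 for x.x.x.0/24 (outside),
# 10.1.1.0/24 for y.y.y.0/24 (inside). Entries: (action, prefix, ge, le).
LIST_TEN = [
    ("deny", "10.1.1.0/24", None, None),
    ("permit", "192.0.2.0/24", None, None),
]
# Hypothetical variant: same deny, but followed by a permit-any entry.
LIST_PERMIT_ANY_TAIL = [
    ("deny", "10.1.1.0/24", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]

def entry_matches(route, prefix, ge, le):
    """Assumed IOS-style match: route must sit inside the entry's prefix,
    and its length must be exact unless ge/le widen the range."""
    net = ipaddress.ip_network(prefix)
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    low = net.prefixlen if ge is None else ge
    high = 32 if le is None else le
    return low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """Return the action of the first matching entry, else implicit deny."""
    route = ipaddress.ip_network(route)
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"

def advertised(prefix_list, summaries):
    """Summary prefixes that survive the filter and reach the other area."""
    return [s for s in summaries if evaluate(prefix_list, s) == "permit"]

# Constructed candidate summaries: three inside prefixes and the outside one.
SUMMARIES = ["10.1.1.0/24", "10.1.1.128/25", "10.1.2.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    print("list ten:        ", advertised(LIST_TEN, SUMMARIES))
    print("permit-any tail: ", advertised(LIST_PERMIT_ANY_TAIL, SUMMARIES))
```

Under these assumptions the list as posted passes only the outside prefix, while the variant lets the inside /25 and the second inside /24 through because the deny entry matches a single exact-length prefix.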

Hi,

I think you can't filter a route from being advertised in link-state routing protocols, since they do not exchange routes; they exchange the topology database from which the routes are calculated. In an OSPF router you can't do that. But you can filter incoming routes, that is, the route will be present in the topology database but will not be put in the routing table.

Paulo
