
New Member

Pix 6.3 and OSPF routes

I have turned on OSPF on the PIX. I have two different areas - 100 on the outside and area 0 on the inside. But, the routes from the inside are showing on the dmz routers. Is there any command on the pix to stop you from doing this?

3 REPLIES
Silver

Re: Pix 6.3 and OSPF routes

The PIX firewall would have to be configured as an ABR with NAT enabled on the inside interface, NAT disabled on the DMZ, and all interfaces running OSPF in order to filter Type 3 LSAs. Guess you have configured it as an ASBR in which case the routes would be seen on the DMZ also. For the configuration details, use the information in the following document:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1112847

New Member

Re: Pix 6.3 and OSPF routes

Hi,

Thanks for the config. It is something like what I was looking for. I am having a little difficulty understanding how the filter list makes the inside area an ABR. In my network the situation is reversed. I have area 0 which is on the inside, and area 100 on the outside. Everything on the inside gets NAT'd to the outside. If I was to place a prefix-list on area 100, then I presume I would have to say something like

ip address outside x.x.x.0 255.255.255.0
ip address inside y.y.y.0 255.255.255.0
router ospf 1
 area 100 filter-list prefix ten out
prefix-list ten deny y.y.y.0/24
prefix-list ten permit x.x.x.0/24 {as there is a second backup PIX on the same segment for failover - these are 506Es}

Am I correct in the assumption? I presume this would prevent the inside networks from being advertised to area 100 on the outside?
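As an added illustration (not code from this thread or from Cisco), the Python model below applies the prefix-list from the post to an ABR that sits between area 0 and area 100, using the documented meaning of the filter-list direction keyword: `in` filters the Type 3 LSAs injected into the named area, `out` filters the Type 3 LSAs the named area originates toward other areas. The addresses are constructed stand-ins for x.x.x.0/24 and y.y.y.0/24, and the area numbers are those given in the post.

```python
import ipaddress

# Constructed model of an OSPF ABR applying "area <id> filter-list prefix <name> in|out"
# to the Type 3 (summary) LSAs it generates between areas. Direction semantics:
# "in" filters prefixes advertised INTO the named area, "out" filters prefixes the
# named area originates TOWARD other areas. All addresses below are constructed.

INSIDE = "10.1.0.0/24"    # stands in for y.y.y.0/24, the area 0 (inside) network
OUTSIDE = "192.0.2.0/24"  # stands in for x.x.x.0/24, the area 100 (outside) network
ROUTES = {0: [INSIDE], 100: [OUTSIDE]}          # intra-area routes known to the ABR
TEN = [("deny", INSIDE), ("permit", OUTSIDE)]   # prefix-list ten, as posted


def prefix_list_permits(entries, prefix):
    """First-match prefix-list evaluation: exact prefix match, implicit deny at the end."""
    net = ipaddress.ip_network(prefix)
    for action, entry in entries:
        if net == ipaddress.ip_network(entry):
            return action == "permit"
    return False


def summaries_into_area(dest_area, routes, filter_lists):
    """Prefixes the ABR summarises into dest_area after both filter directions apply.
    filter_lists maps (area, "in"|"out") to a prefix-list; a missing key means no filter."""
    injected = []
    for src_area, prefixes in routes.items():
        if src_area == dest_area:
            continue
        for p in prefixes:
            # "out" on the source area: may that area export this prefix at all?
            out_ok = (prefix_list_permits(filter_lists[(src_area, "out")], p)
                      if (src_area, "out") in filter_lists else True)
            # "in" on the destination area: may this prefix be injected into it?
            in_ok = (prefix_list_permits(filter_lists[(dest_area, "in")], p)
                     if (dest_area, "in") in filter_lists else True)
            if out_ok and in_ok:
                injected.append(p)
    return sorted(injected)


def as_posted():
    """area 100 filter-list prefix ten out: filters what area 100 exports, not imports."""
    return summaries_into_area(100, ROUTES, {(100, "out"): TEN})


def with_in_direction():
    """area 100 filter-list prefix ten in: filters what is injected into area 100."""
    return summaries_into_area(100, ROUTES, {(100, "in"): TEN})
```

Running `as_posted()` shows the inside prefix still being summarised into area 100, while `with_in_direction()` returns nothing for area 100; the outside prefix is still exported into area 0 either way.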

New Member

Re: Pix 6.3 and OSPF routes

Hi,

I think you can't filter a route from being advertised in link-state routing protocols, since they do not exchange routes; they exchange the topology database from which the routes are calculated. In an OSPF router you can't do that. But you can filter incoming routes, that is, the route will be present in the topology database, but will not be put in the routing table.

Paulo
