Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX and RIP behavior

From my understanding, a PIX will not process and/or accept routing protocol updates from RIP but it it has IPSec tunnel connected networks available then it is capable of advertising via RIP the networks that are available thru it.

Is this correct? If so, are the networks only advertised when there is a valid IPSec sa available?

If this is not the case, how would I make these networks know to routers behind the PIX? Will I have to use static routes?

Thanks,

Diego

4 REPLIES
Silver

Re: PIX and RIP behavior

The Pix WILL accept RIP routing updates. It will NOT advertise routing updates out other interfaces with the exception of a default-route if so specified.

New Member

Re: PIX and RIP behavior

I guess that I had it backward. However, your wording states that the PIX will not advertise out "other" interfaces. Can you elaborate on this? What does "other" interfaces mean? Does this mean that there is some situations where PIX will make some type of RIP advertisement?

Thanks,

Diego

Silver

Re: PIX and RIP behavior

For example, the Pix will receive a RIP routing update on its inside interace from one neighbor, but will not advertise those routes out to another neighbor on its outside interface.

The only routing advertisement the Pix will make is default-route if specified with using the "default" command.

rip inside default version 2 authentication md5 p@ssw0rd 1

This will enable RIP version 2 on the inside interface using multicast and authentication with an MD5 hash. It will also causes the firewall to broadcast a default route to inside routers. If you don't want it to advertise a default-route and only accept routing updates use:

rip inside passive version 2 authentication md5 p@ssw0rd 1

I recommend against using a routing protocol on the firewall in general if it can be avoided. If it can't be avoided, I highly recommend using version 2 of RIP to take advantage of MD5 encryption and authentication. Only RIP routers sharing the same key will be able to send and decrypt routes with the pix.

BTW. Pix v6.3 due out in April will have support for OSPF as well.

-Shannon

New Member

Re: PIX and RIP behavior

Heres what I would like to do:

I have remote routers running IOS and IPSec. These router will connect to the PIX outside interface and establish an IPSec tunnel with the PIX. I know that IPSec in tunnel mode does not support RIP due to its multicast nature so I cannot expect the remote router to send RIP updates down the tunnel. However, the PIX knows about the remote subnet available via its outside interface and/or IPSec tunnel. Can I get the PIX to advertise on its inside interface the presence of this subnet so that users on the inside of the PIX can talk to the remote subnet?

Diego

121
Views
0
Helpful
4
Replies
CreatePlease to create content