From my understanding, a PIX will not process and/or accept routing protocol updates from RIP, but if it has IPSec tunnel connected networks available then it is capable of advertising via RIP the networks that are available through it.
Is this correct? If so, are the networks only advertised when there is a valid IPSec sa available?
If this is not the case, how would I make these networks known to routers behind the PIX? Will I have to use static routes?
I guess that I had it backward. However, your wording states that the PIX will not advertise out "other" interfaces. Can you elaborate on this? What does "other" interfaces mean? Does this mean that there are some situations where the PIX will make some type of RIP advertisement?
For example, the Pix will receive a RIP routing update on its inside interface from one neighbor, but will not advertise those routes out to another neighbor on its outside interface.
The only routing advertisement the Pix will make is a default route, if specified using the "default" command.
rip inside default version 2 authentication md5 p@ssw0rd 1
This will enable RIP version 2 on the inside interface using multicast and authentication with an MD5 hash. It will also cause the firewall to broadcast a default route to inside routers. If you don't want it to advertise a default route and only accept routing updates, use:
rip inside passive version 2 authentication md5 p@ssw0rd 1
I recommend against using a routing protocol on the firewall in general if it can be avoided. If it can't be avoided, I highly recommend using version 2 of RIP to take advantage of MD5 encryption and authentication. Only RIP routers sharing the same key will be able to send and decrypt routes with the pix.
BTW. Pix v6.3 due out in April will have support for OSPF as well.
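What the "authentication md5 p@ssw0rd 1" option in the commands above puts on the wire, as an added example that is not part of the original posts: RFC 2082 keyed-MD5 authentication appends a digest computed over the packet plus the shared key, and the route entries themselves are sent as-is. The 10.1.1.0/24 route, the sequence numbers and the function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TRAILER = b"\xff\xff\x00\x01"  # marks the 16-byte digest that ends the packet

def key16(key):
    # RFC 2082 keys are 16 bytes: zero-pad (or truncate) the configured string
    return key.encode()[:16].ljust(16, b"\x00")

def build_response(routes, key, key_id, seq):
    # Route entry: AFI 2 (IP), tag 0, prefix, mask, next hop 0.0.0.0, metric
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(p),
                    socket.inet_aton(m), bytes(4), metric)
        for p, m, metric in routes)
    pkt_len = 4 + 20 + len(body)  # offset of the trailer from the RIP header
    head = struct.pack("!BBH", 2, 2, 0)  # command=response, version=2
    # Auth entry: 0xFFFF, type 3 (keyed digest), length, key id, auth data
    # length (20 here is an assumption; some stacks send 16), sequence number
    auth = struct.pack("!HHHBBI8x", 0xFFFF, 3, pkt_len, key_id, 20, seq)
    signed = head + auth + body + TRAILER
    return signed + hashlib.md5(signed + key16(key)).digest()

def verify(packet, keys, last_seq):
    """Check one received update; keys maps key id -> shared secret."""
    if len(packet) < 44 or packet[1] != 2:
        return False, "short or not RIPv2"
    marker, atype, pkt_len, key_id, _, seq = struct.unpack("!HHHBBI", packet[4:16])
    if (marker, atype) != (0xFFFF, 3):
        return False, "no keyed-MD5 entry"
    if key_id not in keys:
        return False, "unknown key id"
    end = pkt_len + 4
    if packet[pkt_len:end] != TRAILER or len(packet) != end + 16:
        return False, "bad trailer"
    want = hashlib.md5(packet[:end] + key16(keys[key_id])).digest()
    if not hmac.compare_digest(want, packet[end:]):
        return False, "digest mismatch"
    if seq < last_seq:  # replay check: sequence must not go backwards
        return False, "stale sequence"
    return True, "ok"

if __name__ == "__main__":
    pkt = build_response([("10.1.1.0", "255.255.255.0", 1)], "p@ssw0rd", 1, 100)
    print(verify(pkt, {1: "p@ssw0rd"}, 0))        # accepted
    print(verify(pkt, {1: "wrong-key"}, 0))       # rejected
    print(socket.inet_aton("10.1.1.0") in pkt)    # prefix readable on the wire
```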
I have remote routers running IOS and IPSec. These routers will connect to the PIX outside interface and establish an IPSec tunnel with the PIX. I know that IPSec in tunnel mode does not support RIP due to its multicast nature, so I cannot expect the remote router to send RIP updates down the tunnel. However, the PIX knows about the remote subnet available via its outside interface and/or IPSec tunnel. Can I get the PIX to advertise on its inside interface the presence of this subnet so that users on the inside of the PIX can talk to the remote subnet?