PIX and RIP behavior

tato386
Level 6

From my understanding, a PIX will not process and/or accept routing protocol updates from RIP, but if it has IPSec tunnel-connected networks available then it is capable of advertising via RIP the networks that are available through it.

Is this correct? If so, are the networks only advertised when there is a valid IPSec sa available?

If this is not the case, how would I make these networks known to routers behind the PIX? Will I have to use static routes?

Thanks,

Diego

4 Replies

shannong
Level 4

The Pix WILL accept RIP routing updates. It will NOT advertise routing updates out other interfaces with the exception of a default-route if so specified.

I guess that I had it backward. However, your wording states that the PIX will not advertise out "other" interfaces. Can you elaborate on this? What does "other" interfaces mean? Does this mean that there are some situations where the PIX will make some type of RIP advertisement?

Thanks,

Diego

For example, the Pix will receive a RIP routing update on its inside interface from one neighbor, but will not advertise those routes out to another neighbor on its outside interface.

The only routing advertisement the Pix will make is default-route if specified with using the "default" command.

rip inside default version 2 authentication md5 p@ssw0rd 1

This will enable RIP version 2 on the inside interface using multicast and authentication with an MD5 hash. It will also cause the firewall to broadcast a default route to inside routers. If you don't want it to advertise a default-route and only accept routing updates use:

rip inside passive version 2 authentication md5 p@ssw0rd 1

I recommend against using a routing protocol on the firewall in general if it can be avoided. If it can't be avoided, I highly recommend using version 2 of RIP to take advantage of MD5 encryption and authentication. Only RIP routers sharing the same key will be able to send and decrypt routes with the pix.

BTW. Pix v6.3 due out in April will have support for OSPF as well.

-Shannon
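A small audit helper for the `rip` syntax shown in this reply, written as an added example (not from the thread, not Cisco's code): it parses PIX `rip` statements and flags the weak settings the reply warns about (RIPv1, no authentication, clear-text key). It assumes the PIX 6.x grammar in the comment is complete for this purpose, that the version defaults to 1 when omitted, and uses constructed sample lines with placeholder keys.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# PIX 6.x syntax as used in the reply above (assumed complete for this check):
#   rip <if_name> {default | passive} [version {1 | 2}]
#       [authentication {text | md5} <key> <key_id>]
RIP_RE = re.compile(
    r"^\s*rip\s+(?P<ifname>\S+)\s+(?P<mode>default|passive)"
    r"(?:\s+version\s+(?P<version>[12]))?"
    r"(?:\s+authentication\s+(?P<auth>text|md5)\s+(?P<key>\S+)\s+(?P<key_id>\d+))?\s*$")

V1, NO_AUTH, TEXT_AUTH = "V1", "NO_AUTH", "TEXT_AUTH"

@dataclass
class RipEntry:
    ifname: str
    mode: str              # "default": advertise a default route; "passive": listen only
    version: int           # assumption: PIX defaults to RIPv1 when no version is given
    auth: Optional[str]    # None, "text" or "md5"
    findings: List[str] = field(default_factory=list)

def parse_rip(line: str) -> RipEntry:
    m = RIP_RE.match(line)
    if not m:
        raise ValueError(f"not a rip statement: {line!r}")
    return RipEntry(m["ifname"], m["mode"], int(m["version"] or 1), m["auth"])

def audit(entry: RipEntry) -> RipEntry:
    if entry.version == 1:          # RIPv1 has no authentication field at all
        entry.findings.append(V1)
    if entry.auth is None:          # updates accepted from any host on the segment
        entry.findings.append(NO_AUTH)
    elif entry.auth == "text":      # key crosses the wire in clear text
        entry.findings.append(TEXT_AUTH)
    # md5 is a keyed hash: it authenticates updates but does not encrypt them.
    return entry

def audit_config(config: str) -> Dict[str, List[str]]:
    """Return {interface: findings} for every rip line in a PIX config."""
    rip_lines = [l for l in config.splitlines() if l.strip().startswith("rip ")]
    return {e.ifname: e.findings for e in map(audit, map(parse_rip, rip_lines))}

# Constructed sample config, not from the thread; keys are placeholders.
SAMPLE_CONFIG = """\
rip inside default version 2 authentication md5 p@ssw0rd 1
rip dmz passive version 2 authentication text PLACEHOLDER_KEY 2
rip outside passive
"""
```

Running `audit_config(SAMPLE_CONFIG)` reports nothing for `inside`, a clear-text key for `dmz`, and both RIPv1 and missing authentication for `outside`.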

Heres what I would like to do:

I have remote routers running IOS and IPSec. These routers will connect to the PIX outside interface and establish an IPSec tunnel with the PIX. I know that IPSec in tunnel mode does not support RIP due to its multicast nature, so I cannot expect the remote router to send RIP updates down the tunnel. However, the PIX knows about the remote subnet available via its outside interface and/or IPSec tunnel. Can I get the PIX to advertise on its inside interface the presence of this subnet so that users on the inside of the PIX can talk to the remote subnet?

Diego
