My question is: if both of the networks that our PIX (506E, ver 6.3) is sitting between are running EIGRP, do I need to do anything to the ports on the routers that connect to the PIX? Like setting those ports to passive listening?
Do you mean "passive-interface"? If you want to turn off the EIGRP announcements from the routers themselves, just configure your interface as a passive-interface (under your router eigrp xxx configuration).
Ah, yes, that is what I meant. Thank you!! But you made a good point in regards to tunneling EIGRP through the PIX. Since it sounds like that is what you have done, would you recommend doing that over passive-interface on the routers that connect to the PIX?
Oh yeah... you can make the router Ethernet (the one connected to the PIX) a passive interface and exchange EIGRP routing info through the tunnel interface; the Ethernet in this case will not interfere in EIGRP at all.
You could just configure the two EIGRP routers to use the neighbor statement so they can talk to one another using unicast messages. Bear in mind that the only reason it works is that EIGRP uses a TTL of 2.
Quite frankly though, I would really prefer running BGP between the two routers on each side of the firewall and then redistribute in EIGRP. This is probably a better design.
Harold Ritter, Sr. Technical Leader, CCIE 4168 (R&S, SP)
I would agree. GRE tunnels tend to defeat the object of having a firewall in the first place. BGP is the most robust option.
Depending on your network topology, the PIX may need to learn these routes too though. You could redistribute EIGRP into RIPv2 on your routers and have the PIX learn those routes? All sounds a bit messy to me though...