Cisco Support Community
Community Member

PIX & EIGRP Networks

My question is: if both of the networks that our PIX (506E, ver 6.3) is sitting between are running EIGRP, do I need to do anything to the ports on the routers that connect to the PIX, like setting those ports to passive listening?

8 REPLIES
Community Member

Re: PIX & EIGRP Networks

I am not sure whether PIX SecureOS 6.3 will pass EIGRP multicast traffic or not, but I know for sure ver 6.2 and older won't.

The way we used to do it in such cases is to build a tunnel across the PIX between the two routers in question.

Community Member

Re: PIX & EIGRP Networks

Right, I guess a better wording of my question would be "how do I turn off the EIGRP updates on the routers that connect to the PIX"?

I plan on entering static IPs into the PIX to move the traffic through it but don't want to get errors with EIGRP updates.

Community Member

Re: PIX & EIGRP Networks

Do you mean "passive-interface"? If you want to turn off the EIGRP announcements from the routers themselves, just configure your interface as a passive-interface (under your router eigrp xxx configuration).

Community Member

Re: PIX & EIGRP Networks

Ah, yes, that is what I meant. Thank you!! But you made a good point in regards to tunneling EIGRP through the PIX. Since it sounds like that is what you have done, would you recommend doing that over passive-interface on the routers that connect to the PIX?

Community Member

Re: PIX & EIGRP Networks

Oh yeah... you can make the router ethernet (the one connected to the PIX) a passive interface and exchange EIGRP routing info through the tunnel interface; the ethernet in this case will not interfere with EIGRP at all.

Community Member

Re: PIX & EIGRP Networks

Hello,

Technically, you can run EIGRP through PIX without tunneling on ver 6.2. The PIX will pass the multicast updates if you set up the PIX correctly.

You can do this in two different ways: first by using double NAT on the PIX, and second without using double NAT - just one-to-one networks.

Just FYI.

thanks - Jeff

Cisco Employee

Re: PIX & EIGRP Networks

You could just configure the two EIGRP routers to use the neighbor statement so they can talk to one another using unicast messages. Bear in mind that the only reason it works is that EIGRP uses a TTL of 2.

Quite frankly though, I would really prefer running BGP between the two routers on each side of the firewall and then redistribute in EIGRP. This is probably a better design.

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
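The unicast-neighbor approach from the reply above, combined with the double-NAT trick Jeff mentioned, written out as one added configuration example (this is not from the thread or from Cisco). The AS number, interface names and addresses are constructed; the PIX interfaces are assumed to be 10.1.1.254 inside and 192.168.1.254 outside, and the PIX static and access-list lines are written from memory of the 6.x syntax and should be checked against the 6.3 command reference. Note that passive-interface belongs to the other option discussed earlier (static routes through the PIX); it suppresses hellos entirely, so it must not be put on the same interface as a neighbor statement.

```ios
! --- Inside router (10.1.1.1/24 toward the PIX inside interface) ---
interface FastEthernet0/0
 description Link to PIX inside interface
 ip address 10.1.1.1 255.255.255.0
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.10.0.0 0.0.255.255
 ! Static neighbor: EIGRP sends unicast to 10.1.1.2 on this interface instead of
 ! multicast to 224.0.0.10, so no multicast has to cross the firewall. 10.1.1.2 is
 ! the outside router as translated by the PIX, so it appears directly connected
 ! (EIGRP drops hellos whose source is not on the receiving interface's subnet).
 neighbor 10.1.1.2 FastEthernet0/0
!
! --- Outside router (192.168.1.2/24 toward the PIX outside interface) ---
interface FastEthernet0/0
 description Link to PIX outside interface
 ip address 192.168.1.2 255.255.255.0
!
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 172.16.0.0 0.0.255.255
 ! 192.168.1.1 is the inside router as translated by the PIX.
 neighbor 192.168.1.1 FastEthernet0/0
!
! --- PIX 506E (assumed 6.x syntax; verify against the command reference) ---
! Double NAT: present each router to the other on its own connected subnet.
static (inside,outside) 192.168.1.1 10.1.1.1 netmask 255.255.255.255
static (outside,inside) 10.1.1.2 192.168.1.2 netmask 255.255.255.255
! Admit only EIGRP (IP protocol 88) and only between the two router addresses;
! everything else arriving on the outside interface stays blocked.
access-list outside_in permit 88 host 192.168.1.2 host 192.168.1.1
access-group outside_in in interface outside
! The PIX does not learn the EIGRP routes itself (the point made in the last
! reply), so it still needs its own routes for the networks behind each router.
route inside 10.10.0.0 255.255.0.0 10.1.1.1 1
route outside 172.16.0.0 255.255.0.0 192.168.1.2 1
```

Because the PIX proxy-ARPs for the static entries, each router resolves its translated neighbor on the local segment, and routes learned from the far side carry the translated address as next hop.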
Community Member

Re: PIX & EIGRP Networks

I would agree. GRE tunnels tend to defeat the object of having a firewall in the first place. BGP is the most robust option.

Depending on your network topology, the PIX may need to learn these routes too though. You could redistribute EIGRP into RIPv2 on your routers and have the PIX learn those routes? All sounds a bit messy to me though...
