PIX & OSPF recommendation

welcomeccie · ‎11-08-2007

I have the following topology

R1 --Lan--PIX--Lan---R2,R3,R4

I need to configure OSPF .should i pass the ospf through the PIX or configuring the ospf on the pix too? whot does cisco recommend?

Jon Marshall · ‎11-08-2007

Hi

Kind of depends on what mode the firewall is in. If the firewall is running in transparent mode then pass the OSPF traffic through. If it is running in routed mode it needs to participate in OSPF routing.

HTH

Jon

welcomeccie · ‎11-11-2007

The FW is routed mode but is there any problem if i passed the traffic through it may be i need to use PBR on the inside routers

Jon Marshall · ‎11-11-2007

Hi

That is the problem. OSPF expects to form ajacencies with neighbours on the same network but you have another hop between your 2 ospf routers because the firewall is in routed mode. That is why you can run OSPF on the FWSM itself in routed mode to get around this problem.

The only way the 2 ospf routers on either side of your FWSM will see each as neighbours is if the FWSM is in transparent mode ie. the same subnet on either side of the FWSM.

Jon

Jon Marshall · ‎11-11-2007

Apologies, i keep referring to the FWSM (Firewall Services Module) but the same applies to the standalone pix.

Jon

cmcbride · ‎11-14-2007

Wouldn't it be possible to configure a GRE tunnel between the 2 routers through the FWSM/PIX/ASA (allowing the correct ports to go through of course) for OSPF traffic? Seems like that would enable the routers to see each other as neighbors.