We have two main sites with a PIX515 in each site. Both Inside interfaces are on the backbone OSPF area (0) & the Outside interfaces are in different OSPF areas (51 & 53). The two sites are connected together by our internal network on the Inside interfaces. We have a satellite site which connects to both sites on the outside interfaces & the route to this site originates as a RIP2 route & is imported into OSPF & distributed to the PIXes on the outside interface & redistributed to the Inside interface.
The problem we are hitting is that both or one of the PIXes will sometimes decide the route to the satellite site is over the internal network to the other PIX & then to the satellite site (with a cost of 353) rather than straight over the Outside network (cost 30).
In debug you can see the correct Type 5 LSA come in & be used (cost 30). Then the Type 5 LSA comes in straight afterwards on the inside interface as the update goes around the internal network (from the other firewall) & is used as the preferred route (cost 353).
Do PIXes prioritise routing updates from inside networks? Anyone have any ideas why it would behave this way?
The OSPF route preference is in the following order: O, O IA, OE1, OE2. My understanding is that when an inter-area route is learned from two neighbors, OSPF tries to take the shortest path out to the backbone, and it is this behaviour that might be causing the behaviour that you are seeing.
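A small model of the selection order the answer describes, added here as an illustration and not code from the thread or from Cisco. The prefix, costs and interface names are constructed; the OE2 tie-break on the internal cost to the ASBR/forwarding address is the RFC 2328 rule, not something the thread states.

```python
from dataclasses import dataclass

# Preference of OSPF route types as given in the answer: intra-area (O) beats
# inter-area (O IA), which beats external type 1 (OE1), which beats type 2 (OE2).
TYPE_RANK = {"O": 0, "O IA": 1, "OE1": 2, "OE2": 3}


@dataclass(frozen=True)
class Candidate:
    """One possible path to a prefix, as a router holds it before selection."""
    prefix: str
    route_type: str        # one of the keys of TYPE_RANK
    cost: int              # O / O IA / OE1: full path cost; OE2: the external (type 2) metric
    forward_cost: int = 0  # OE2 only: internal cost to the ASBR / forwarding address
    via: str = ""          # interface the path leaves on (constructed labels below)


def sort_key(c):
    # Route type decides first; cost decides among paths of the same type.
    # For OE2 the external metric is compared first and, when equal, the
    # internal forward cost breaks the tie (RFC 2328 section 16.4).
    # forward_cost is left at 0 for the other types, so it never affects them.
    return (TYPE_RANK[c.route_type], c.cost, c.forward_cost)


def select(candidates):
    """Return the candidate that would be installed, or None if there are none."""
    return min(candidates, key=sort_key, default=None)


if __name__ == "__main__":
    # Constructed case 1: the same Type 5 LSA seen via two interfaces. Same type,
    # same external metric, so the lower internal forward cost (outside) wins.
    same_lsa = [
        Candidate("10.99.0.0/24", "OE2", 30, forward_cost=10, via="outside"),
        Candidate("10.99.0.0/24", "OE2", 30, forward_cost=353, via="inside"),
    ]
    print("same type:", select(same_lsa).via)  # outside

    # Constructed case 2: a more-preferred route type on the inside path beats a
    # cheaper OE2 path, which is the effect the answer's ordering describes.
    mixed = [
        Candidate("10.99.0.0/24", "OE2", 30, via="outside"),
        Candidate("10.99.0.0/24", "O IA", 353, via="inside"),
    ]
    print("mixed types:", select(mixed).via)  # inside
```

Comparing what the firewall installs against this ordering (route type first, cost second) tells you whether the 353-cost path is winning on type or on cost.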