I am planning a network upgrade of a existing using Network which uses EIGRP routing. The upgrade calls for the introduction of a PIX Firewall to secure access to several subnets. The problem is the firewall will inhibit EIGRP routing between the existing routers subnets. Is there a recommended method to enable routing to travel thru the Fireall??
EIGRP will not function through the firewall as it is multicast based and needs the neighbor to be directly connected. You can tunnel EIGRP and the traffic through GRE, but then the Pix will no longer function as a useful security device as the transit traffic will be in the tunnel and unable to be inspected by the Pix.
You can use RIP if you want the Pix to participate in the routing process to handle it. YOu can use static routes if you want to avoid the complexity.
You can also use BGP. The Pix doesn't speak BGP, but BGP is unicast based, doesn't need the neighbor to be directly connected, and only requires a single port open between routers. (TCP/179)
A few additions to the above post. If you choose to configure a GRE tunnel for your EIGRP updates, you can configure the endpoints of the tunnel to ONLY send EIGRP related traffic through the tunnel. All other traffic between the two routers can be sent un-encapsulated so that the PIX can see and inspect the traffic.
Also, you can configure your EIGRP routers to send the routing updates via unicast traffic rather than multicast by using the neighbor command. This requires an identity static and permission to pass EIGRP traffic between the two hosts. You may also need to statically assign an ARP entry on the internal router for the outside router that lists the PIX inside MAC address. Kind of a way to fake out the internal router so that he does not ARP for the outside router.
And one other option is to re-distribute your EIGRP into OSPF and run OSPF between your two routers and the PIX (if running 6.3 code).
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...