Well, this is something I wouldn't recommend trying. There are numerous security reasons to avoid running routing protocols through a PIX. I'd suggest just putting both routers in using the IOS firewall and configuring your OSPF as usual. Since your PIX doesn't participate in the routing, the hop will adversely affect it. I've heard some people are doing it with IGRP, but I know Cisco doesn't support it. Has anybody tried this?
I recommend that you carefully evaluate your need for OSPF through a firewall, and see if there isn't another option. It's not that it can't be done. It can, but you create unnecessary security risks by doing so.
The first question I would ask is this: If you don't trust the people on the other side of your firewall, why are you trusting the routing advertisements they send you? They could advertise incorrect routes and bring down your network. It's a powerful denial-of-service attack.
In order to let OSPF through the PIX, you have to create a GRE tunnel through it and run OSPF through the tunnel. I think this is a pretty big hole through the PIX.
Another option is to run BGP across the PIX and redistribute on both ends. This lets you control what routes you advertise, and more importantly, what routes you accept. You can filter so that you don't accept routing advertisements for networks on your side of the PIX, nor advertise networks that don't belong to you.
Another advantage is that you only have to open one TCP port for BGP and then only to the peer addresses -- a relatively small hole.
I assume you are doing this for load-balancing or redundancy or both. I would highly recommend going with BGP as opposed to OSPF or any other IGP. BGP is easy to get through the PIX and you can control all of the route updates.
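
The BGP-with-filtering approach suggested in the replies above, sketched as an added example that is not part of the original thread. All addresses, AS numbers, process IDs and list names are constructed; it assumes the inside router is reachable from the outside as 192.0.2.1 (translation already configured on the PIX) and the outside router is 198.51.100.2. Lines starting with `!` are annotations.

```cisco
! --- Inside router (Cisco IOS), constructed AS 65001, owns 10.1.0.0/16 ---
!
! Inbound policy: never accept our own address space (or any more-specific
! piece of it) from the far side, then accept only the peer's known block.
ip prefix-list FROM-PEER seq 5 deny 10.1.0.0/16 le 32
ip prefix-list FROM-PEER seq 10 permit 10.2.0.0/16 le 24
! Anything not matched above hits the implicit deny and is dropped.
!
! Outbound policy: advertise only networks that belong to us.
ip prefix-list TO-PEER seq 5 permit 10.1.0.0/16 le 24
!
router bgp 65001
 neighbor 198.51.100.2 remote-as 65002
 ! The peer sits behind the PIX on another subnet, so it is not
 ! directly connected (assumption of this example).
 neighbor 198.51.100.2 ebgp-multihop 2
 neighbor 198.51.100.2 prefix-list FROM-PEER in
 neighbor 198.51.100.2 prefix-list TO-PEER out
 ! Redistribute the local IGP into BGP; TO-PEER limits what leaves.
 redistribute ospf 1
!
router ospf 1
 ! Only routes that survived FROM-PEER reach the IGP.
 redistribute bgp 65001 subnets
!
! --- PIX, outside interface ---
! One TCP port (179, BGP), and only between the two peer addresses.
access-list outside_in permit tcp host 198.51.100.2 host 192.0.2.1 eq 179
access-group outside_in in interface outside
```

The far-side router would carry the mirror-image prefix lists, so each end enforces both what it sends and what it accepts.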