235 Views | 0 Helpful | 2 Replies

Sending OSPF Routes Through a PIX

admin_2
Level 3

We're looking at using an Internet VPN as a backup connection between 2 data centers. To handle this dynamically, we'd like to put a router in a DMZ of our PIX 525s and have it share OSPF tables with a router on the inside network of the PIX. In other words, our 6509s make a policy-based routing decision on whether to send traffic out over the private MPLS network or to the DMZ VPN router, which carries it across a VPN to its destination. I'm having trouble finding documentation on how to do this; can anyone assist?

2 Replies

ehirsel
Level 6

If you do not want the PIX firewalls to process the OSPF updates, but instead just forward them between your internal and DMZ routers, this is called sending OSPF through the PIX (instead of to it). This can be done only if you configure GRE tunnels or IPsec tunnels between your internal and DMZ routers.

When configuring ACLs on all of the PIXes to allow the GRE or IPsec traffic, you need to add the rules on both the internal and DMZ interfaces of each PIX that will see the traffic. This is because you cannot determine which router (DMZ or internal) will send the updates first.

If you want to use IPsec, the relevant ACLs would include UDP source port 500 to destination port 500, plus the AH and ESP protocols.

For GRE, just specify the GRE protocol instead of TCP/UDP.

Again, the connection can originate on either end, so you will need the same rules (with source and destination reversed) on the DMZ side as well as the internal side.

Let me know if you have any questions.
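The ACL layout described in the reply above, written out as a PIX 6.x configuration. This is an added example, not configuration posted by anyone in the thread. The addresses (10.1.1.1 for the inside router's tunnel endpoint, 192.0.2.10 for the DMZ router's tunnel endpoint), the interface names `inside` and `dmz`, and the ACL names are assumptions chosen for illustration; the identity `static` is included because a DMZ-originated connection to an inside host needs a translation entry on the PIX.

```cisco
! Added example (not from the thread): PIX 6.x ACLs that let GRE- or
! IPsec-encapsulated OSPF pass between an inside router and a DMZ router.
! All addresses and names below are assumptions for illustration:
!   10.1.1.1   = inside router's tunnel endpoint (assumed)
!   192.0.2.10 = DMZ router's tunnel endpoint (assumed)
!   inside/dmz = the nameif names on this PIX (assumed)

! Identity translation so the DMZ router can reach the inside router's
! real address (DMZ -> inside is lower- to higher-security traffic).
static (inside,dmz) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

! --- Traffic arriving on the DMZ interface (DMZ router initiates) ---
! IPsec: IKE (UDP 500 -> 500), ESP and AH, scoped to the two endpoints only.
access-list acl_dmz permit udp host 192.0.2.10 eq 500 host 10.1.1.1 eq 500
access-list acl_dmz permit esp host 192.0.2.10 host 10.1.1.1
access-list acl_dmz permit ah  host 192.0.2.10 host 10.1.1.1
! GRE alternative (IP protocol 47): keep either the IPsec lines or this one.
access-list acl_dmz permit gre host 192.0.2.10 host 10.1.1.1
access-group acl_dmz in interface dmz

! --- Traffic arriving on the inside interface (inside router initiates) ---
! Same rules with source and destination reversed.
access-list acl_inside permit udp host 10.1.1.1 eq 500 host 192.0.2.10 eq 500
access-list acl_inside permit esp host 10.1.1.1 host 192.0.2.10
access-list acl_inside permit ah  host 10.1.1.1 host 192.0.2.10
access-list acl_inside permit gre host 10.1.1.1 host 192.0.2.10
access-group acl_inside in interface inside
```

Two points to check when applying this. Binding `acl_inside` to the inside interface removes the implicit permit for inside-originated traffic, so any existing outbound permits must be carried into that ACL as well. OSPF itself (IP protocol 89) is never opened on the PIX; it rides inside the tunnel, which is why the rules are scoped to the two tunnel endpoints only. With plain GRE the OSPF updates cross the firewall unencrypted and unauthenticated, so pairing GRE with IPsec, or at minimum enabling OSPF MD5 authentication on the tunnel interfaces, keeps a host in the DMZ from injecting routes into the inside routing table.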

jmia
Level 7

Hi,

Have a read of the following document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

Let me know if this helps.

Jay
