OSPF through a firewall

mulhollandm
Level 1

Folks,

I have two routers, one on either side (inside and outside) of a Symantec SGS firewall.

The outside router connects to a third-party network over a 100 Mb Ethernet circuit.

The inside router connects into my own corporate LAN.

I have the same setup replicated on a backup link, which internal and external traffic will fail over to in the event of a link/router failure on the main link.

My problem:

I'm trying to pass OSPF, protocol number 89, through the firewall, but I'm not having any joy.

Has anyone tried this?

Has anyone any alternative ideas on some mechanism to ensure my internal router knows the external link/router is down?

Thanks to anyone taking the time to reply.

Gratefully appreciated.

5 Replies

pkhatri
Level 11

Hi,

One possible issue I see is that OSPF packets are going to be using the 224.0.0.5/6 multicast addresses. You might want to configure the OSPF network type at both ends to be non-broadcast. That will make the routers use unicast packets, which are more likely to get through.

Hope that helps. Please rate the post if it does.

Paresh

Hello Paresh,

I am not sure this will work, because of IP address issues:

R1(10.1.1.1) - (10.1.1.2)FW(192.168.1.2) - (192.168.1.1)R2

How, in this picture would R1 and R2 form an OSPF adjacency? And even if they could, how would the FW forward the IP packets, when not being part of the OSPF domain?

You could use GRE, but this defeats the purpose of the FW.

To "see" routers being available/unavailable through a firewall, I would use BGP. It will set up a TCP session on port 179, and the FW would see it as any other TCP session. In addition, the routers need not be directly connected. It could look like this:

router bgp 65000
 no synchronization
 no auto-summary
 ! iBGP peer on the far side of the firewall (R1 in the diagram above);
 ! an iBGP session is not restricted to directly connected peers, so the FW can sit in between
 neighbor 10.1.1.1 remote-as 65000
 ! carry the OSPF-learned routes (internal and external) to the peer
 redistribute ospf 10 match internal external

Be careful, however, not to produce a routing loop with mutual redistribution, i.e. apply proper filters.

Also be careful with your FW IP routing not to introduce routing loops/"black holes" there.

Hope this helps! Please rate all posts.

Regards, Martin

You're right Martin... this is a lot more complicated than I initially thought !!

You could still possibly do it if you do a NAT in both directions so that (using your example) the packets from 10.1.1.1 appear on the other side as 192.168.1.x and vice versa...

As far as the firewall is concerned, it does not really have to be part of the OSPF domain as long as you statically configure the routes on either side. Which kinda defeats the purpose of a lot of this...

However, there are probably a lot more issues that I have not thought about yet :-)

Paresh

Another reason this will not work is that the TTL on the OSPF packets is 1, and they would therefore die once they are decremented by the FW.

As Martin suggested, running BGP through the FW is a better option and is very commonly used.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
Cisco México

Folks,

Many thanks for your help and good advice.

I have been able to resolve the issue by upgrading my Symantec SGS to v3 of its OS.

This allows me to run OSPF and process multicasts on individual interfaces, so I have established OSPF neighbours with the routers on either side.

As this is a dedicated router, it doesn't have any routes on it to distribute, and my inside router has a distribution list on it to ensure nothing else is passed to the external router.

Thanks again to all!
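The three objections raised in the thread (Paresh: the hellos go to 224.0.0.5; Harold: they carry TTL 1; Martin: even a unicast hello arrives from a different subnet, so R1 would never form an adjacency) and the eventual fix (the firewall itself speaks OSPF, so it accepts the hello on its own interface) can all be checked against real packet bytes. The following is an added example and not code from the thread or from Symantec or Cisco: a pure-Python model of a routed firewall hop using Martin's addresses (R1 10.1.1.1, FW 10.1.1.2/192.168.1.2, R2 192.168.1.1). The packet builders, the `RULES` table and the `demo()` scenarios are assumptions for illustration; nothing is sent on the wire.

```python
# Added example (not from the thread): model what a routed firewall between
# R1 and R2 does with an OSPF hello versus a BGP session, in pure Python.
# Addresses follow Martin's diagram; the rule table is assumed for illustration.
import ipaddress
import struct

OSPF_PROTO = 89
TCP_PROTO = 6
BGP_PORT = 179
ALL_SPF_ROUTERS = "224.0.0.5"                            # hello destination on broadcast links
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # routers never forward this range

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by IPv4 and OSPF; 0 on a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """IPv4 packet with a 20-byte option-less header and a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"ttl": pkt[8], "proto": pkt[9], "src": ipaddress.ip_address(pkt[12:16]),
            "dst": ipaddress.ip_address(pkt[16:20]),
            "header_ok": inet_checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:]}

def build_ospf_hello(router_id: str, area_id: str, mask: str = "255.255.255.0") -> bytes:
    """OSPFv2 Hello (type 1), null authentication, no neighbours listed (RFC 2328 A.3.2)."""
    body = struct.pack("!4sHBBI4s4s", ipaddress.ip_address(mask).packed, 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)   # mask, hello, options, priority, dead, DR, BDR
    hdr = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), ipaddress.ip_address(router_id).packed,
                      ipaddress.ip_address(area_id).packed, 0, 0)  # checksum and autype zeroed
    csum = inet_checksum(hdr + body)              # covers everything except the 8-byte auth field
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + b"\x00" * 8 + body

def parse_ospf(data: bytes) -> dict:
    """Decode the OSPFv2 header and verify the checksum (auth field excluded)."""
    ver, ptype, length, rid, aid, _csum, _autype = struct.unpack("!BBH4s4sHH", data[:16])
    return {"version": ver, "type": ptype, "router_id": str(ipaddress.ip_address(rid)),
            "area_id": str(ipaddress.ip_address(aid)),
            "checksum_ok": inet_checksum(data[:16] + data[24:length]) == 0}

def ospf_hello_accepted(local_ip: str, local_mask: str, pkt: bytes, ptp: bool = False) -> tuple:
    """RFC 2328 s8.2: except on point-to-point links, the hello's source must share the
    receiving interface's subnet and carry the same mask, or the hello is discarded."""
    ip = parse_ipv4(pkt)
    subnet = ipaddress.ip_interface("%s/%s" % (local_ip, local_mask)).network
    if not ptp and ip["src"] not in subnet:
        return False, "hello from %s is off-subnet for %s" % (ip["src"], subnet)
    if str(ipaddress.ip_address(ip["payload"][24:28])) != local_mask:
        return False, "network mask mismatch"
    return True, "hello accepted"

def firewall_forward(pkt: bytes, rules: list) -> tuple:
    """A routed firewall hop: header checksum, multicast scope, TTL, then the rule table.
    Rules are (proto, src_net, dst_net, dst_port_or_None). Returns (forwarded, reason)."""
    ip = parse_ipv4(pkt)
    if not ip["header_ok"]:
        return False, "bad IPv4 header checksum"
    if ip["dst"] in LINK_LOCAL_MCAST:
        return False, "link-local multicast %s is never forwarded" % ip["dst"]
    if ip["ttl"] <= 1:
        return False, "TTL expired in transit (OSPF sends with TTL 1)"
    dport = struct.unpack("!H", ip["payload"][2:4])[0] if ip["proto"] == TCP_PROTO else None
    for proto, src_net, dst_net, port in rules:
        if (proto == ip["proto"] and ip["src"] in src_net and ip["dst"] in dst_net
                and port in (None, dport)):
            return True, "permitted, forwarded with TTL %d" % (ip["ttl"] - 1)
    return False, "no rule permits protocol %d to %s" % (ip["proto"], ip["dst"])

# Assumed firewall policy: permit BGP from R2's side to R1, and OSPF from anywhere.
RULES = [
    (TCP_PROTO, ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.1.1.0/24"), BGP_PORT),
    (OSPF_PROTO, ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"), None),
]

def demo() -> dict:
    """Three constructed packets from R2 (192.168.1.1) heading toward R1 (10.1.1.1)."""
    hello = build_ospf_hello("192.168.1.1", "0.0.0.0")
    bgp_syn = struct.pack("!HHIIBBHHH", 40000, BGP_PORT, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    cases = {
        "ospf hello, multicast": build_ipv4("192.168.1.1", ALL_SPF_ROUTERS, OSPF_PROTO, 1, hello),
        "ospf hello, unicast (network-type non-broadcast)":
            build_ipv4("192.168.1.1", "10.1.1.1", OSPF_PROTO, 1, hello),
        "bgp syn, iBGP default ttl": build_ipv4("192.168.1.1", "10.1.1.1", TCP_PROTO, 255, bgp_syn),
    }
    return {name: firewall_forward(pkt, RULES) for name, pkt in cases.items()}
```

Calling `demo()` drops the multicast hello (scope), drops the unicast hello (TTL 1 expires on the FW hop) and forwards the BGP SYN. Raising the hello's TTL to 2 gets it through the rule table, but `ospf_hello_accepted("10.1.1.1", "255.255.255.0", pkt)` still rejects it as off-subnet, which is Martin's objection; the same hello is accepted by the FW's own 192.168.1.2 interface, which is what the v3 upgrade in the final post achieves. Note that Martin's config is iBGP (both routers in AS 65000), whose packets are sent with TTL 255; an eBGP session between different AS numbers defaults to TTL 1 and would need `neighbor ... ebgp-multihop` to cross the firewall.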
