09-27-2006 04:41 AM - edited 03-03-2019 02:08 PM
I have a VPN tunnel set up between a Watchguard Firebox and a Cisco ASA (7.1).
Since IPSec won't allow multicast traffic, how do I get the routers on the ASA side populated via OSPF?
I added the route to an OSPF router, but since it's a link-state protocol, it doesn't watch the routing table (correct?).
I do have a 1710 on the Watchguard side, but am unsure how to set it up not to multicast.
Also, since the VPN tunnel won't stay up until it sees interesting traffic, won't OSPF remove the route?
Has anyone had to deal with this kind of setup? Any advice is appreciated.
Thanks in advance!
Aaron
09-27-2006 04:51 AM
Hi,
maybe that could help you:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
HTH
Andrea
09-28-2006 08:09 PM
Hi Andrea,
Thanks for the link. Unfortunately, I've already scoured that doc. It assumes PIX on each side, since Cisco placed, in its bag of tricks, workarounds for OSPF in the PIX.
Since one side is a Watchguard, I'm having a little trouble.
I'm pondering about building a GRE tunnel from the 1710 on the Watchguard side, to a 4510 on the PIX side, using the IPSec tunnel merely as a transport.
Anybody think that will work?
~~Aaron
09-28-2006 09:59 PM
The doc should fix the problem; it was because the router is outside the firewall and is not the termination point of the VPN. You simply build the GRE between two routers, ensure the traffic of the GRE tunnel will pass via the IPSEC tunnel, and enable OSPF (or another routing protocol or application) in the GRE tunnel. Then there will be no problem.
The routers just treat the connection to the firewall as a path to the remote side.
However, if you want to use the router for the IPSEC tunnel at the same time, it should work too, but it is more complicated and difficult to troubleshoot. And you already have the IPSEC at the firewall, so just keeping it and modifying the router is simpler.
Hope this helps.
09-29-2006 02:25 PM
You are right. The doc I was talking about was two ASAs side-by-side with an IPSec tunnel. Cisco has the ASAs doing something different, so I wouldn't have to build a GRE tunnel.
Looking over it again, it was the right doc. Thanks for making me take a second look!
cheers!
~~Aaron
10-02-2006 05:14 PM
It is good that it suits you. Please feel free to let us know the result after you have tested it. :)
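The GRE-over-IPSec arrangement described in the 09-28-2006 09:59 PM reply, sketched as an added example that is not part of any post in this thread. Every address, interface number, ACL name and OSPF process ID below is a constructed placeholder; the Watchguard side needs an equivalent policy that is not shown.

```cisco
! --- Router A: the 1710 behind the Watchguard (constructed LAN address 10.1.1.2,
! --- firewall inside address 10.1.1.1)
interface Tunnel0
 description GRE to Router B, carried inside the firewall-to-firewall IPSec tunnel
 ip address 172.16.0.1 255.255.255.252
 ! leave headroom for the GRE and IPSec headers added along the path
 ip mtu 1400
 tunnel source 10.1.1.2
 tunnel destination 10.2.2.2
!
! Pin the tunnel endpoint to the firewall path. Without this, the peer's LAN
! can be learned through Tunnel0 itself and the tunnel flaps (recursive routing).
ip route 10.2.2.2 255.255.255.255 10.1.1.1
!
router ospf 1
 ! OSPF adjacency forms over the tunnel, so hellos travel as unicast GRE packets
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
! --- Router B: the router behind the ASA (constructed LAN address 10.2.2.2,
! --- ASA inside address 10.2.2.1)
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 tunnel source 10.2.2.2
 tunnel destination 10.1.1.2
!
ip route 10.1.1.2 255.255.255.255 10.2.2.1
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.255 area 0
!
! --- ASA: the crypto ACL must match the GRE packets between the two routers,
! --- otherwise the routing traffic is not carried by the IPSec tunnel at all
access-list GRE-VPN extended permit gre host 10.2.2.2 host 10.1.1.2
```

GRE provides no confidentiality or integrity of its own, so the firewall policy on both sides should match only the router-to-router GRE flow and send it through the IPSec tunnel. Periodic OSPF hellos inside the GRE tunnel also count as traffic matching that policy.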