topic Re: PIX and OSPF in Network Security

PIX and OSPF

PAUL CHEN — Fri, 21 Feb 2020 07:26:02 GMT

Hi Everyone

I have this scenario, i actually took a incomplete sample out of some CCO documentation :

R1 ---------outside -- PiX -------- inside----- R2

DMZ

I am trying to establish OSPF neighbors with the routers R1 , R2 and R3 - they are all separated by a PIX firewall.

Neighbors will not form. Can I get away with not configuring OSPF on the PIX ?

From R1 I can ping the outside interface of the PIX - Why is it that I cannot ping R1's interface from the PIX ?

From R2 I can also ping the inside interface of the PIX but not vice-versa.

I am still new to the PIX and I don't have a clue as to why this is not working.

Any help is much appreciated.

Thanks.

Paul

Here are the configs:

R1:

int e0

ip add 1.1.1.2 255.255.255.0

router ospf 1

network 1.1.1.0 0.0.0.255 area 0

R2:

int e0

ip add 10.0.0.2 255.0.0.0

router ospf 1

network 10.0.0.0 0.255.255.255 area 10

R3:

int e0

ip add 192.168.1.2 255.255.255.0

router ospf 1

network 192.168.1.0 0.0.0.255 area 192

PIX --------------------------------------------------

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 1.1.1.1 255.255.255.0 ip address inside 10.0.0.1 255.0.0.0 ip address dmz 192.168.1.1 255.255.255.0

static (inside,outside) 1.1.1.2 10.0.0.2 netmask 255.255.255.255 0 0 static (dmz,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255 0 0

global (outside) 1 1.1.1.4-1.1.1.254

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

access-list 101 permit ospf any any

access-list 101 permit icmp any any

access-group 101 in interface outside

access-group 101 in interface inside

access-group 101 in interface dmz

sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list 101; 2 elements

access-list 101 line 1 permit ospf any any (hitcnt=0) access-list 101 line 2 permit icmp any any (hitcnt=0)

Re: PIX and OSPF

rais — Wed, 02 Jun 2004 08:54:35 GMT

I can't understand this command:

static (inside,outside) 1.1.1.2 10.0.0.2 netmask 255.255.255.255 0 0

You are translating to an address that is already being used by the router.

For OSPF, try using OSPF neighbor command in routers to explicitly specify the neighbor to which ospf LSAs should be sent.

Thanks.

Re: PIX and OSPF

ehirsel — Wed, 02 Jun 2004 09:58:57 GMT

The pix will not allow routing protocol updates to flow thru it, due to the multicast addresses being used. You could tunnel the OSPF advertisements between the routers using GRE, and modify the acl on the pix to permit the GRE protocol. An alternative would be to use the ospf neighbor command to modify the ospf packet to use ip unicast instead of multicast source and dest addresses. In that case the acls would change to: permit ip host router-source host router-dest.

If you want to run ospf on the pix, I refer you to the cisco web site for the pix 6.3 doc as using NAT does have implications on the ospf process.

Since the PIX is used as the gateway between all of the routers, unless there is a need to run OSPF between the routers directly, or between the routers and the pix, the route path is pretty clear cut:

The pix uses R1 as the default gateway, R3 for dmz hosts and R2 for inside hosts. R2 and R3 use the pix as the default gateway. R1 uses the pix for internal and dmz networks.