<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PIX default and RIP routing in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132141#M622574</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;From the following reference about the PIX :&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"Both the inside and perimeter networks are protected with the PIX&amp;nbsp;Firewall's Adaptive Security Algorithm (ASA). The inside, perimeter, and outside interfaces can listen to RIP routing updates, and all interfaces can broadcast a RIP default route if required."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also from the same reference:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"RIP Version 2&lt;/P&gt;&lt;P&gt;Routing Information Protocol (RIP) version 2 provides MD5 authentication of encryption keys. The PIX&amp;nbsp;Firewall only listens in passive mode and/or broadcasts a default route. The PIX&amp;nbsp;Firewall supports Cisco IOS software standards, which conform to RFC 1058, RFC 1388, and RFC 2082 of RIPv2 with text and keyed MD5 authentication. The PIX&amp;nbsp;Firewall supports one key and key ID per interface. 
While the key has an infinite lifetime, for best security, you should change the key every two weeks or sooner."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And from the following reference : &lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb71e.html" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb71e.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You have the most interesting part:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"Overview&lt;/P&gt;&lt;P&gt;Each inside or perimeter PIX&amp;nbsp;Firewall interface is configurable for route and Routing Information Protocol (RIP) information. To determine what route information is required, consider what routers are in use in your network and are adjacent to the planned installation point of the PIX&amp;nbsp;Firewall.&lt;/P&gt;&lt;P&gt;Specifying a route tells the PIX&amp;nbsp;Firewall where to send information that is forwarded on a specific interface and destined for a particular network address. You can specify more than one route per interface, which lets you control where to send network traffic. Refer to the route command page in the Cisco&amp;nbsp;PIX&amp;nbsp;Firewall Command Reference for more information.&lt;/P&gt;&lt;P&gt;The PIX&amp;nbsp;Firewall learns where everything is on the network by "passively" listening for RIP network traffic. When the PIX&amp;nbsp;Firewall interface receives RIP traffic, the PIX&amp;nbsp;Firewall updates its routing tables. You can also configure the PIX&amp;nbsp;Firewall to broadcast an inside or perimeter interface as a "default" route. Broadcasting an interface as a default route is useful if you want all network traffic on that interface to go out through that interface. 
Refer to the rip command page in the Cisco&amp;nbsp;PIX&amp;nbsp;Firewall Command Reference for configuration information."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope it helps you&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Benoit&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 29 Nov 2002 02:06:20 GMT</pubDate>
    <dc:creator>bdube</dc:creator>
    <dc:date>2002-11-29T02:06:20Z</dc:date>
    <item>
      <title>PIX default and RIP routing</title>
      <link>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132139#M622569</link>
      <description>&lt;P&gt;Is there any way that I can use my RIP learned route from my outside interface and propagate that default route out my inside interface? The inside default command will just send a default route to my inside router even if the PIX does not have a default route. My goal is to have the router on the inside of the PIX get a dynamic default route and then have that route go away when my router on the outside interface of the PIX goes away.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The only other way I know would be to use BGP, but I would rather not go there since I do not have an AS and I do not have control of the outside routers.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 06:24:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132139#M622569</guid>
      <dc:creator>TOM EVANS</dc:creator>
      <dc:date>2020-02-21T06:24:07Z</dc:date>
    </item>
    <item>
      <title>Re: PIX default and RIP routing</title>
      <link>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132140#M622572</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;PIX is not a router.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Unfortunately PIX does not know how to handle routing updates (and rightfully so, since this is a security risk).&lt;/P&gt;&lt;P&gt;Is the PIX protected network a stub network? If so all its hosts (including routers) will have as a default gw the inside interface IP address removing the need for dynamic routing on the inside.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If not (i.e. you have multiple connections to the outside) each of them should be firewalled and you definitely need to apply for an AS and run BGP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Fabio Sardone&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 27 Nov 2002 19:36:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132140#M622572</guid>
      <dc:creator>fabios</dc:creator>
      <dc:date>2002-11-27T19:36:42Z</dc:date>
    </item>
    <item>
      <title>Re: PIX default and RIP routing</title>
      <link>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132141#M622574</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;From the following reference about the PIX :&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"Both the inside and perimeter networks are protected with the PIX&amp;nbsp;Firewall's Adaptive Security Algorithm (ASA). The inside, perimeter, and outside interfaces can listen to RIP routing updates, and all interfaces can broadcast a RIP default route if required."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also from the same reference:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"RIP Version 2&lt;/P&gt;&lt;P&gt;Routing Information Protocol (RIP) version 2 provides MD5 authentication of encryption keys. The PIX&amp;nbsp;Firewall only listens in passive mode and/or broadcasts a default route. The PIX&amp;nbsp;Firewall supports Cisco IOS software standards, which conform to RFC 1058, RFC 1388, and RFC 2082 of RIPv2 with text and keyed MD5 authentication. The PIX&amp;nbsp;Firewall supports one key and key ID per interface. 
While the key has an infinite lifetime, for best security, you should change the key every two weeks or sooner."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And from the following reference : &lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb71e.html" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb71e.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You have the most interesting part:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"Overview&lt;/P&gt;&lt;P&gt;Each inside or perimeter PIX&amp;nbsp;Firewall interface is configurable for route and Routing Information Protocol (RIP) information. To determine what route information is required, consider what routers are in use in your network and are adjacent to the planned installation point of the PIX&amp;nbsp;Firewall.&lt;/P&gt;&lt;P&gt;Specifying a route tells the PIX&amp;nbsp;Firewall where to send information that is forwarded on a specific interface and destined for a particular network address. You can specify more than one route per interface, which lets you control where to send network traffic. Refer to the route command page in the Cisco&amp;nbsp;PIX&amp;nbsp;Firewall Command Reference for more information.&lt;/P&gt;&lt;P&gt;The PIX&amp;nbsp;Firewall learns where everything is on the network by "passively" listening for RIP network traffic. When the PIX&amp;nbsp;Firewall interface receives RIP traffic, the PIX&amp;nbsp;Firewall updates its routing tables. You can also configure the PIX&amp;nbsp;Firewall to broadcast an inside or perimeter interface as a "default" route. Broadcasting an interface as a default route is useful if you want all network traffic on that interface to go out through that interface. 
Refer to the rip command page in the Cisco&amp;nbsp;PIX&amp;nbsp;Firewall Command Reference for configuration information."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope it helps you&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Benoit&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Nov 2002 02:06:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132141#M622574</guid>
      <dc:creator>bdube</dc:creator>
      <dc:date>2002-11-29T02:06:20Z</dc:date>
    </item>
    <item>
      <title>Re: PIX default and RIP routing</title>
      <link>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132142#M622576</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for your reply, but I should be able to use a private AS # between Ethernets on the outside internet router and inside router. I can put a static route with my serial interface on the internet router and redistribute the static into BGP and send that through the PIX (port 179), NAT on the PIX and then put a static route to my public address on the inside router. This should at least eliminate the need for a public AS.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Nov 2002 15:37:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-default-and-rip-routing/m-p/132142#M622576</guid>
      <dc:creator>TOM EVANS</dc:creator>
      <dc:date>2002-11-29T15:37:00Z</dc:date>
    </item>
  </channel>
</rss>

