<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Routing OSPF through PIX in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/605#M689459</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I assume you are doing this for load-balancing or redundancy or both.  I would highly recommend going with BGP as opposed to OSPF or any other IGP.  BGP is easy to get through the PIX and you can control all of the route updates.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 30 Oct 2000 21:38:22 GMT</pubDate>
    <dc:creator>cdbush</dc:creator>
    <dc:date>2000-10-30T21:38:22Z</dc:date>
    <item>
      <title>Routing OSPF through PIX</title>
      <link>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/601#M689455</link>
      <description>&lt;P&gt;I have a need to route OSPF through a PIX firewall.  We are using 7000 routers on either side of the firewall and are not using NAT.  What are the options, if any, to pass OSPF routing updates?&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 05:46:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/601#M689455</guid>
      <dc:creator>8dpurkey</dc:creator>
      <dc:date>2020-02-21T05:46:24Z</dc:date>
    </item>
    <item>
      <title>Re: Routing OSPF through PIX</title>
      <link>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/602#M689456</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Well, this is something I wouldn't recommend trying.  There are numerous security reasons to avoid running routing protocols through a PIX.  I'd suggest just putting both routers in using IOS firewall and configure your OSPF as usual.  Since your PIX doesn't participate in the routing, the hop will adversely affect it.  I've heard some people are doing it with IGRP, but I know Cisco doesn't support it.  Has anybody tried this?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Oct 2000 15:53:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/602#M689456</guid>
      <dc:creator>wdrootz</dc:creator>
      <dc:date>2000-10-25T15:53:58Z</dc:date>
    </item>
    <item>
      <title>Re: Routing OSPF through PIX</title>
      <link>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/603#M689457</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I recommend that you carefully evaluate your need for OSPF through a firewall, and see if there isn't another option.  It's not that it can't be done.  It can, but you create unnecessary security risks by doing so.&lt;/P&gt;&lt;P&gt;The first question I would ask is this:  If you don't trust the people on the other side of your firewall, why are you trusting the routing advertisements they send you?  They could advertise incorrect routes and bring down your network.  It's a powerful denial-of-service attack.&lt;/P&gt;&lt;P&gt;In order to let OSPF through the PIX, you have to create a GRE tunnel through it and run OSPF through the tunnel.  I think this is a pretty big hole through the PIX.&lt;/P&gt;&lt;P&gt;Another option is to run BGP across the PIX and redistribute on both ends.  This lets you control what routes you advertise, and more importantly, what routes you accept.  You can filter so that you don't accept routing advertisements for networks on your side of the PIX, nor advertise networks that don't belong to you.&lt;/P&gt;&lt;P&gt;Another advantage is that you only have to open one TCP port for BGP and then only to the peer addresses -- a relatively small hole.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2000 19:35:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/603#M689457</guid>
      <dc:creator>rtrunk</dc:creator>
      <dc:date>2000-10-26T19:35:29Z</dc:date>
    </item>
    <item>
      <title>Re: Routing OSPF through PIX</title>
      <link>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/604#M689458</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OSPF requires adjacency. Why not try a GRE or IPSEC tunnel from router to router?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2000 19:37:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/604#M689458</guid>
      <dc:creator>jtiso</dc:creator>
      <dc:date>2000-10-26T19:37:20Z</dc:date>
    </item>
    <item>
      <title>Re: Routing OSPF through PIX</title>
      <link>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/605#M689459</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I assume you are doing this for load-balancing or redundancy or both.  I would highly recommend going with BGP as opposed to OSPF or any other IGP.  BGP is easy to get through the PIX and you can control all of the route updates.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 30 Oct 2000 21:38:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/routing-ospf-through-pix/m-p/605#M689459</guid>
      <dc:creator>cdbush</dc:creator>
      <dc:date>2000-10-30T21:38:22Z</dc:date>
    </item>
  </channel>
</rss>

