OSPF hello not passed through transparent firewall

jorg.ramakers
Level 1

Hi,

We have a transparent firewall (fwsm) between 2 ospf neighbors.

Although the ospf neighborship is formed and the ospf neighbors are placed in FULL state, the neighborship is torn down after the dead timer expires.

It seems to me that ospf hello is not passed through firewall.

To make sure all traffic is allowed, I opened ip instead of ip protocol 89 in the access-list.

The firewall permit rules are:

access-list outside_access_in line 4 extended permit ip host <ip outside vlan ip 1> host 224.0.0.5
access-list outside_access_in line 5 extended permit ip host <ip outside vlan ip 1> host 224.0.0.6
access-list outside_access_in line 6 extended permit ip host <ip outside vlan ip 1> host <ip inside host ip 1>
access-list outside_access_in line 7 extended permit ip host <ip outside vlan ip 1> host <ip inside host ip 2>
access-list outside_access_in line 8 extended permit ip host <ip outside vlan ip 1> host <inside loopback host>
access-list outside_access_in line 9 extended permit ip host <ip outside vlan ip 2> host 224.0.0.5
access-list outside_access_in line 10 extended permit ip host <ip outside vlan ip 2> host 224.0.0.6
access-list outside_access_in line 11 extended permit ip host <ip outside vlan ip 2> host <ip inside host ip 1>
access-list outside_access_in line 12 extended permit ip host <ip outside vlan ip 2> host <ip inside host ip 2>
access-list outside_access_in line 13 extended permit ip host <ip outside vlan ip 2> host <inside loopback host>
access-list outside_access_in line 14 extended permit ip host 224.0.0.5 host 224.0.0.5
access-list outside_access_in line 15 extended permit ip host 224.0.0.5 host 224.0.0.6
access-list outside_access_in line 16 extended permit ip host 224.0.0.5 host <ip inside host ip 1>
access-list outside_access_in line 17 extended permit ip host 224.0.0.5 host <ip inside host ip 2>
access-list outside_access_in line 18 extended permit ip host 224.0.0.5 host <inside loopback host>
access-list outside_access_in line 19 extended permit ip host 224.0.0.6 host 224.0.0.5
access-list outside_access_in line 20 extended permit ip host 224.0.0.6 host 224.0.0.6
access-list outside_access_in line 21 extended permit ip host 224.0.0.6 host <ip inside host ip 1>
access-list outside_access_in line 22 extended permit ip host 224.0.0.6 host <ip inside host ip 2>
access-list outside_access_in line 23 extended permit ip host 224.0.0.6 host <inside loopback host>
access-list outside_access_in line 24 extended permit ip host <router id 1> host 224.0.0.5
access-list outside_access_in line 25 extended permit ip host <router id 1> host 224.0.0.6
access-list outside_access_in line 26 extended permit ip host <router id 1> host <ip inside host ip 1>
access-list outside_access_in line 27 extended permit ip host <router id 1> host <ip inside host ip 2>
access-list outside_access_in line 28 extended permit ip host <router id 1> host <inside loopback host>
access-list outside_access_in line 29 extended permit ip host <router id 2> host 224.0.0.5
access-list outside_access_in line 30 extended permit ip host <router id 2> host 224.0.0.6
access-list outside_access_in line 31 extended permit ip host <router id 2> host <ip inside host ip 1>
access-list outside_access_in line 32 extended permit ip host <router id 2> host <ip inside host ip 2>
access-list outside_access_in line 33 extended permit ip host <router id 2> host <inside loopback host>

Inside is the same access-list, permitting from inside to outside.

The weird thing is that the neighborships are placed in FULL state; after the dead timer expires, OSPF goes from INIT to FULL state again, until the dead timer expires once more.

Anyone have an idea?

Best regards

J

1 Reply

ajay chauhan
Level 7

Your ACLs should look like this.

For OSPF:

access-list inside permit ospf host ( inside source ) host 224.0.0.5
( this access-list is for hello packets )
access-list inside permit ospf host ( inside source ) host 224.0.0.6
( the DR sends updates on this port )
access-list inside permit ospf host ( inside source ) host ( outside source )
access-group inside in interface inside
access-list outside permit ospf host ( outside source ) host 224.0.0.5
access-list outside permit ospf host ( outside source ) host 224.0.0.6
access-list outside permit ospf host ( outside source ) host ( inside source )
access-group outside in interface outside
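An added example, not from either poster, of a small checker for ACL lines in the "access-list NAME [line N] [extended] permit PROTO host A host B" form used in this thread: it evaluates whether an OSPF packet would be permitted by a named list in each direction and flags rules whose source is a multicast address (such rules can never match, since multicast addresses are never used as a source). The addresses 10.0.0.1 and 10.0.0.2 are constructed stand-ins for the placeholders in the question.

```python
# Added example (not the original poster's or the reply's code): parse the
# ACL line format quoted in this thread and check OSPF reachability per list.
# Addresses are constructed: 10.0.0.1 stands in for <ip outside vlan ip 1>,
# 10.0.0.2 for <ip inside host ip 1>.
import ipaddress

OSPF = 89  # IP protocol number for OSPF

SAMPLE_ACL = """
access-list outside_access_in line 4 extended permit ip host 10.0.0.1 host 224.0.0.5
access-list outside_access_in line 14 extended permit ip host 224.0.0.5 host 224.0.0.5
access-list inside_access_in permit ospf host 10.0.0.2 host 224.0.0.5
access-list inside_access_in permit ospf host 10.0.0.2 host 10.0.0.1
"""

def parse_acl(text):
    """Return (name, action, proto, src, dst) tuples for each access-list line."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "access-list":
            continue
        i = 2
        if tok[i] == "line":        # optional 'line N' (shown on the FWSM)
            i += 2
        if tok[i] == "extended":    # optional keyword, absent in the reply
            i += 1
        action, proto = tok[i], tok[i + 1]
        if tok[i + 2] != "host" or tok[i + 4] != "host":
            raise ValueError("only the 'host A host B' form is supported: " + line)
        rules.append((tok[1], action, proto, tok[i + 3], tok[i + 5]))
    return rules

def proto_matches(rule_proto, pkt_proto):
    """'ip' matches any protocol; 'ospf' matches protocol 89 only."""
    return rule_proto == "ip" or (rule_proto == "ospf" and pkt_proto == OSPF)

def evaluate(rules, acl_name, src, dst, proto):
    """First-match evaluation of one named list, implicit deny at the end."""
    for name, action, rproto, rsrc, rdst in rules:
        if name != acl_name:
            continue
        if proto_matches(rproto, proto) and rsrc == src and rdst == dst:
            return action
    return "deny"

def unmatchable_rules(rules):
    """Rules with a multicast source can never match real traffic."""
    return [r for r in rules if ipaddress.ip_address(r[3]).is_multicast]
```

Running evaluate() for 224.0.0.5 (hellos), 224.0.0.6 (DR updates) and the unicast neighbor address against both the inside and outside list shows at a glance which of the three OSPF flows the reply lists is missing in a direction.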
