Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
646
Views
0
Helpful
4
Replies

OSPF routing on PIX

gsebk
Level 1
Level 1

‎04-07-2004 01:12 AM - edited ‎02-20-2020 11:19 PM

Hi all,

I'm not too familiar with the new OSPF routing function on ver. 6.3. I should solve that a few PIXs can advertise their inside subnets for the other PIXs. The firewalls are connected with their outside interface to the internet (PPPoE, ADSL). So the firewalls' outside interfaces have real public internet addresses, there are no routers that terminate the internet connections (since the connection is RJ45).

My question is: how could I manage to use OSPF among the firewalls on the internet? There is no "neighbor" command on the PIX. How could I manage that the PIXs build neighbor relationship only with each other?

0 Helpful
4 Replies 4

ehirsel
Level 6
Level 6

‎04-09-2004 05:20 AM

The following link should be useful for you:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1112559

This is the link to the pix 6.3.3 document that deals with establishing connectivity to and from the pix. There is some detailed examples of ospf configuration and some of the restrictions of running ospf on the pix, namely if you are using public and private addresses you will need to run two ospf processes so that you don't advertise your private addresses to public networks and vice versa.

To answer your last question, you will need to configure ospf authentication using md5 keys to protect your pixen from getting updates from invalid sources; all your pixen will need to use the same key. This is better than using neighbor as it provides protection against ip address spoofing.

To help answer your other question in detail, if the doc that I mentioned earler is not enough, can you provide a sample topology? In particular will all of the firewalls connect to the internet, or only some?

I hope this helps, Ed Hirsel

0 Helpful

gsebk
Level 1
Level 1
In response to ehirsel

‎04-09-2004 05:33 AM

Tahnks a lot for your answer.

All the PIX devices are connected to the internet directly.

The main problems are not the authentication and the spoofing but how will find the pix devices each other on the internet. That's why the neighbor function would be good. The other solution could be the GRE tunnelling and through the tunnels the OSPF could build neighbor relationships only with our desired PIX devices. Anyway the PIX doesn't support this feature.

So as I see, the OSPF function wasn't find out for standalone PIX configurations on the internet.

Regards,

Gabor

0 Helpful

scoclayton
Level 7
Level 7
In response to gsebk

‎04-09-2004 06:01 AM

Correct. The OSPF implementation in the PIX only supports multicast updates. As we know, most ISP's are going to block OSPF updates across their networks. PIX OSPF was designed for large enterprise customers that needed to add routing capabilities to PIX's in their network. Sorry if this is a problem.

Scott

0 Helpful

gsebk
Level 1
Level 1
In response to scoclayton

‎04-09-2004 11:54 AM

Scott, anyway it would be nice to have the possibility to push the OSPF traffic into a VPN tunnel. The enterprise customers that have multiple premises would appriciate this function.

Thanx for infos.

Regards,

Gabor

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card