Re: Pix 6.3 and OSPF routes

akohli · ‎05-16-2003

I have turned on OSPF on the PIX. I have two different areas - 100 on the outside and area 0 on the inside. But, the routes from the inside are showing on the dmz routers. Is there any command on the pix to stop you from doing this?

owillins · ‎05-22-2003

The PIX firewall would have to be configured as an ABR with NAT enabled on the inside interface, NAT disabled on the DMZ, and all interfaces running OSPF in order to filter Type 3 LSAs. Guess you have configured it as an ASBR in which case the routes would be seen on the DMZ also. For the configuration details, use the information in the following document:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1112847

akohli · ‎05-23-2003

HI,

Thanks for the config. It is something to what I was looking for. I am having a little difficulty understanding how the filter list makes the inside area an ABR. In my network the situation is reveresed. I have area 0 which is on the inside, and area 100 on the outside. Everything on the inside gets NAT'd to the outside. If I was to place a prefix-list on area 100, then I presume I would have to say something like

ip add outside x.x.x.0 / 24

ip add inside y.y.y.0 / 24

router ospf 1

area 100 filter-list prefix ten out

prefix-list ten deny y.y.y.0/24

prefix-list ten permit x.x.x.0/24 {as there is a second backup pix on the same segment for failover - these are 506E}

Am I correct in the assumption? I presume this would prevent the inside networks from being advertised to area 100 on the outside?

paulo.roque · ‎05-23-2003

Hi,

I think you can't filter a route from being advertised in link-state routing protocols, since they do not exchange route, they exchange topology database from which the routes are calculated. In a OSPF router you can't do that. But you can filter routes incoming routes, that is, the route will be present in topology database, but will not be put in the routing table.

Paulo