09-30-2003 06:35 AM - edited 02-20-2020 11:01 PM
My question is: if both of the networks that our PIX (506E, ver 6.3) is sitting between are running EIGRP, do I need to do anything to the ports on the routers that connect to the PIX? Like setting those ports to passive listening?
09-30-2003 07:03 AM
I am not sure whether PIX SecureOS 6.3 will pass EIGRP multicast traffic or not, but I know for sure ver 6.2 and older won't.
The way we used to do it in such cases is to build a tunnel across the PIX between the two routers in question.
09-30-2003 07:14 AM
Right, I guess a better wording of my question would be: "How do I turn off the EIGRP updates on the routers that connect to the PIX?"
I plan on entering static IPs into the PIX to move the traffic through it but don't want to get errors with EIGRP updates.
09-30-2003 08:34 AM
Do you mean "passive-interface"? If you want to turn off the EIGRP announcements from the routers themselves, just configure your interface as a passive-interface (under your router eigrp xxx configuration).
09-30-2003 08:51 AM
Ah, yes, that is what I meant. Thank you!! But you made a good point in regards to tunneling EIGRP through the PIX. Since it sounds like that is what you have done, would you recommend doing that over passive-interface on the routers that connect to the PIX?
09-30-2003 02:54 PM
Oh yeah, you can make the router Ethernet interface (the one connected to the PIX) a passive interface and exchange EIGRP routing info through the tunnel interface; the Ethernet in this case will not interfere with EIGRP at all.
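For the record, here is what the passive-interface plus GRE tunnel arrangement from the two replies above looks like in IOS. This is an added example, not configuration posted in the thread: the addresses, interface names, AS number and PIX lines are all assumed, and the PIX lines follow 6.x syntax that should be checked against the running version.

```cisco
! Added example, not from the thread. Assumed topology:
!   R1 (inside)  Fa0/0 192.168.1.1/24 -> PIX inside  192.168.1.2
!   R2 (outside) Fa0/0 192.168.2.1/24 -> PIX outside 192.168.2.2
!   GRE Tunnel0 10.255.255.0/30, EIGRP AS 100
!   LAN 10.1.0.0/16 behind R1, LAN 10.2.0.0/16 behind R2

! ----- R1 (inside router) -----
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.2.1
!
interface FastEthernet0/0
 description to PIX inside
 ip address 192.168.1.1 255.255.255.0
!
! The tunnel endpoint must be reached through the PIX. This /32 static is
! more specific than the 192.168.2.0/24 that EIGRP will learn through the
! tunnel, so the tunnel never routes its own endpoint through itself
! (recursive routing, which flaps the tunnel).
ip route 192.168.2.1 255.255.255.255 192.168.1.2
!
router eigrp 100
 network 10.0.0.0
 network 192.168.1.0 0.0.0.255
 ! Advertise the PIX-facing subnet but send no hellos on it; the PIX would
 ! not forward the 224.0.0.10 multicast anyway.
 passive-interface FastEthernet0/0
 no auto-summary

! ----- R2 (outside router) -----
interface Tunnel0
 ip address 10.255.255.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.1
!
interface FastEthernet0/0
 description to PIX outside
 ip address 192.168.2.1 255.255.255.0
!
ip route 192.168.1.1 255.255.255.255 192.168.2.2
!
router eigrp 100
 network 10.0.0.0
 network 192.168.2.0 0.0.0.255
 passive-interface FastEthernet0/0
 no auto-summary

! ----- PIX 506E, 6.3 (assumed syntax) -----
! R1 keeps its real address on the outside, and only GRE (IP protocol 47)
! between the two tunnel endpoints is allowed in. LAN-to-LAN traffic rides
! inside the tunnel, so the PIX needs no routes for 10.1.0.0 or 10.2.0.0,
! and also cannot inspect any of it.
static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255
access-list outside_in permit gre host 192.168.2.1 host 192.168.1.1
access-group outside_in in interface outside
```

Check with `show ip eigrp neighbors` on either router: the only neighbor should appear on Tunnel0, never on FastEthernet0/0. The last comment in the PIX section is also the trade-off the later replies in this thread raise: everything between the two LANs is GRE payload as far as the firewall is concerned.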
11-24-2003 12:38 AM
Hello,
Technically, you can run EIGRP through the PIX without tunneling on ver 6.2. The PIX will pass the multicast updates if you set up the PIX correctly.
You can do this in two different ways: first by using double NAT on the PIX, and second without using double NAT, just one-to-one networks.
Just FYI.
thanks - Jeff
11-24-2003 01:49 PM
You could just configure the two EIGRP routers to use the neighbor statement so they can talk to one another using unicast messages. Bear in mind that the only reason it works is that EIGRP uses a TTL of 2.
Quite frankly though, I would really prefer running BGP between the two routers on each side of the firewall and then redistributing into EIGRP. This is probably a better design.
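The two alternatives in the reply above, unicast EIGRP via neighbor statements and eBGP redistributed into EIGRP, as an added example that was not posted in the thread. The addressing, AS numbers and PIX lines are assumed, and the PIX lines follow 6.x syntax. One detail worth knowing for the unicast option: IOS drops an EIGRP hello whose source address is not on the receiving interface's subnet ("not on common subnet"), so each router has to see its peer at an address on its own segment; the PIX provides that by translating each router into the other side's subnet, which is the double NAT Jeff describes two posts up.

```cisco
! Added example, not from the thread. Assumed topology:
!   R1 (inside)  Fa0/0 192.168.1.1/24, LAN 10.1.0.0/16
!   R2 (outside) Fa0/0 192.168.2.1/24, LAN 10.2.0.0/16
!   PIX 506E 6.3: inside 192.168.1.2, outside 192.168.2.2
! Only the routing-protocol exchange is shown; translation and access
! rules for the LAN-to-LAN user traffic are left out.

! ===== Option A: unicast EIGRP through the PIX (double NAT) =====
! PIX: R1 appears on the outside as 192.168.2.3, R2 appears on the inside
! as 192.168.1.3, so each router sees its peer on its own subnet.
! Outside-to-inside static translation needs PIX 6.2 or later.
static (inside,outside) 192.168.2.3 192.168.1.1 netmask 255.255.255.255
static (outside,inside) 192.168.1.3 192.168.2.1 netmask 255.255.255.255
! EIGRP is IP protocol 88; the ACL names R1 as it appears on the outside.
access-list outside_in permit 88 host 192.168.2.1 host 192.168.2.3
access-group outside_in in interface outside
! The PIX forwards the user traffic itself here, so it needs the LAN routes.
route inside  10.1.0.0 255.255.0.0 192.168.1.1 1
route outside 10.2.0.0 255.255.0.0 192.168.2.1 1
!
! R1: the neighbor statement turns off multicast on Fa0/0 and unicasts
! hellos and updates to the translated address of R2.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 192.168.1.0 0.0.0.255
 neighbor 192.168.1.3 FastEthernet0/0
 no auto-summary
!
! R2: mirror image, pointing at the translated address of R1.
router eigrp 100
 network 10.2.0.0 0.0.255.255
 network 192.168.2.0 0.0.0.255
 neighbor 192.168.2.3 FastEthernet0/0
 no auto-summary

! ===== Option B: eBGP across the PIX, redistributed into EIGRP =====
! PIX: R1 keeps its real address; only BGP (TCP 179) from R2 is allowed in.
static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255
access-list outside_in permit tcp host 192.168.2.1 host 192.168.1.1 eq 179
access-group outside_in in interface outside
route inside  10.1.0.0 255.255.0.0 192.168.1.1 1
route outside 10.2.0.0 255.255.0.0 192.168.2.1 1
!
! R1 (AS 65001). The peer is one routed hop away behind the PIX, so the
! eBGP session needs ebgp-multihop and a route to the peer address.
ip route 192.168.2.1 255.255.255.255 192.168.1.2
ip route 10.1.0.0 255.255.0.0 Null0
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.168.2.1 remote-as 65002
 neighbor 192.168.2.1 ebgp-multihop 2
 ! Originate one summary from the Null0 route instead of redistributing
 ! EIGRP into BGP, so there is no mutual-redistribution loop to filter.
 network 10.1.0.0 mask 255.255.0.0
!
router eigrp 100
 ! Fa0/0 is covered by no network statement, so EIGRP never speaks on the
 ! PIX side; passive-interface would be redundant here.
 network 10.1.0.0 0.0.255.255
 ! Redistributed routes need a seed metric:
 ! bandwidth(kbit) delay(10us) reliability load MTU
 redistribute bgp 65001 metric 10000 100 255 1 1500
 no auto-summary
!
! R2 (AS 65002), mirror image.
ip route 192.168.1.1 255.255.255.255 192.168.2.2
ip route 10.2.0.0 255.255.0.0 Null0
router bgp 65002
 bgp log-neighbor-changes
 neighbor 192.168.1.1 remote-as 65001
 neighbor 192.168.1.1 ebgp-multihop 2
 network 10.2.0.0 mask 255.255.0.0
!
router eigrp 100
 network 10.2.0.0 0.0.255.255
 redistribute bgp 65002 metric 10000 100 255 1 1500
 no auto-summary
```

In both options the PIX is forwarding the user traffic natively, which is why it carries static `route` lines for the two LANs; that is the point raised in the last reply about the PIX needing to learn the routes, solved here with statics rather than a routing protocol. Option B keeps the firewall policy narrow (one TCP port between two hosts) and keeps the EIGRP domains on each side independent of each other's stability, which is the design argument in the reply above.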
12-24-2003 04:00 AM
I would agree. GRE tunnels tend to defeat the object of having a firewall in the first place. BGP is the most robust option.
Depending on your network topology, the PIX may need to learn these routes too though. You could redistribute EIGRP into RIPv2 on your routers and have the PIX learn those routes? All sounds a bit messy to me though...