Right, I guess a better wording of my question would be is "how do I turn off the EIGRP updates on the routers that connect to the PIX"?

I plan on entering static IPs into the PIX to move the traffic through it but don't want to get errors with EIGRP updates.

Do you mean "passive-interface"? If you want to turn off the EIGRP announcements from the routers themselves, just configure your interface as a passive-interface (under your router eigrp xxx configuration)

Ah, yes that is what I meant. Thank You!! But you made a good point in regards to tunneling eigrp through the pix. Since it sounds like that is what you have done, would you recomend doing that over passive-interface on the routers that connect to the pix?

Oh yea.. you can make the router ethernet (the one connected with the PIX) as a passive interface and you exchange EIGRP routing info through the tunnel interface, ethernet in this case will not interfere in EIGRP at all.

Hello,

Technically, you can run EIGRP through PIX without tunneling on ver 6.2. The PIX will pass the multicast updates if you set up the PIX correctly.

You can do this in two different ways. First by using double nat on the PIX and second without using double net - just one to one networks.

Just FYI.

thanks - Jeff

you could just configure the two EIGRP routers to use the neighbor statement so they can talk to one another using unicast messages. Bear in mind that the only reason it works is that EIGRP uses a TTL of 2.

Quite frankly though, I would really prefer running BGP between the two routers on each side of the firewall and then redistribute in EIGRP. This is probably a better design.

I would agree. GRE tunnels tend to defeat the object of having a firewall in the first place. BGP is the most robust option.

Depending on your network topology, the PIX may need to learn these routes too though. You could redistribute EIGRP into RIPv2 on your routers and have the PIX learn those routes? All sounds a bit messy to me though...