PIX & EIGRP Networks

stevem
Level 1

my question is if both of the Networks that our PIX (506E,ver 6.3)is sitting between are running EIGRP do I need to do anything to the ports on the routers that connect to the PIX? Like setting those ports to passive listening?

8 Replies

osam
Level 1

I am not sure whether PIX SecureOS 6.3 will pass EIGRP multicast traffic or not, but I know for sure ver 6.2 and older won't.

The way we used to do it in such cases is to build a tunnel across the PIX between the two routers in question.

Right, I guess a better wording of my question would be: "How do I turn off the EIGRP updates on the routers that connect to the PIX?"

I plan on entering static IPs into the PIX to move the traffic through it but don't want to get errors with EIGRP updates.

Do you mean "passive-interface"? If you want to turn off the EIGRP announcements from the routers themselves, just configure your interface as a passive-interface (under your router eigrp xxx configuration).

Ah, yes, that is what I meant. Thank you!! But you made a good point in regards to tunneling EIGRP through the PIX. Since it sounds like that is what you have done, would you recommend doing that over passive-interface on the routers that connect to the PIX?

Oh yeah... you can make the router Ethernet interface (the one connected to the PIX) a passive interface and exchange EIGRP routing info through the tunnel interface; the Ethernet interface in this case will not interfere with EIGRP at all.
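The GRE-tunnel approach described above, written out as an added example (this is not the poster's configuration). All addresses, interface names and the EIGRP AS number are hypothetical: R1 (10.1.1.1) sits on the PIX inside interface (10.1.1.254), R2 (10.2.2.1) on the PIX outside interface (10.2.2.254), and each router has a LAN behind it (192.168.1.0/24 and 192.168.2.0/24). The PIX 6.3 lines assume a one-to-one static for R1 and an inbound access-list that admits only GRE between the two tunnel endpoints.

```cisco
! ----- R1 (inside of the PIX), hypothetical addressing -----
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 10.2.2.1
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 network 192.168.1.0
 ! no hellos on the PIX-facing interface; adjacency forms over Tunnel0 only
 passive-interface Ethernet0
 no auto-summary
!
! host route to the far tunnel endpoint via the PIX, so the tunnel
! destination is never learned through the tunnel itself (recursive routing)
ip route 10.2.2.1 255.255.255.255 10.1.1.254

! ----- R2 (outside of the PIX), hypothetical addressing -----
interface Ethernet0
 ip address 10.2.2.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 10.1.1.1
!
router eigrp 100
 network 10.2.2.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 network 192.168.2.0
 passive-interface Ethernet0
 no auto-summary
!
ip route 10.1.1.1 255.255.255.255 10.2.2.254

! ----- PIX 506E, 6.3, hypothetical addressing -----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.2.2.254 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
! present R1 untranslated on the outside so R2 can reach 10.1.1.1
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0
! admit only GRE (IP protocol 47) from the far tunnel endpoint to R1
access-list outside_in permit gre host 10.2.2.1 host 10.1.1.1
access-group outside_in in interface outside
```

Note what the PIX sees with this design: one GRE flow between two hosts, not the routing traffic or anything else the routers choose to send inside the tunnel. Any routed traffic that should still be inspected by the PIX must not be carried over Tunnel0, so do not let the tunnel become the preferred path for the LAN prefixes unless that is intended.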

Hello,

Technically, you can run EIGRP through PIX without tunneling on ver 6.2. The PIX will pass the multicast updates if you set up the PIX correctly.

You can do this in two different ways: first by using double NAT on the PIX, and second without using double NAT - just one-to-one networks.

Just FYI.

thanks - Jeff

You could just configure the two EIGRP routers to use the neighbor statement so they can talk to one another using unicast messages. Bear in mind that the only reason it works is that EIGRP uses a TTL of 2.

Quite frankly though, I would really prefer running BGP between the two routers on each side of the firewall and then redistribute in EIGRP. This is probably a better design.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

I would agree. GRE tunnels tend to defeat the object of having a firewall in the first place. BGP is the most robust option.

Depending on your network topology, the PIX may need to learn these routes too though. You could redistribute EIGRP into RIPv2 on your routers and have the PIX learn those routes? All sounds a bit messy to me though...
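The BGP alternative suggested in the last two replies, as an added example rather than either poster's configuration. It keeps the hypothetical addressing used above (R1 10.1.1.1 inside, R2 10.2.2.1 outside, PIX 10.1.1.254/10.2.2.254, EIGRP AS 100) and adds two hypothetical private BGP AS numbers, 65001 and 65002. eBGP peers that are not on a shared subnet need ebgp-multihop, the PIX only has to admit TCP/179 between the two routers, and because PIX 6.3 cannot learn BGP or EIGRP itself it gets static routes for the LAN prefixes, which is what the last reply is pointing at.

```cisco
! ----- R1 (inside), hypothetical addressing -----
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 192.168.1.0
 passive-interface Ethernet0
 ! bring the far side's prefixes into EIGRP; seed metric is required
 redistribute bgp 65001 metric 10000 100 255 1 1500
 no auto-summary
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.2.2.1 remote-as 65002
 ! peer is one router hop away through the PIX, not directly connected
 neighbor 10.2.2.1 ebgp-multihop 2
 redistribute eigrp 100
!
ip route 10.2.2.0 255.255.255.0 10.1.1.254

! ----- R2 (outside), hypothetical addressing -----
interface Ethernet0
 ip address 10.2.2.1 255.255.255.0
!
router eigrp 100
 network 10.2.2.0 0.0.0.255
 network 192.168.2.0
 passive-interface Ethernet0
 redistribute bgp 65002 metric 10000 100 255 1 1500
 no auto-summary
!
router bgp 65002
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 ebgp-multihop 2
 redistribute eigrp 100
!
ip route 10.1.1.0 255.255.255.0 10.2.2.254

! ----- PIX 506E, 6.3, hypothetical addressing -----
ip address outside 10.2.2.254 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0
! only the BGP session between the two routers is admitted from outside
access-list outside_in permit tcp host 10.2.2.1 host 10.1.1.1 eq 179
access-group outside_in in interface outside
! the PIX learns neither EIGRP nor BGP, so it needs static routes for the LANs
route inside 192.168.1.0 255.255.255.0 10.1.1.1 1
route outside 192.168.2.0 255.255.255.0 10.2.2.1 1
```

Two-way redistribution between EIGRP and BGP on both routers can feed a prefix back into the protocol it came from; in anything beyond a lab, tag the routes on redistribution (route-map with set tag / match tag) or filter with prefix-lists so each side only advertises its own LAN prefixes. Check the session with `show ip bgp summary` on either router and confirm the learned prefixes appear in `show ip route eigrp` on the far side.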
