Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2999
Views
0
Helpful
4
Replies

Routing OSPF through PIX

8dpurkey
Level 1
Level 1

‎10-17-2000 05:51 PM - edited ‎02-20-2020 09:46 PM

I have a need to route OSPF through a PIX firewall. We are using 7000 routers on either side of the firewall and are not using NAT. What are the options, if any, to pass OSPF routing updates?

0 Helpful
4 Replies 4

wdrootz
Level 4
Level 4

‎10-25-2000 08:53 AM

Well, this is something I wouldn't recommend trying. There are numerous security reasons to avoid running routing protocols through a PIX. I'd suggest just putting both routers in using IOS firewall and configure your OSPF as usual. Since your PIX doesn't participate in the routing, the hop will adversely affect it. I've heard some people are doing it with IGRP, but I know Cisco doesn't support it. Has anybody tried this?

0 Helpful

rtrunk
Level 1
Level 1

‎10-26-2000 12:35 PM

I recommend that you carefully evaluate your need for OSPF through a firewall, and see if there isn't another option. It's not that it can't be done. It can, but you create unnecessary security risks by doing so.

The first question I would ask is this: If you don't trust the people on the other side of your firewall, why are you trusting the routing advertisements they send you? They could advertise incorrect routes and bring down your network. It's a powerful denial-of-service attack.

In order to let OSPF through the PIX, you have to create a GRE tunnel through it and run OSPF through the tunnel. I think this is a pretty big hole through the PIX.

Another option is to run BGP across the PIX and redistribute on both ends. This lets you control what routes you advertise, and more importantly, what routes you accept. You can filter so that you don't accept routing advertisements for networks on your side of the PIX, nor advertise networks that don't belong to you.

Another advantage is that you only have to open one TCP port for BGP and then only to the peer addresses -- a relatively small hole.

0 Helpful

jtiso
Level 1
Level 1

‎10-26-2000 12:37 PM

OSPF requires adjacency. Why not try a GRE or IPSEC tunnel from router to router?

0 Helpful

cdbush
Level 1
Level 1

‎10-30-2000 01:38 PM

I assume you are doing this for load-balancing or redundancy or both. I would highly recommend going with BGP as opposed to OSPF or any other IGP. BGP is easy to get through the Pix and you can control all of the route updates.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card