Re: IOS Firewall & OSPF

rrbbruno · ‎12-19-2001

Hi all,

We want to interconnect a new branch (with cisco 3640,IOS firewall,8 ethernet) with our central site.

With this 3640 (branch), we intend to set OSPF just for the WAN interface.

I can't see sample like that in cisco website. Does firewall work with ospf ?

Does anybody have a problem with this architecture ?

Need advice please.

Bruno

rrbleeker · ‎12-20-2001

The PIX does not support OSPF. In your central site, you can use a static route, and redistribute it in OSPF.

pmoulay · ‎12-21-2001

The pix firewall will work with OSPF as long as your access-list allows it,i.d conduit permit ospf any any

or access-l 101 permit ospf any any + access-group 101 in interface outside.

However, we do not recommend running any routing updates through the pix firewall. Configure a static route on your 3640 router and redistribute in your ospf domain. Another way to do it is to tunnel traffic from your 3640 router to another router behind your branch PIX. That way you can GRE your ospf traffic. Make sure GRE is open between the two routers. My 2 cents. PIX guru:)

subaa · ‎12-27-2001

Hi,

I have a question about your "ospf on a pix" issue. If you configure the "access-list 101 permit ospf any any" on the OUTSIDE will the OSPF packets go to every higher security interfaces? Since they are multicasts they should, but I would be pretty surprised... Besides, what is the 2 any statements in that ACL?

In fact I would use OSPF over NBMA mode, although you are absolutely right: it is better not to let updates through the PIX.

Thanx,

Attila Suba