02-23-2006 02:14 AM - edited 03-03-2019 11:50 AM
Folks,
I have 2 routers either side (inside and outside) of a Symantec SGS firewall.
The outside router connects to a third party network over a 100Mb Ethernet circuit.
The inside connects into my own corporate LAN.
I have the same setup replicated on a backup link which internal and external traffic will fail over to in the event of a link/router failure on the main link.
My problem:
I'm trying to pass OSPF over protocol number 89 through the firewall but I'm not having any joy.
Has anyone tried this?
Has anyone any alternative ideas on some mechanism to ensure my internal router knows the external link/router is down?
Thanks to anyone taking the time to reply.
Gratefully appreciated.
02-23-2006 02:24 AM
Hi,
One possible issue I see is that OSPF packets are going to be using the 224.0.0.5/6 multicast addresses. You might want to configure the ospf network-type at both ends to be non-broadcast. That will make the routers use unicast packets which are more likely to get through.
Hope that helps - pls rate the post if it does.
Paresh
02-23-2006 02:43 AM
Hello Paresh,
I am not sure this will work, because of IP address issues:
R1(10.1.1.1) - (10.1.1.2)FW(192.168.1.2) - (192.168.1.1)R2
How, in this picture would R1 and R2 form an OSPF adjacency? And even if they could, how would the FW forward the IP packets, when not being part of the OSPF domain?
You could use GRE, but this defeats the purpose of the FW.
To "see" routers being available/not available through a firewall I would use BGP. It will set up a TCP session on port 179 and the FW would see it as any other TCP session. In addition the routers need not be directly connected. It could look like this:
router bgp 65000
no synch
no auto-summary
neighbor 10.1.1.1 remote-as 65000
redistribute ospf 10 match internal external
Be careful however not to produce a routing loop with mutual redistribution, i.e. apply proper filters.
Also be careful with your FW IP routing not to introduce routing loops/"black holes" there.
Hope this helps! Please rate all posts.
Regards, Martin
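Martin's suggestion sketched out for both routers, as an added example that is not from anyone in the thread: addresses follow his picture (R1 10.1.1.1, FW 10.1.1.2/192.168.1.2, R2 192.168.1.1); AS 65000, OSPF process 10, the corporate range 10.0.0.0/8 and the third-party range 172.16.0.0/12 are assumed, and the prefix-list filters are the "proper filters" he mentions, so that each side redistributes only what belongs to it.

```cisco
! R1, inside router (10.1.1.1) - constructed example, not from the thread
ip route 192.168.1.0 255.255.255.0 10.1.1.2            ! reach R2 through the FW
ip prefix-list CORP seq 10 permit 10.0.0.0/8 le 24      ! corporate LAN (assumed range)
ip prefix-list THIRD-PARTY seq 10 permit 172.16.0.0/12 le 24  ! third-party nets (assumed)
!
route-map OSPF-TO-BGP permit 10     ! only corporate prefixes are sent towards R2
 match ip address prefix-list CORP
route-map BGP-TO-OSPF permit 10     ! only third-party prefixes enter the LAN OSPF
 match ip address prefix-list THIRD-PARTY
!
router ospf 10
 network 10.0.0.0 0.255.255.255 area 0
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
!
router bgp 65000
 no synchronization
 no auto-summary
 neighbor 192.168.1.1 remote-as 65000   ! iBGP: no ebgp-multihop needed, TTL is 255
 neighbor 192.168.1.1 timers 10 30      ! 30 s hold time bounds the failure detection delay
 redistribute ospf 10 match internal external route-map OSPF-TO-BGP

! R2, outside router (192.168.1.1) - mirror image of R1
ip route 10.1.1.0 255.255.255.0 192.168.1.2            ! reach R1 through the FW
ip prefix-list CORP seq 10 permit 10.0.0.0/8 le 24
ip prefix-list THIRD-PARTY seq 10 permit 172.16.0.0/12 le 24
!
route-map OSPF-TO-BGP permit 10     ! only third-party prefixes are sent towards R1
 match ip address prefix-list THIRD-PARTY
route-map BGP-TO-OSPF permit 10     ! only corporate prefixes go to the external OSPF
 match ip address prefix-list CORP
!
router ospf 10
 network 172.16.0.0 0.15.255.255 area 0   ! OSPF with the third party (assumed)
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
!
router bgp 65000
 no synchronization
 no auto-summary
 neighbor 10.1.1.1 remote-as 65000
 neighbor 10.1.1.1 timers 10 30
 redistribute ospf 10 match internal external route-map OSPF-TO-BGP

! On the SGS (rule syntax depends on the firewall): permit TCP port 179 between
! 10.1.1.1 and 192.168.1.1 in both directions, and add static routes for
! 10.0.0.0/8 via 10.1.1.1 and 172.16.0.0/12 via 192.168.1.1.
```

The hold timer only detects R2 (or the path through the FW) dying; a failure of the 100Mb circuit itself is noticed because R2 loses the third-party prefixes from OSPF and withdraws them over BGP, which does not happen if those prefixes are static on R2.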
02-23-2006 02:55 AM
You're right Martin... this is a lot more complicated than I initially thought !!
You could still possibly do it if you do a NAT in both directions so that (using your example) the packets from 10.1.1.1 appear on the other side as 192.168.1.x and vice versa...
As far as the firewall is concerned, it does not really have to be part of the OSPF domain as long as you statically configure the routes on either side. Which kinda defeats the purpose of a lot of this...
However, there are probably a lot more issues that I have not thought about yet :-)
Paresh
02-23-2006 04:15 AM
Another reason this will not work is that the TTL on the ospf packets is 1 and they would therefore die once they are decremented by the FW.
As Martin suggested, running BGP through the FW is a better option and is very commonly used.
Hope this helps,
02-28-2006 01:55 PM
Folks,
Many thanks for your help and good advice.
I have been able to resolve the issue by upgrading my Symantec SGS to v3 of its OS.
This allows me to run OSPF and process multicasts on individual interfaces, so I have established OSPF neighbours with the routers on either side.
As this is a dedicated router it doesn't have any routes on it to distribute, and my inside router has a distribution list on it to ensure nothing else is passed to the external router.
Thanks again to all!