Re: Passing OSPF routing -- R1 --> Checkpoint FW -- R2

metzj · ‎05-20-2008

What would be the best way to configure OSPF Routing to pass from R1 thru Checkpoint FW to R2 without establishing a GRE Tunnel. I have attmepted this via ethernet interfaces configured with "ip ospf network non-broadcast" command. Specifying neigbhor commands in the OSPF process. Also we are using secondary ip address. I have attached the configs of the two routers. So far All I get on R2 is attempt/drother. Any suggestions are most welcome.

Harold Ritter · ‎05-20-2008

Joel,

As far as I know, you will only be able to get an adjacency between R1 and R2 if you configure the transparent mode on the Checkpoint FW1 platform. I know this is the case when you use a Cisco FW service module (FWSM).

In routed mode, you will simply not be able to achieve that as the OSPF packets are sent with a TTL of 1 and decremented on the Checkpoint device.

Regards,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

metzj · ‎05-20-2008

Thank You "hritter" I appreciate the insight with our problem. What is the best way to route through a firewall with a Cisco router on each side.

Thank You

Harold Ritter · ‎05-20-2008

Joel,

As mentioned in my previous post, the best way would probably be to use the transparent mode on the Checkpoint FW-1 device, which would allow you to have an adjacency between R1 and R2.

If you don't want to go from routed to transparent mode, then I would recommend to run BGP through the FW and to redistribute between OSPF and BGP on either side.

Regards,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

kshortdynasty · ‎05-20-2008

Joel,

Are you trying to run OSPF with the Checkpoint firewall? I've done this and it worked well. There was an FWSM on the inside and a 2600 router on the outside.

If not, what's your reason for not letting the Checkpoint participate in OSPF?

Keith

Co-Founder LinuxDynasty

http://www.linuxdynasty.org

http://www.linuxdynasty.com