cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1130
Views
0
Helpful
4
Replies

Passing OSPF routing -- R1 --> Checkpoint FW -- R2

metzj
Level 1
Level 1

What would be the best way to configure OSPF Routing to pass from R1 thru Checkpoint FW to R2 without establishing a GRE Tunnel. I have attmepted this via ethernet interfaces configured with "ip ospf network non-broadcast" command. Specifying neigbhor commands in the OSPF process. Also we are using secondary ip address. I have attached the configs of the two routers. So far All I get on R2 is attempt/drother. Any suggestions are most welcome.

4 Replies 4

Harold Ritter
Level 12
Level 12

Joel,

As far as I know, you will only be able to get an adjacency between R1 and R2 if you configure the transparent mode on the Checkpoint FW1 platform. I know this is the case when you use a Cisco FW service module (FWSM).

In routed mode, you will simply not be able to achieve that as the OSPF packets are sent with a TTL of 1 and decremented on the Checkpoint device.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thank You "hritter" I appreciate the insight with our problem. What is the best way to route through a firewall with a Cisco router on each side.

Thank You

Joel,

As mentioned in my previous post, the best way would probably be to use the transparent mode on the Checkpoint FW-1 device, which would allow you to have an adjacency between R1 and R2.

If you don't want to go from routed to transparent mode, then I would recommend to run BGP through the FW and to redistribute between OSPF and BGP on either side.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Joel,

Are you trying to run OSPF with the Checkpoint firewall? I've done this and it worked well. There was an FWSM on the inside and a 2600 router on the outside.

If not, what's your reason for not letting the Checkpoint participate in OSPF?

Keith

Co-Founder LinuxDynasty

http://www.linuxdynasty.org

http://www.linuxdynasty.com

Review Cisco Networking for a $25 gift card