Perimeter firewall- Risks running OSPF

mvsheik123
Level 7

Hello all,

We have an ASA5510 at our perimeter and it is running OSPF on the inside interface.

1. I am planning to add a DMZ and to add the DMZ subnet to the OSPF process as well, to advertise the DMZ dynamically into the network.

 

Any security risks?

2. In the near future we will add BGP and a perimeter router (Internet router) with dual ISPs, and advertise the default route from the Internet router into the OSPF domain. I am planning to enable OSPF between the Internet router and the ASA outside interface and redistribute BGP into OSPF. I would like to know the security risks in doing so. Please suggest. Sample configs below for steps 1 & 2.

Current:

ASA:
interface Ethernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 ip address 67.27.36.194 255.255.255.248
!
router ospf 100
 ! area 0 assumed; the ASA network statement requires an area id
 network 10.10.10.1 255.255.255.255 area 0
!
route outside 0.0.0.0 0.0.0.0 (nexthop IP)

ASA after DMZ:
interface Ethernet0/2
 nameif DMZ
 ip address 192.168.40.1 255.255.255.0
!
router ospf 100
 ! area 0 assumed; the ASA network statement requires an area id
 network 10.10.10.1 255.255.255.255 area 0
 network 192.168.40.1 255.255.255.255 area 0
!

ASA with internet router/BGP:
interface Ethernet0/0
 nameif outside
 ip address 7.7.7.10 255.255.255.0
!
router ospf 100
 ! area 0 assumed; the ASA network statement requires an area id
 network 10.10.10.1 255.255.255.255 area 0
 network 192.168.40.1 255.255.255.255 area 0
 network 7.7.7.10 255.255.255.255 area 0
!
Remove the default route.

Internet router:
interface GigabitEthernet0/1
 description to ISP
 ip address 20.20.20.1 255.255.255.252
!
interface GigabitEthernet0/1
 description to ASA
 ip address 7.7.7.5 255.255.255.0
!
router ospf 100
 router-id 7.7.7.5
 ! IOS network statements take a wildcard mask; area 0 assumed
 network 7.7.7.5 0.0.0.0 area 0
 redistribute bgp 64345 <default route>
!
router bgp 64345
 neighbor < > remote-as <>
 network 7.7.7.0 mask 255.255.255.0
!

Thanks in Advance

MS

1 Reply

mvsheik123
Level 7

Hello everybody,

I was able to do some tests with reference to the risks. Adding the DMZ interface to the dynamic routing process is fine (as it has already been enabled for the inside interface), but not for the outside. The perimeter router learns all the internal network routes :-). This is a much-anticipated result, but I just wanted to check it out. Thanks all for reading this.

Thanks

MS
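As an added check that is not part of this thread, the following Python script audits an ASA configuration in the shape posted above and reports the two things a defender would look for before a network statement pulls the outside interface into OSPF: the outside interface participating in the process (which is what hands every internal prefix to the perimeter router, as the reply observed), and OSPF-enabled interfaces that lack MD5 authentication, so that any device on that segment could form an adjacency. Both configurations embedded in the script are constructed for the example: the risky one is the posted step-2 ASA config with an assumed area 0, and the hardened one keeps the outside on a static default route and adds ospf authentication message-digest on the OSPF interfaces. The audit function, its finding names and the parser are the example's own, not Cisco's or the poster's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: the posted ASA config once the outside interface has been
# added to OSPF (step 2 of the question), with an assumed area 0.
RISKY_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 ip address 7.7.7.10 255.255.255.0
!
router ospf 100
 network 10.10.10.1 255.255.255.255 area 0
 network 192.168.40.1 255.255.255.255 area 0
 network 7.7.7.10 255.255.255.255 area 0
!
"""

# Constructed hardened variant: no network statement covers the outside interface
# (it keeps a static default), and every OSPF interface carries MD5 authentication.
HARDENED_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <key>
!
interface Ethernet0/2
 nameif DMZ
 ip address 192.168.40.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <key>
!
interface Ethernet0/0
 nameif outside
 ip address 7.7.7.10 255.255.255.0
!
router ospf 100
 network 10.10.10.1 255.255.255.255 area 0
 network 192.168.40.1 255.255.255.255 area 0
 area 0 authentication message-digest
!
route outside 0.0.0.0 0.0.0.0 7.7.7.5
"""


@dataclass
class Iface:
    name: str
    nameif: str = ""
    address: Optional[ipaddress.IPv4Address] = None
    md5_auth: bool = False  # "ospf authentication message-digest" present
    md5_key: bool = False   # "ospf message-digest-key N md5 ..." present


@dataclass
class OspfNetwork:
    network: ipaddress.IPv4Network
    area: Optional[str]
    raw: str


def parse_asa(config: str) -> Tuple[List[Iface], List[OspfNetwork]]:
    """Minimal ASA config reader: interface blocks and OSPF network statements."""
    ifaces: List[Iface] = []
    networks: List[OspfNetwork] = []
    block: Union[Iface, str, None] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():  # top-level command opens or closes a block
            if raw.startswith("interface "):
                block = Iface(name=raw.split()[1])
                ifaces.append(block)
            elif raw.startswith("router ospf"):
                block = "ospf"
            else:
                block = None
            continue
        cmd = raw.strip()
        if isinstance(block, Iface):
            if cmd.startswith("nameif "):
                block.nameif = cmd.split()[1]
            elif cmd.startswith("ip address "):
                block.address = ipaddress.IPv4Address(cmd.split()[2])
            elif cmd == "ospf authentication message-digest":
                block.md5_auth = True
            elif cmd.startswith("ospf message-digest-key "):
                block.md5_key = True
        elif block == "ospf" and cmd.startswith("network "):
            parts = cmd.split()
            # ASA "network <ip> <mask>": any interface whose address falls in
            # this range runs OSPF on that interface.
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            area = parts[4] if len(parts) >= 5 and parts[3] == "area" else None
            networks.append(OspfNetwork(net, area, cmd))
    return ifaces, networks


def audit_ospf(config: str) -> List[str]:
    """Return a list of findings; an empty list means no risk was detected."""
    ifaces, networks = parse_asa(config)
    findings: List[str] = []
    for n in networks:
        if n.area is None:
            findings.append(f"network-without-area: '{n.raw}' (ASA requires an area id)")
    for i in ifaces:
        if i.address is None:
            continue
        hits = [n for n in networks if i.address in n.network]
        if not hits:
            continue  # interface is not part of the OSPF process
        label = f"{i.name} ({i.nameif}) {i.address}"
        if i.nameif.lower() == "outside":
            findings.append(f"ospf-on-outside: {label} is pulled into OSPF by "
                            f"'{hits[0].raw}'; the perimeter router will learn "
                            "every internal prefix")
        if not (i.md5_auth and i.md5_key):
            findings.append(f"no-ospf-authentication: {label} will form an "
                            "adjacency with any unauthenticated neighbor")
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_ospf(cfg) or ["no findings"]:
            print(" ", f)
```

Running it prints four findings for the posted layout (the outside interface in OSPF plus three unauthenticated OSPF interfaces) and none for the hardened one. The script only models which interfaces a network statement activates; it does not replace a check of the actual neighbor table on the box.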