Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3784
Views
0
Helpful
2
Replies

routing between two firewalls

Go to solution
ohareka70
Level 3
Level 3

‎01-24-2013 12:30 PM - edited ‎03-04-2019 06:50 PM

Hello, 

Scenario: a managed service provider has two routers connected to our network at different datacentres for an external sharepoint project via an MPLS connection. 

Primary Site 1 - they have a router directly connected to our network on the outside of the firewall

Secondary Site 2 - they have a router directly connected to the firewall on the outside of our network


I need to be able to have routing between these two devices for failover purposes.  But my OSPF routing is only for routers/switches inside my network, ie inside both firewalls.

Any ideas how to do this?

It looks as if i am trying to connect a router on the DMZ of firewall-1 across our OSPF network to another router which also sits on the DMZ of firewall-2

PS - i have full access to both firewalls and the ospf network in between.

regards,

Kevin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎01-25-2013 01:11 AM

Hello Kevin,

if your firewalls are running OSPF on their own inside interface all you need to do is to setup appropriate static routes on the firewalls.

On FW1 you configure a static route for reaching the locally connected sharepoint router. Then you redistribute the static route(s) into OSPF.

The same can be done on FW2 at the secondary site

This requires the following:

- FW inside interfaces have to run OSPF

- FW inside interfaces have to be part of a standard OSPF area or a NSSA area.

Similarly you could do the same on internal routers connected to the FW inside interfaces, if your FW are not running OSPF. You would need a set of static routes for the sharepoint router on that internal router with next-hop the FW inside interface, and then to redistribute them into OSPF.

However, an issue is still open: if you don't control the sharepoint routers how to tell them of the backup path via your internal network?

If so you have to work with SP people to have them configure floating static routes pointing to your  FW DMZ or outside interface address so that when the MPLS link fails they will use the path via your internal network.

I would not consider extending OSPF to the sharepoint routers as it means running OSPF on your DMZ/outside interface for security reasons.

In addition to routing both FWs need configuration to permit traffic from their DMZ/outside to inside between the sharepoint routers.

Hope to help

Giuseppe

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎01-25-2013 01:11 AM

Hello Kevin,

if your firewalls are running OSPF on their own inside interface all you need to do is to setup appropriate static routes on the firewalls.

On FW1 you configure a static route for reaching the locally connected sharepoint router. Then you redistribute the static route(s) into OSPF.

The same can be done on FW2 at the secondary site

This requires the following:

- FW inside interfaces have to run OSPF

- FW inside interfaces have to be part of a standard OSPF area or a NSSA area.

Similarly you could do the same on internal routers connected to the FW inside interfaces, if your FW are not running OSPF. You would need a set of static routes for the sharepoint router on that internal router with next-hop the FW inside interface, and then to redistribute them into OSPF.

However, an issue is still open: if you don't control the sharepoint routers how to tell them of the backup path via your internal network?

If so you have to work with SP people to have them configure floating static routes pointing to your  FW DMZ or outside interface address so that when the MPLS link fails they will use the path via your internal network.

I would not consider extending OSPF to the sharepoint routers as it means running OSPF on your DMZ/outside interface for security reasons.

In addition to routing both FWs need configuration to permit traffic from their DMZ/outside to inside between the sharepoint routers.

Hope to help

Giuseppe

0 Helpful

Go to solution
ohareka70
Level 3
Level 3
In response to Giuseppe Larosa

‎01-25-2013 02:59 AM

Giuseppe,

Thanks for the advice.  We dont use OSPF on the firewall interfaces anymore but I will give it a go using the static routes.

good advice,

regards,

Kevin

0 Helpful
Customers Also Viewed These Support Documents