TCC_2

Resolution

The PIX Firewall knows how many hops are needed to reach a certain destination, but it cannot advertise this information. The PIX does not support a command or configuration setting to advertise global addresses or networks outside of the interface to which the global pool is bound. The workaround for this issue is to add routes either on the PIX or on the upstream device, and redistribute routes.

To redistribute routes, you must configure Open Shortest Path First (OSPF) on the PIX. OSPF provides support for configuring the PIX as an Autonomous System Border Router (ASBR), with route redistribution between OSPF processes including OSPF, static, and connected routes.

Note: OSPF is supported on PIX versions 6.3 and later. It is also supported on all 500 series platforms except the PIX 501. The OSPF functionality in PIX version 6.3 is similar to that provided by Cisco IOS Software Release 12.2(3a).

When Network Address Translation (NAT) is used and OSPF operates on public and private areas, run two OSPF processes to prevent the advertising of private networks in public areas. This allows the use of NAT and OSPF without advertising private networks, as shown in this example:

  ip address outside 1.1.1.1 255.255.255.0
  ip address inside 10.0.0.1 255.0.0.0
  router ospf 1
    network 1.1.1.0 255.255.255.0 area 0
  router ospf 2
    redistribute ospf 1
    network 10.0.0.0 255.0.0.0 area 10.0.0.0

For more information, refer to the Configuring OSPF on the PIX Firewall section of Establishing Connectivity.
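
The following audit check is an added example, not Cisco's code or part of the original post. It parses a PIX-style configuration and reports the two ways the separation described above can break: public and private networks in one OSPF process, or a public process redistributing a private one. The function names are hypothetical, and "private" is assumed to mean the RFC 1918 ranges.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the two-process configuration from the example above.
SAMPLE_CONFIG = """\
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
router ospf 1
  network 1.1.1.0 255.255.255.0 area 0
router ospf 2
  redistribute ospf 1
  network 10.0.0.0 255.0.0.0 area 10.0.0.0
"""

def parse_ospf(config):
    """Map each OSPF process id to its network statements and redistribute sources."""
    procs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"router ospf (\d+)$", line):
            current = procs.setdefault(m.group(1), {"networks": [], "redistribute": []})
        elif current is None:
            continue
        elif m := re.match(r"network (\S+) (\S+) area \S+$", line):
            # PIX network statements take a netmask, as in the page's example.
            current["networks"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"redistribute ospf (\d+)", line):
            current["redistribute"].append(m.group(1))
    return procs

def covers_private(proc):
    return any(n.overlaps(r) for n in proc["networks"] for r in RFC1918)

def covers_public(proc):
    return any(not any(n.subnet_of(r) for r in RFC1918) for n in proc["networks"])

def find_private_leaks(config):
    """Report ways private routes could be advertised by a process with public networks."""
    procs, findings = parse_ospf(config), []
    for pid, proc in procs.items():
        if not covers_public(proc):
            continue
        if covers_private(proc):
            findings.append(f"ospf {pid}: public and private networks in one process")
        for src in proc["redistribute"]:
            if src in procs and covers_private(procs[src]):
                findings.append(f"ospf {pid}: redistributes private process ospf {src}")
    return findings
```

The sample configuration produces no findings because redistribution runs only from the public process into the private one.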
