Pat,

What you're asking for is similar to a previous thread about a month ago
regarding passing EIGRP updates through a PIX.  EIGRP is similar to OSPF in
regards to the formation of neighbor relationships.  For EIGRP you would do
this: (taken from my previous post)

-Tell outside router (172.16.1.3) its neighbor is 172.16.1.50
-Tell inside router (10.1.1.2) its neighbor is 10.1.1.5
-On PIX:
        static (inside,outside) 172.16.1.50 10.1.1.2 netmask 255.255.255.255
        alias (inside) 10.1.1.5 172.16.1.3

It's a little "hokey", but it does work. (yes, I tested this in my lab)

Obviously, you would substitute your own IPs for those above, but you
should get the idea.

HOWEVER, I don't think this will work for OSPF.  I tried it when I was
playing around with the EIGRP config and it did not work.  This may be due
to certain properties of the OSPF packets' IP layer info.  Specifically, I've
been told that the ttl is set to 1, so trying to pass updates through
firewalls won't work.  I didn't get a chance to sniff the packets to see
exactly why the OSPF wasn't working and EIGRP updates were, but the ttl
field issue sounds like a reasonable explanation.

If you're game, try the above config and see if OSPF will work.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of pat
Sent: Tuesday, October 30, 2001 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: OSPF across PIX [7:24608]


Thanks for your reply.

When I try to specify outside router as neighbor using neighbor command
I get "OSPF: Neighbor address does not map to an interface". How do I
resolve this issue?

What do you mean by "If you are doing NAT then a global and nat
combination need to represent the internal IP addresses to the outside
network"...? Can you give an example?

I am doing NAT on firewall.

The IP addresses are as follows:

Inside router Ethernet 10.10.2.1
Firewall inside 10.10.2.1
Firewall outside 138.12.48.2
Outside Router ethernet 138.12.48.1


Thanks a lot for everybody's response.



--- "Engelhard M. Labiro" wrote:
> Sorry, replying to my own message.
> The access-list below assumes that you are able to use nat 0 command
> (no NAT translation will occur for the internal IP addresses to be seen
> from outside network). If you are doing NAT then a global and nat
> combination need to represent the internal IP addresses to the outside
> network, before applying the access-list below.
>
> Hope you get the idea.
>
> > Since OSPF uses IP protocol 89, permit this protocol between
> > the two OSPF routers with access-list applied at outside and inside
> > PIX interfaces, something like this:
> > access-list 101 permit 89 host 1.1.1.1 host 2.2.2.2
> > access-list 102 permit 89 host 2.2.2.2 host 1.1.1.1
> > access-group 101 interface inside
> > access-group 102 interface outside
> >
> > At the OSPF routers, put neighbour command, so they can speak
> > to each other directly without multicasting the hello packets.
> >
> > Hope you get the idea.
> >
> > ----- Original Message -----
> > From: "pat"
> > To:
> > Sent: Tuesday, October 30, 2001 1:01 PM
> > Subject: OSPF across PIX [7:24608]
> >
> >
> > > Does anybody have any ideas on how to run OSPF across
> > > firewall. What ports to be open & how to make router
> > > establish neighbour relations across firewall.
> > >
> > > Any thought on this will be greatly appreciated.
> > >
> > > Thanks,
> > > patterson.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24826&t=24608
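
One way to check the TTL explanation offered in the message from a packet capture, as an added example that is not part of the original thread: it decodes the IPv4 header of a captured routing packet and lists anything in the header that would stop it crossing a hop. The function names and sample packets are constructed for illustration, and the EIGRP TTL value is an assumption.

```python
import ipaddress
import struct

# IANA IP protocol numbers: EIGRP = 88, OSPF = 89 (89 is also named in the thread).
ROUTING_PROTOCOLS = {88: "EIGRP", 89: "OSPF"}
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # never forwarded off-link
IPV4_FIXED_HEADER = "!BBHHHBBH4s4s"  # 20 bytes, network byte order


def inspect_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed IPv4 header and note what stops the packet crossing a hop."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_FIXED_HEADER, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    dst_ip = ipaddress.ip_address(dst)
    blockers = []
    if ttl <= 1:
        blockers.append("ttl<=1: dropped by any hop that decrements TTL")
    if dst_ip in LINK_LOCAL_MCAST:
        blockers.append("link-local multicast: not forwarded off the segment")
    return {
        "protocol": ROUTING_PROTOCOLS.get(proto, str(proto)),
        "src": str(ipaddress.ip_address(src)),
        "dst": str(dst_ip),
        "ttl": ttl,
        "blockers": blockers,
    }


def build_header(src: str, dst: str, proto: int, ttl: int) -> bytes:
    """Build a constructed sample header (checksum left at 0; it is not verified here)."""
    return struct.pack(IPV4_FIXED_HEADER, 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


# Constructed samples using the inside addresses from the EIGRP example in the message.
SAMPLES = [
    build_header("10.1.1.2", "224.0.0.5", 89, 1),  # OSPF hello to AllSPFRouters
    build_header("10.1.1.2", "10.1.1.5", 89, 1),   # unicast OSPF to a configured neighbor
    build_header("10.1.1.2", "10.1.1.5", 88, 2),   # unicast EIGRP; TTL is an assumption
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(inspect_ipv4_header(pkt))
```

Feeding it the IP headers captured on both sides of the firewall shows whether the OSPF packets leave the router with a TTL that cannot survive a decrementing hop, which is the check the message says was not done.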