Pat,

What you're asking for is similar to a previous thread about a month ago regarding passing EIGRP updates through a PIX. EIGRP is similar to OSPF in regards to the formation of neighbor relationships. For EIGRP you would do this: (taken from my previous post)

-Tell outside router (172.16.1.3) its neighbor is 172.16.1.50
-Tell inside router (10.1.1.2) its neighbor is 10.1.1.5
-On PIX:
    static (inside,outside) 172.16.1.50 10.1.1.2 netmask 255.255.255.255
    alias (inside) 10.1.1.5 172.16.1.3

It's a little "hokey", but it does work. (yes, I tested this in my lab) Obviously, you would substitute your own IPs for those above, but you should get the idea.

HOWEVER, I don't think this will work for OSPF. I tried it when I was playing around with the EIGRP config and it did not work. This may be due to certain properties of the OSPF packets' IP layer info. Specifically, I've been told that the ttl is set to 1, so trying to pass updates through firewalls won't work. I didn't get a chance to sniff the packets to see exactly why the OSPF wasn't working and EIGRP updates were, but the ttl field issue sounds like a reasonable explanation.

If you're game, try the above config and see if OSPF will work.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of pat
Sent: Tuesday, October 30, 2001 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: OSPF across PIX [7:24608]

Thanks for your reply.

When I try to specify outside router as neighbor using neighbor command I get "OSPF: Neighbor address does not map to an interface". How do I resolve this issue?

What do you mean by "If you are doing NAT then a global and nat combination need to represent the internal IP addresses to the outside network"...? Can you give an example?

I am doing NAT on firewall. The IP addresses are as follows:

Inside router Ethernet 10.10.2.1
Firewall inside 10.10.2.1
Firewall outside 138.12.48.2
Outside Router ethernet 138.12.48.1

Thanks a lot for everybody's response.

--- "Engelhard M. Labiro" wrote:
> Sorry, replying to my own message.
> The access-list below assumes that you are able to use nat 0 command
> (no NAT translation will occur for the internal IP addresses to be
> seen from outside network).
> If you are doing NAT then a global and nat combination need to
> represent the internal IP addresses to the outside network, before
> applying the access-list below.
>
> Hope you get the idea.
>
> > Since OSPF uses IP protocol 89, permit this protocol between
> > the two OSPF routers with access-list applied at outside and inside
> > PIX interfaces, something like this:
> >     access-list 101 permit 89 host 1.1.1.1 host 2.2.2.2
> >     access-list 102 permit 89 host 2.2.2.2 host 1.1.1.1
> >     access-group 101 in interface inside
> >     access-group 102 in interface outside
> >
> > At the OSPF routers, put neighbour command, so they can speak
> > to each other directly without multicasting the hello packets.
> >
> > Hope you get the idea.
> >
> > ----- Original Message -----
> > From: "pat"
> > To:
> > Sent: Tuesday, October 30, 2001 1:01 PM
> > Subject: OSPF across PIX [7:24608]
> >
> > > Does anybody have any ideas on how to run OSPF across
> > > firewall. What ports to be open & how to make router
> > > establish neighbour relations across firewall.
> > >
> > > Any thought on this will be greatly appreciated.
> > >
> > > Thanks,
> > > patterson.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24886&t=24608
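
The thread leaves the TTL explanation unverified because the packets were never captured. The following is an added example, not part of the original thread: a Python check that reads the IPv4 header of a captured routing packet and reports its protocol number, TTL and checksum validity. The function names, the sample headers and their TTL values are constructed for illustration, and the `survives_ttl_decrement` field assumes a device in the path that decrements TTL.

```python
import struct

# IANA IP protocol numbers: 88 = EIGRP, 89 = OSPF (the protocol the thread's ACLs permit).
ROUTING_PROTOCOLS = {88: "EIGRP", 89: "OSPF"}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, proto: int, ttl: int) -> bytes:
    """Build a 20-byte IPv4 header; used only to construct sample input."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20, 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]

def inspect(header: bytes) -> dict:
    """Report the fields that decide whether a routing packet crosses a hop."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad header length")
    ttl, proto = header[8], header[9]
    return {
        "protocol": ROUTING_PROTOCOLS.get(proto, f"ip-proto-{proto}"),
        "src": ".".join(map(str, header[12:16])),
        "dst": ".".join(map(str, header[16:20])),
        "ttl": ttl,
        # A valid header sums (with its checksum field) to all ones.
        "checksum_ok": ipv4_checksum(header[:ihl]) == 0,
        # Assumption: the device in the path decrements TTL and drops at zero.
        "survives_ttl_decrement": ttl > 1,
    }

if __name__ == "__main__":
    # Constructed samples; TTL values are chosen for illustration, not captured.
    for pkt in (build_header("1.1.1.1", "2.2.2.2", 89, 1),
                build_header("1.1.1.1", "2.2.2.2", 89, 64)):
        print(inspect(pkt))
```

Feeding it the first 20 bytes of the IP header from a capture taken on each side of the firewall shows whether the packets arrive at all and with what TTL.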