Re: PIX and OSPF updates

Fri, 29 Mar 2002 12:59:33 -0800 

Burke,

What have you attempted so far in order to resolve and on which 
devices, the PIX or upstream/downstream router?

The PIX doesn't support dynamic routing protocols such as OSPF, only static/default 
routes.  
To me this would seem good so the PIX is dedicated to security (stateful 
inspection/packet 
filtering) and then allow the router to make the intelligent routing 
decisions.

In order to allow the OSPF updates to pass through the PIX, you need to 
configure the routers to redistribute[1] the static routes received from 
the PIX into OSPF.  Concentrate on what is being received from the PIX on the 
routers, and less on the PIX configuration.  

Without more information on the network topology and security 
requirements, it's difficult to say for sure what you need to do on the 
other routers.  You could do a configuration like this [2] for two 
networks to connect between the PIX, but that is for a static route on the 
routers.  If you go with OSPF, then you definitely need to redistribute.  
Because it only uses static routes, the  suggested configuration also begs 
the question of why you need the PIX placed between possibly two different OSPF 
areas.  Shouldn't the PIX be placed closer to the network you are protecting?  


[1] Redistributing Routing 
        Protocols, http://www.cisco.com/warp/public/105/redist.html
[2] Configuring the PIX Firewall with Two Internal Networks, 
        http://www.cisco.com/warp/public/110/19b.html

-jason

On Fri, 29 Mar 2002, Burke McCrory wrote:

> I am trying to put a PIX into a network that uses OSPF between its 
> routers.  So far I haven't been able to find a way to allow the OSPF 
> updates to pass through the PIX.  Does anyone have any ideas or 
> suggestions?  Thanks.
> 
> 
> Burke McCrory
> Internet Administrator
> Oklahoma Tax Commission
> [EMAIL PROTECTED]
> 
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

Reply via email to