Just a FYI, bgp seems to be about the only protocol
you can pass through a pix without some nasty GRE
tunnel.



--- Jason Ostrom <[EMAIL PROTECTED]> wrote:
> Burke,
> 
> What have you attempted so far in order to resolve
> and on which 
> devices, the PIX or upstream/downstream router?
> 
> The PIX doesn't support dynamic routing protocols
> such as OSPF, only static/default routes.  
> To me this would seem good so the PIX is dedicated
> to security (stateful inspection/packet 
> filtering) and then allow the router to make the
> intelligent routing 
> decisions.
> 
> In order to allow the OSPF updates to pass through
> the PIX, you need to 
> configure the routers to redistribute[1] the static
> routes received from 
> the PIX into OSPF.  Concentrate on what is being
> received from the PIX on the 
> routers, and less on the PIX configuration.  
> 
> Without more information on the network topology and
> security 
> requirements, it's difficult to say for sure what
> you need to do on the 
> other routers.  You could do a configuration like
> this [2] for two 
> networks to connect between the PIX, but that is for
> a static route on the 
> routers.  If you go with OSPF, then you definitely
> need to redistribute.  
> Because it only uses static routes, the  suggested
> configuration also begs 
> the question of why you need the PIX placed between
> possibly two different OSPF 
> areas.  Shouldn't the PIX be placed closer to the
> network you are protecting?  
> 
> 
> [1] Redistributing Routing 
>         Protocols,
> http://www.cisco.com/warp/public/105/redist.html
> [2] Configuring the PIX Firewall with Two Internal
> Networks, 
>        
> http://www.cisco.com/warp/public/110/19b.html
> 
> -jason
> 
> On Fri, 29 Mar 2002, Burke McCrory wrote:
> 
> > I am trying to put a PIX into a network that uses
> OSPF between its 
> > routers.  So far I haven't been able to find a way
> to allow the OSPF 
> > updates to pass through the PIX.  Does anyone have
> any ideas or 
> > suggestions?  Thanks.
> > 
> > 
> > Burke McCrory
> > Internet Administrator
> > Oklahoma Tax Commission
> > [EMAIL PROTECTED]
> > 
> > 
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> > 
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls


__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - send holiday greetings for Easter, Passover
http://greetings.yahoo.com/
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

Reply via email to