The only "routing" protocol that is :) daoh!

--- "Claussen, Ken" <[EMAIL PROTECTED]> wrote:
> According to Cisco Documentation:
>
> "PIX Firewall does not pass multicast packets. Many routing protocols
> use multicast packets to transmit their data. If you need to send
> routing protocols across the PIX Firewall, configure the routers with
> the Cisco IOS software neighbor command. We consider it inherently
> dangerous to send routing protocols across the PIX Firewall. If the
> routes on the unprotected interface are corrupted, the routes
> transmitted to the protected side of the firewall will pollute routers
> there as well.
>
> Table 1-2: Protocol Literal Values
>
>   Literal   Value   Description
>   ah        51      Authentication Header for IPv6, RFC 1826
>   eigrp     88      Enhanced Interior Gateway Routing Protocol
>   esp       50      Encapsulated Security Payload for IPv6, RFC 1827
>   gre       47      General Routing Encapsulation
>   icmp      1       Internet Control Message Protocol, RFC 792
>   igmp      2       Internet Group Management Protocol, RFC 1112
>   igrp      9       Interior Gateway Routing Protocol
>   ip        0       Internet Protocol
>   ipinip    4       IP-in-IP encapsulation
>   nos       94      Network Operating System (Novell's NetWare)
>   ospf      89      Open Shortest Path First routing protocol, RFC 1247
>   pcp       108     Payload Compression Protocol
>   snp       109     Sitara Networks Protocol
>   tcp       6       Transmission Control Protocol, RFC 793
>   udp       17      User Datagram Protocol, RFC 768"
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/intro.htm
>
> Even Cisco agrees it is inherently a dangerous proposition to pass
> dynamic routing protocols through a security device. However if it is
> between two internal interfaces, say DMZ1 and DMZ2, then the risk can be
> mitigated to a degree. Although there should be a very valid reason for
> configuring a device as such. Using the above protocol values a Conduit
> or ACL can be created to allow OSPF to pass, in conjunction with the
> neighbor statement. Perform the configuration at your own risk, you have
> been warned. As I said before I would highly recommend using separate
> areas and distribute lists to control route advertisement between the
> segments. HTH.
>
> Ken Claussen MCSE CCNA CCA
> "In Theory it should work as you describe, but the difference between
> theory and reality is the truth! For this we all strive"
>
> -----Original Message-----
> From: bob bobing [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 29, 2002 4:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX and OSPF updates
>
> Just a FYI, bgp seems to be about the only protocol you can pass
> through a pix without some nasty GRE tunnel.
>
> --- Jason Ostrom <[EMAIL PROTECTED]> wrote:
> > Burke,
> >
> > What have you attempted so far in order to resolve and on which
> > devices, the PIX or upstream/downstream router?
> >
> > The PIX doesn't support dynamic routing protocols such as OSPF, only
> > static/default routes. To me this would seem good so the PIX is
> > dedicated to security (stateful inspection/packet filtering) and then
> > allow the router to make the intelligent routing decisions.
> >
> > In order to allow the OSPF updates to pass through the PIX, you need
> > to configure the routers to redistribute[1] the static routes received
> > from the PIX into OSPF. Concentrate on what is being received from the
> > PIX on the routers, and less on the PIX configuration.
> >
> > Without more information on the network topology and security
> > requirements, it's difficult to say for sure what you need to do on the
> > other routers. You could do a configuration like this [2] for two
> > networks to connect between the PIX, but that is for a static route on
> > the routers. If you go with OSPF, then you definitely need to
> > redistribute.
> >
> > Because it only uses static routes, the suggested configuration also
> > begs the question of why you need the PIX placed between possibly two
> > different OSPF areas. Shouldn't the PIX be placed closer to the network
> > you are protecting?
> >
> > [1] Redistributing Routing Protocols,
> >     http://www.cisco.com/warp/public/105/redist.html
> > [2] Configuring the PIX Firewall with Two Internal Networks,
> >     http://www.cisco.com/warp/public/110/19b.html
> >
> > -jason
> >
> > On Fri, 29 Mar 2002, Burke McCrory wrote:
> >
> > > I am trying to put a PIX into a network that uses OSPF between its
> > > routers. So far I haven't been able to find a way to allow the OSPF
> > > updates to pass through the PIX. Does anyone have any ideas or
> > > suggestions? Thanks.
> > >
> > > Burke McCrory
> > > Internet Administrator
> > > Oklahoma Tax Commission
> > > [EMAIL PROTECTED]
> > >
> > > _______________________________________________
> > > Firewalls mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.gnac.net/mailman/listinfo/firewalls
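As an added example (mine, not code from the thread or from Cisco): a small Python model of the two checks Ken's quotation turns on, the PIX not forwarding multicast at all, and a conduit/ACL of the form "permit ospf host A host B" admitting only unicast OSPF between the named routers, which is the form the IOS neighbor command produces. The router addresses, area ID and packet bytes are constructed for the example.

```python
import struct
import ipaddress

OSPF_PROTO = 89                 # "ospf 89" in the PIX protocol-literal table above
ALL_SPF_ROUTERS = "224.0.0.5"   # multicast group OSPF hellos normally go to (RFC 2328)

def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) from an IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]

def parse_ospf_header(payload: bytes):
    """Version, packet type, router ID and area ID from the 24-byte OSPF header."""
    version, ptype, length, rid, aid = struct.unpack("!BBHII", payload[:12])
    return {"version": version, "type": ptype, "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)),
            "area_id": str(ipaddress.IPv4Address(aid))}

def pix_verdict(pkt: bytes, permitted_pairs):
    """Model the checks from the thread: multicast is never forwarded, and only a
    conduit/ACL entry 'permit ospf host A host B' lets unicast OSPF between that
    router pair through (unicast hellos are what the IOS 'neighbor' command sends)."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if ipaddress.IPv4Address(dst).is_multicast:
        return "drop: multicast destination %s is not forwarded" % dst
    if proto != OSPF_PROTO:
        return "drop: IP protocol %d has no conduit/ACL" % proto
    if (src, dst) not in permitted_pairs:
        return "drop: no conduit/ACL for %s -> %s" % (src, dst)
    hdr = parse_ospf_header(payload)
    return "permit: OSPF type %d from router-id %s, area %s" % (
        hdr["type"], hdr["router_id"], hdr["area_id"])

def build_ospf_hello(src, dst, router_id, area_id):
    """Constructed sample: IPv4 header (TTL 1) + OSPFv2 hello header, zero checksum/auth."""
    ospf = struct.pack("!BBHIIHHQ", 2, 1, 24, int(ipaddress.IPv4Address(router_id)),
                       int(ipaddress.IPv4Address(area_id)), 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ospf), 0, 0, 1, OSPF_PROTO, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + ospf

if __name__ == "__main__":
    # Constructed topology: R1 on DMZ1 (10.1.1.1), R2 on DMZ2 (10.1.2.1), PIX between them.
    acl = {("10.1.1.1", "10.1.2.1"), ("10.1.2.1", "10.1.1.1")}
    print(pix_verdict(build_ospf_hello("10.1.1.1", ALL_SPF_ROUTERS, "10.1.1.1", "0.0.0.1"), acl))
    print(pix_verdict(build_ospf_hello("10.1.1.1", "10.1.2.1", "10.1.1.1", "0.0.0.1"), acl))
```

The first packet is the default multicast hello and is dropped before any ACL is consulted; the second is the unicast form a neighbor statement produces and passes only because the pair is in the ACL.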
