According to Cisco Documentation:
  "PIX Firewall does not pass multicast packets. Many routing protocols
use multicast packets to transmit their data. If you need to send
routing protocols across the PIX Firewall, configure the routers with
the Cisco IOS software neighbor command. We consider it inherently
dangerous to send routing protocols across the PIX Firewall. If the
routes on the unprotected interface are corrupted, the routes
transmitted to the protected side of the firewall will pollute routers
there as well.  

Table 1-2: Protocol Literal Values

  Literal  Value  Description
  ah        51    Authentication Header for IPv6, RFC 1826
  eigrp     88    Enhanced Interior Gateway Routing Protocol
  esp       50    Encapsulated Security Payload for IPv6, RFC 1827
  gre       47    General Routing Encapsulation
  icmp       1    Internet Control Message Protocol, RFC 792
  igmp       2    Internet Group Management Protocol, RFC 1112
  igrp       9    Interior Gateway Routing Protocol
  ip         0    Internet Protocol
  ipinip     4    IP-in-IP encapsulation
  nos       94    Network Operating System (Novell's NetWare)
  ospf      89    Open Shortest Path First routing protocol, RFC 1247
  pcp      108    Payload Compression Protocol
  snp      109    Sitara Networks Protocol
  tcp        6    Transmission Control Protocol, RFC 793
  udp       17    User Datagram Protocol, RFC 768"
 
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/intro.htm

Even Cisco agrees it is inherently a dangerous proposition to pass
dynamic routing protocols through a security device. However, if it is
between two internal interfaces, say DMZ1 and DMZ2, then the risk can be
mitigated to a degree, although there should be a very valid reason for
configuring a device as such. Using the above protocol values a Conduit
or ACL can be created to allow OSPF to pass, in conjunction with the
neighbor statement. Perform the configuration at your own risk; you have
been warned. As I said before, I would highly recommend using separate
areas and distribute lists to control route advertisement between the
segments. HTH.

Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between
theory and reality is the truth! For this we all strive"
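Written out, the arrangement Ken describes looks like the following. This is an added example for this archived thread, not Ken's own configuration and not taken from the Cisco documentation, and every name and address in it is made up: PIX 6.1 interfaces dmz1 (192.168.1.1/24, security 50) and dmz2 (192.168.2.1/24, security 40); router R1 at 192.168.1.2 with 10.10.0.0/16 behind it in area 10; router R2 at 192.168.2.2 with 10.20.0.0/16 behind it in area 20. The two PIX-facing router interfaces are put in area 0, because OSPF routers only form an adjacency when their hellos carry the same area ID. The IOS neighbor command is only accepted on non-broadcast network types, and that is what makes OSPF unicast its hellos to the listed address instead of multicasting them to 224.0.0.5 (which the PIX drops).

```text
! ---- PIX 6.1 (hypothetical names and addresses) ----
nameif ethernet1 dmz1 security50
nameif ethernet2 dmz2 security40
ip address dmz1 192.168.1.1 255.255.255.0
ip address dmz2 192.168.2.1 255.255.255.0
! Identity static: dmz1 addresses appear unchanged on dmz2, which is what
! the lower-security interface needs before an ACL can let it reach R1
static (dmz1,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Protocol literal "ospf" = IP protocol 89 (Table 1-2 above). Permit it only
! between the two router addresses, on both interfaces; anything else that
! arrives on either interface hits the implicit deny.
access-list dmz2_in permit ospf host 192.168.2.2 host 192.168.1.2
access-group dmz2_in in interface dmz2
access-list dmz1_in permit ospf host 192.168.1.2 host 192.168.2.2
access-group dmz1_in in interface dmz1
! The PIX is not an OSPF speaker; it still needs its own static routes
route dmz1 10.10.0.0 255.255.0.0 192.168.1.2 1
route dmz2 10.20.0.0 255.255.0.0 192.168.2.2 1

! ---- R1 (IOS). R2 is the mirror image with 192.168.2.x / 10.20.0.0/16 ----
! Only the prefixes R1 is supposed to learn; everything else stays out of
! its routing table even if it shows up in an LSA from the dmz2 side
ip prefix-list EXPECTED seq 5 permit 10.20.0.0/16 le 24
ip prefix-list EXPECTED seq 10 permit 10.10.0.0/16 le 24
ip prefix-list EXPECTED seq 15 permit 192.168.2.0/24
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ! "neighbor" under router ospf is only valid on non-broadcast network
 ! types; hellos then go unicast to the configured neighbor
 ip ospf network non-broadcast
 ! MD5 on the only link that crosses the firewall, so a host on DMZ2
 ! cannot inject LSAs just by forging a unicast hello to 192.168.1.2
 ip ospf message-digest-key 1 md5 Repl4ceMe
!
router ospf 1
 area 0 authentication message-digest
 network 192.168.1.0 0.0.0.255 area 0
 network 10.10.0.0 0.0.255.255 area 10
 neighbor 192.168.2.2
 ! Ken's mitigation. Note this filters what R1 installs, not what it
 ! floods: LSAs from the other side still propagate through R1.
 distribute-list prefix EXPECTED in
```

Check the result with show ip ospf neighbor on both routers before trusting it. The ACL is not the only thing that can stop the adjacency: RFC 2328 section 8.2 has a router on a non-point-to-point network discard hellos whose source address is not in the receiving interface's subnet, and here 192.168.1.2 and 192.168.2.2 are in different subnets. If the neighbors never leave INIT in the lab, the thread's other two options are a GRE tunnel between the routers (permit the gre literal, protocol 47, instead of ospf, and run OSPF inside the tunnel) or static routes on the PIX redistributed on the routers.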



-----Original Message-----
From: bob bobing [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 29, 2002 4:26 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX and OSPF updates


Just a FYI, bgp seems to be about the only protocol
you can pass through a pix without some nasty GRE
tunnel.



--- Jason Ostrom <[EMAIL PROTECTED]> wrote:
> Burke,
> 
> What have you attempted so far in order to resolve
> and on which
> devices, the PIX or upstream/downstream router?
> 
> The PIX doesn't support dynamic routing protocols
> such as OSPF, only static/default routes.
> To me this would seem good so the PIX is dedicated
> to security (stateful inspection/packet 
> filtering) and then allow the router to make the
> intelligent routing 
> decisions.
> 
> In order to allow the OSPF updates to pass through
> the PIX, you need to
> configure the routers to redistribute[1] the static
> routes received from 
> the PIX into OSPF.  Concentrate on what is being
> received from the PIX on the 
> routers, and less on the PIX configuration.  
> 
> Without more information on the network topology and
> security
> requirements, it's difficult to say for sure what
> you need to do on the 
> other routers.  You could do a configuration like
> this [2] for two 
> networks to connect between the PIX, but that is for
> a static route on the 
> routers.  If you go with OSPF, then you definitely
> need to redistribute.  
> Because it only uses static routes, the  suggested
> configuration also begs 
> the question of why you need the PIX placed between
> possibly two different OSPF 
> areas.  Shouldn't the PIX be placed closer to the
> network you are protecting?  
> 
> 
> [1] Redistributing Routing 
>         Protocols, http://www.cisco.com/warp/public/105/redist.html
> [2] Configuring the PIX Firewall with Two Internal
> Networks, 
>        
> http://www.cisco.com/warp/public/110/19b.html
> 
> -jason
> 
> On Fri, 29 Mar 2002, Burke McCrory wrote:
> 
> > I am trying to put a PIX into a network that uses
> OSPF between its
> > routers.  So far I haven't been able to find a way
> to allow the OSPF
> > updates to pass through the PIX.  Does anyone have
> any ideas or
> > suggestions?  Thanks.
> > 
> > 
> > Burke McCrory
> > Internet Administrator
> > Oklahoma Tax Commission
> > [EMAIL PROTECTED]
> > 
> > 
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED] 
> > http://lists.gnac.net/mailman/listinfo/firewalls
> > 
> 


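Jason's alternative, in which nothing dynamic crosses the PIX at all: the PIX carries static routes, and each router has one static route pointing at the PIX that it redistributes into its own OSPF area. This is an added example for this thread, not Jason's configuration and not from the linked Cisco documents, and the addresses are made up: PIX interface dmz1 at 192.168.1.1/24 facing R1 (192.168.1.2, area 10, 10.10.0.0/16 behind it) and dmz2 at 192.168.2.1/24 facing R2 (192.168.2.2, area 20, 10.20.0.0/16 behind it). The PIX and R1 are shown; R2 is the mirror image.

```text
! ---- PIX 6.1: static routes only (hypothetical addresses) ----
! No routing protocol crosses the PIX; it only needs to know which router
! owns which block
route dmz1 10.10.0.0 255.255.0.0 192.168.1.2 1
route dmz2 10.20.0.0 255.255.0.0 192.168.2.2 1
! Still required for any user traffic between the two DMZs: an identity
! static for the dmz1-side block plus an ACL that permits only the
! services actually needed (here, HTTPS from 10.20/16 to 10.10/16)
static (dmz1,dmz2) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
access-list dmz2_in permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-group dmz2_in in interface dmz2

! ---- R1 (IOS): point the far block at the PIX and redistribute only that ----
ip route 10.20.0.0 255.255.0.0 192.168.1.1
!
! Limit redistribution to the one prefix reachable through the PIX, with a
! fixed metric, so nothing else in R1's static table ever leaks into OSPF
ip prefix-list VIA-PIX seq 5 permit 10.20.0.0/16
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list VIA-PIX
 set metric 100
 set metric-type type-1
!
router ospf 1
 network 10.10.0.0 0.0.255.255 area 10
 redistribute static subnets route-map STATIC-TO-OSPF
! R2: ip route 10.10.0.0 255.255.0.0 192.168.2.1, prefix-list permitting
! 10.10.0.0/16, same route-map and redistribute line under its own process
```

The route-map is the important line: without it, redistribute static pulls every static on the router into OSPF, including ones added later for unrelated reasons. The trade-off against passing OSPF through the PIX is that a dead PIX is not noticed by OSPF; the static route stays up as long as the router's own interface does.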
