Actually, given the appropriate static and alias commands,
I have been able to get all routing protocols _except_ OSPF
to pass through the PIX (i.e. RIPv1 and v2, IGRP, EIGRP and
BGP). BGP is the only one that you can pass through the PIX
without needing static and alias commands, but the rest will
work.

In a nutshell, you make the outside interface of the PIX look
like the inside router to the outside router and the inside
interface of the PIX look like the outside router to the inside
router. It's a little hokey, and I would recommend the BGP
approach as the most preferred, but it will work (except for
OSPF). I should also note it requires the use of the 'neighbor'
command in the routing process of each router, as the PIX will
not pass bcasts or mcasts.

I haven't gotten around to really looking into why OSPF won't
work; I suspect something with the TTL field but haven't confirmed.

In any case, it's probably not something you need unless you have
multiple paths to the outside network.  Without multiple paths,
I don't see a need for anything besides static routes as described
by Jason. 

Regards,
Kent



--------------------------------------------------------
Just an FYI, BGP seems to be about the only protocol
you can pass through a PIX without some nasty GRE
tunnel.


--- Jason Ostrom <[EMAIL PROTECTED]> wrote:
> Burke,
> 
> What have you attempted so far in order to resolve it, and on which
> devices, the PIX or the upstream/downstream router?
> 
> The PIX doesn't support dynamic routing protocols such as OSPF, only
> static/default routes. To me this would seem good, so the PIX is
> dedicated to security (stateful inspection/packet filtering) and the
> router is then allowed to make the intelligent routing decisions.
> 
> In order to allow the OSPF updates to pass through the PIX, you need
> to configure the routers to redistribute [1] the static routes
> received from the PIX into OSPF. Concentrate on what is being
> received from the PIX on the routers, and less on the PIX
> configuration.
> 
> Without more information on the network topology and security
> requirements, it's difficult to say for sure what you need to do on
> the other routers. You could do a configuration like this [2] for
> two networks to connect between the PIX, but that is for a static
> route on the routers. If you go with OSPF, then you definitely need
> to redistribute. Because it only uses static routes, the suggested
> configuration also begs the question of why you need the PIX placed
> between possibly two different OSPF areas. Shouldn't the PIX be
> placed closer to the network you are protecting?
> 
> [1] Redistributing Routing Protocols,
> http://www.cisco.com/warp/public/105/redist.html
> [2] Configuring the PIX Firewall with Two Internal Networks,
> http://www.cisco.com/warp/public/110/19b.html
> 
> -jason
> 
> On Fri, 29 Mar 2002, Burke McCrory wrote:
> 
> > I am trying to put a PIX into a network that uses OSPF between its
> > routers. So far I haven't been able to find a way to allow the OSPF
> > updates to pass through the PIX. Does anyone have any ideas or
> > suggestions? Thanks.
> > 
> > Burke McCrory
> > Internet Administrator
> > Oklahoma Tax Commission
> > [EMAIL PROTECTED]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls