Does anybody have any ideas on how to run OSPF across
firewall. What ports to be open & how to make router
establish neighbour relations across firewall.
Any thought on this will be greatly appreciated.
Thanks,
patterson.
Pat,
Getting a PIX to pass OSPF would require one of two methods: Routing or
NAT. First, the PIX isn't a router, and if it were it still wouldn't work
since OSPF LSAs are sent to the non-routable 224.0.0.5/6 addresses (as
well as have a TTL of 1). NAT is not a viable alternative as NAT will no
You 'could' pass a BGP session with a route-map to set next-hop
correctly for both sides of the session. But you still have the issue
of what routes you are advertising across any NAT.
The challenge you have is extracting value from running some dynamic
routing over a statically configured dev
ject: OSPF across PIX [7:24608]
> Does anybody have any ideas on how to run OSPF across
> firewall. What ports to be open & how to make router
> establish neighbour relations across firewall.
>
> Any thought on this will be greatly apprici
ts.
>
> Hope you get the idea.
>
> - Original Message -
> From: "pat"
> To:
> Sent: Tuesday, October 30, 2001 1:01 PM
> Subject: OSPF across PIX [7:24608]
>
>
> > Does anybody have any ideas on how to run OSPF across
> > firewall. What por
First thought is that this will not work. Imagine this and tell me what you
think.
In PIX, your ACLs are based on tcp/udp/icmp; these all are protocols,
like ospf is its own protocol... since ospf (protocol 89) is separate,
opening up a port dealing with tcp/udp/icmp would be completely use
hey can speak
each other directly without multicasting the hello packets.
Hope you get the idea.
- Original Message -
From: "pat"
To:
Sent: Tuesday, October 30, 2001 1:01 PM
Subject: OSPF across PIX [7:24608]
> Does anybody have any ideas on how to run OSPF across
> fir
: OSPF across PIX [7:24608]
ahhh.. I may have to investigate this... This is interesting. I didn't
realize pix had this ability!
-Patrick
>>> "Engelhard M. Labiro" 10/30/01 12:26AM >>>
Pat,
Since OSPF uses IP protocol 89, permit this protocol between
the
e
> > access-group 102 interface outside
> >
> > At the OSPF routers, put neighbour command, so they can speak
> > each other directly without multicasting the hello packets.
> >
> > Hope you get the idea.
> >
> > - Original Message
interfaces, something like this:
> > > access-list 101 permit 89 host 1.1.1.1 host 2.2.2.2
> > > access-list 102 permit 89 host 2.2.2.2 host 1.1.1.1
> > > access-group 101 interface inside
> > > access-group 102 interface outside
> >
n't be done but I'm always open
to finding ways to do the impossible ;)
- Original Message -
From: "Gareth Hinton"
To:
Sent: Tuesday, October 30, 2001 6:35 PM
Subject: Re: OSPF across PIX [7:24608]
> Can you set up a network address translation both ways so that the r
Behalf Of
Allen May
Sent: Tuesday, October 30, 2001 7:15 PM
To: [EMAIL PROTECTED]
Subject: Re: OSPF across PIX [7:24608]
OK maybe...but wouldn't that be translating an IP address of the neighboring
router to something it really isn't & botch up the OSPF table on the remote
route
ble explanation.
If you're game, try the above config and see if OSPF will work.
HTH,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
pat
Sent: Tuesday, October 30, 2001 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: OSPF across PIX [7:24608]
Thanks fo
tatic translation on either end.
Chuck
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Allen May
Sent: Tuesday, October 30, 2001 5:15 PM
To: [EMAIL PROTECTED]
Subject: Re: OSPF across PIX [7:24608]
OK maybe...but wouldn't that be translating an IP a
The best way to tackle this, without a doubt, is roll a GRE tunnel. There's
tons of documentation on this.
-B
Robert LaGrasse
CCIE #5044 (R/S & ISP/Dial)
[EMAIL PROTECTED]
"Patrick Ramsey" wrote in message news:[EMAIL PROTECTED]...
> First thought is that this will not work