OSPF on PIX with 6.2 code
OK, 6.3 code is out of the question for this example; I'm looking for solutions for 6.2 code only. Thanks in advance!
Here is the configuration:
(r1 ---> area 1 in) | PIX | area 1 ---> (out) r2 s0/0 ---> area 0
R1 is AS 1; r2 is AS 2 with area 0 on its out interface s0/0. R1 also has area 2 on its out interface s0/0. I'm looking for examples of how to run OSPF from r1 to r2, r1 being in area 2 and r2 being in area 0, without using a GRE tunnel. I was able to redistribute OSPF via BGP, but is this the best/only solution...? Any suggestion would be great.
Jeff,
In my solution I implemented BGP as the single routing protocol through the firewall. Initially I tried to open the PIX up to allow the traffic through, thinking I could use OSPF neighbors so the routers could see each other. That failed because the feature also uses multicast traffic, which the PIX drops.
So ultimately I redistributed OSPF into BGP, carried the routing information through the firewall, and redistributed it back into OSPF.
I didn't try a virtual link, but as OSPF relies heavily on multicast traffic I don't know that such a link wouldn't also fail.
Virtual links are often described as 'tunnels', but that is only meant to help understand the concept; they operate only within contiguous OSPF networks.
6.3 sounding attractive yet?
Similar Questions
-
Passive routes with OSPF on the PIX
Hello
Having just upgraded my PIX to software v8, I am finally hoping to participate in OSPF on the network.
The PIX has many DMZs that I want to advertise into OSPF to remove a *lot* of fragile static routes, but of course I would *not* want to advertise or receive OSPF on those DMZs. I thought I could make those interfaces passive, or better still:
router ospf 1
passive-interface default
and then exempt only the internal interface.
However, unlike IOS, there seems to be no notion of passive in the PIX's OSPF implementation, a place where I thought it would be very useful...
How do I distribute these DMZs into OSPF without advertising OSPF into them?
I had planned to use:
redistribute connected subnets
However, that redistributes things like the public Internet interface, which I don't want. Also, even if there is a way to stop it from including the public interface, it seems more prone to user error than passive by default with one exception.
Any ideas? If not, can I restrict the interfaces included in redistributed connected subnets?
Thanks for any ideas!
Hi Peter,
Thank you, yes... I was suggesting removing the DMZ network commands under the OSPF process. As you said, it wouldn't really do what you want with the removal of the statics, since it disables OSPF for that network.
Starting up EIGRP would seem to be a lot of extra work just to eliminate the statics if that's all it will be used for, but it would allow you to make the interface passive, which would stop sending/receiving EIGRP on that specific interface.
I just re-read your first message and I think I understand now what you're after, which goes back to your first question on redistribution... you can redistribute static routes and use a route-map to control which routes you want to redistribute. You can then remove the networks for the DMZs under the router ospf process.
example:
access-list ospfredist standard permit 10.10.10.0 255.255.255.0
access-list ospfredist standard permit 192.168.10.0 255.255.255.0
route-map static-ospf
 match ip address ospfredist
router ospf 10
 redistribute static subnets route-map static-ospf
This should redistribute only the statics that you listed above.
Hope this helps a bit.
-scott
-
Has anyone used a PIX 525 with OSPF routing? How does it work, meaning is it reliable? Any problems?
SP
Thank you
This feature is now reliable enough. We hit bugs initially, but they have been constantly improved.
Thank you
Nadeem
-
PIX OSPF question load balancing
I have a PIX 515e with two default routes, learned via OSPF from two routers on the "outside" interface.
Route #2 is currently being preferred, passing much more traffic than router #1. There are thousands of destinations for the traffic. Both routers NAT the RFC1918 IPs to Internet IPs (the PIX doesn't NAT).
Can someone please let me know how the PIX is load balancing? Is it by destination IP address? Is it something else?
Thank you
Joe
TAC:
"The PIX will do per-destination load balancing instead of per-packet
load balancing. The algorithm looks at the source and destination
addresses. It is not 1:1 load balancing. Given quite different
source and destination addresses, the packets will reach more or less a
50-50 split between the two next hops. However, in a real-world test
with the same source and destination addresses, it may not achieve the same
load balancing."
-
PIX / ASA - OSPF load balancing
Hello
I read that the PIX will load balance equal-cost routes learned via OSPF. Will it send packets per-packet, or is there another method for distributing the traffic to the equal-cost next hops?
Thank you!!
Lee
Hello Lawrence,
PIX 6.3 now supports load balancing using OSPF only (up to 3 default routes).
The PIX can receive up to 3 default gateways (all with the same metric) from 3 different incoming routes, and
balances the load on a per-destination basis. Currently there is no way for the PIX to
determine which gateway a packet will be sent to. You cannot currently use static routes
for load balancing.
The hash algorithm used is not simple; it is very difficult to determine which
route (next hop) a packet will be given for an IP source and destination pair. Basically,
the PIX takes the source and destination IPs (two 32-bit numbers) and hashes them into one
unique 16-bit number. Then the 16-bit number (0x0000 - 0xFFFF) is divided into thirds.
The first 1/3 goes to gateway 1, the next 1/3 goes to gateway 2, and the last 1/3 goes to
gateway 3.
I hope this helps! If yes, please rate.
Thank you
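To make the hashing scheme in the answer above concrete, here is an added Python example (not from the original thread and not Cisco's code): it reduces the source/destination pair to a 16-bit value, splits 0x0000-0xFFFF into equal ranges (thirds for three gateways), and shows the two properties the TAC answers in this thread describe: many distinct pairs spread roughly evenly, while one repeated source/destination pair always lands on the same next hop. The real PIX hash is unpublished, so a truncated SHA-256 is assumed as a stand-in, and the addresses are constructed.

```python
import hashlib
import ipaddress

HASH_SPACE = 1 << 16  # the PIX reduces the pair to a 16-bit value, per the answer above


def flow_hash16(src, dst):
    """Reduce a source/destination IPv4 pair to one 16-bit number.

    ASSUMPTION: Cisco has not published the real PIX hash, so SHA-256 truncated
    to 16 bits stands in for it here. Only the bucketing below follows the
    answer; the hash itself is a placeholder.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(key).digest()[:2], "big")


def select_gateway(src, dst, n_gateways=3):
    """Split 0x0000-0xFFFF into n_gateways equal ranges (thirds for three
    gateways) and return the 0-based index of the range the flow lands in."""
    return flow_hash16(src, dst) * n_gateways // HASH_SPACE


def distribution(pairs, n_gateways=3):
    """Count how many (src, dst) pairs land on each gateway."""
    counts = [0] * n_gateways
    for src, dst in pairs:
        counts[select_gateway(src, dst, n_gateways)] += 1
    return counts


def sample_pairs(n, src="192.168.1.10", first_dst="10.0.0.0"):
    """Constructed traffic: one inside host talking to n consecutive destinations."""
    base = ipaddress.ip_address(first_dst)
    return [(src, str(base + i)) for i in range(n)]


if __name__ == "__main__":
    # Many destinations: roughly a third each.
    print("many destinations:", distribution(sample_pairs(3000)))
    # One flow repeated: everything on a single gateway, never balanced.
    print("one flow repeated:", distribution([("192.168.1.10", "10.0.0.1")] * 100))
```

Run it stand-alone and compare the two lines it prints: the second is the point of the "same source and destination addresses" caveat above. A single heavy flow (one client to one server) is pinned to one next hop by design, so per-destination balancing can look badly skewed when a few flows carry most of the traffic.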
-
How the PIX handles rare IP protocol packets
Does anyone know of a document explaining how the PIX handles, state-wise, rare IP protocol packets such as ESP, AH, OSPF, GRE, etc.? I'm concerned about traffic flowing through the PIX that is not intended.
I understand how TCP, UDP and ICMP packets are handled, but I can't find anything on all the others.
Thank you.
In general, the PIX does not inspect any protocol passing through it except for TCP and UDP. The exception is a protocol that is handled by a "fixup", like PPTP, which has a fixup to allow the resulting GRE (protocol 47) traffic.
If you want a protocol other than UDP/TCP to be allowed THROUGH, you must create an ACL entry for it.
The other exception is traffic to the PIX itself as a host. ACLs have absolutely no effect on traffic to the PIX as the host. For example, OSPF packets destined to the PIX when it is running OSPF, or ESP packets to the PIX for a VPN tunnel it terminates, or ICMP traffic to the PIX itself (controlled using the [icmp] command). ACLs apply to transit traffic only.
-
Hello!
Is it possible to configure policy-based routing on a PIX?
concerning
Hello
Not at the moment, in any case. With the arrival of the OSPF protocol on the PIX, a lot of the command syntax is now in place for this support, but we still need the code to work with it. It is something we have noted, however. So if you are interested in this, I encourage you to talk with your local Cisco account team about having this feature added to upcoming PIX code. Sorry I can't be more helpful.
Scott
-
IOS routing protocols in PIX 6.3(3)
Does 6.3(3) also support RIP apart from OSPF? Otherwise, how is it that one of the caveats is that RIPv2 multicast updates are sent through an interface that does not have any RIP? Has anyone dealt with this topic?
Hello
PIX 6.3 code supports both RIP (v1 and v2) and OSPF. The drawback is that you cannot configure RIP and OSPF on the same PIX. You must choose the one you want to use. I hope this helps.
Scott
-
Hello
My problem is with RIP on a PIX: we are unable to advertise the inside networks to the outside, but it is possible with OSPF.
Which protocol is properly implemented in the PIX OS? If both, which upcoming version supports RIP working like OSPF?
I thank in advance
Concerning
Olivier
Olivier,
As you saw, RIP and OSPF on the PIX are implemented very differently. RIP is limited to passive listening on an interface or to sending a default route (0.0.0.0) onto the RIP network. So, to answer your question, RIP is not designed to work like OSPF by advertising the networks on each side of the PIX. They are both properly implemented (by design) and I highly doubt that the RIP implementation will ever change to work like OSPF. I hope this helps.
Scott
-
Allowing ICMP and Telnet through a PIX 525
We are trying to build a new distribution block into our WAN backbone. We are experiencing a problem establishing ICMP and Telnet through the PIX. The following is known:
1. Ping and telnet from the PIX to the 6509 and the internal network work very well.
2. Ping from the PIX to the 7206 works just fine.
3. debug shows normal ICMP connection-tracking activity for pings from the 6509 and the internal network to the PIX; however, the debug shows nothing, no activity at all, during attempts to ping a.b.5.18 (see below).
In short, all connections seem fine between the three devices; however, we cannot get ICMP and Telnet to work correctly through the PIX.
The layout is:
6509 (MSFC) --- PIX 525 --- 7206
a.b.5.1 (255.255.255.0) --- a.b.5.2 / a.b.5.17 (both 255.255.255.240) --- a.b.5.18 (255.255.255.240)
networks: a.b.5.0 255.255.255.240 (inside) and a.b.5.16 255.255.255.240 (outside)
6509:
interface VlanX
description newwan-bb
ip address a.b.5.1 255.255.255.0
no ip redirects
router ospf
log-adjacency-changes
redistribute static subnets metric 50 metric-type 1
passive-interface default
no passive-interface Vlan9
((other networks omitted))
network a.b.5.0 0.0.0.255 area 0
default-information originate
PIX 525:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
hostname XXXXXX
domain-name XXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 103 permit ip any any
access-list 103 permit icmp any any
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any source-quench
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging buffered notifications
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip address outside a.b.5.17 255.255.255.240
ip address inside a.b.5.2 255.255.255.240
ip address failover 192.168.230.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.5.18 1
route inside a.0.0.0 255.0.0.0 a.b.5.1 1
route inside a.b.0.0 255.240.0.0 a.b.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet a.0.0.0 255.0.0.0 outside
telnet a.0.0.0 255.0.0.0 inside
telnet a.b.0.0 255.240.0.0 inside
telnet a.b.5.18 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Any help on proper routing through a PIX 525 is appreciated, given that all of this is for an internal network.
On the 6509, why does the interface have a /24 subnet mask when everything else has a /28? If you try to ping .18 from the 6500, it thinks .18 is on the local network, so it has no need to route through the PIX.
Your access lists are confusing.
access-list # permit ip any any should let everything through, so everything that follows it is a redundant statement.
For testing,
access-list alloweverything permit ip any any
access-group alloweverything in interface outside
should make the PIX act as a router: you are effectively disabling all firewall features.
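The two problems pointed out in this reply (a /24 on the 6509 that makes a.b.5.18 look directly connected, and ACL entries that can never match because an earlier "permit ip any any" already covers them) can both be checked mechanically. The following is an added Python example, not from the thread or from any Cisco tool: it parses PIX-style ACEs with a small hand-written parser, reports shadowed entries, and tests whether a host with a given address/mask would treat a target as on-link. The 10.20.5.x addresses are constructed stand-ins for the anonymised a.b.5.x ones, and the sample ACL is a copy of the posted access-list 102.

```python
import ipaddress

# Constructed copy of the posted access-list 102 (PIX 6.x syntax: real subnet
# masks, not the wildcard masks IOS uses).
SAMPLE_ACL = """\
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
"""


def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [qualifiers...]' into a dict, or None."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "access-list":
        return None
    try:
        src, rest = _parse_addr(parts[4:])
        dst, rest = _parse_addr(rest)
    except (IndexError, ValueError):
        return None  # truncated or malformed address spec
    return {"name": parts[1], "action": parts[2], "proto": parts[3],
            "src": src, "dst": dst, "qual": tuple(rest), "line": line}


def covers(earlier, later):
    """True when every packet the later ACE would match is already matched by the earlier one."""
    if earlier["name"] != later["name"]:
        return False
    if earlier["proto"] != "ip" and earlier["proto"] != later["proto"]:
        return False
    if earlier["qual"] and earlier["qual"] != later["qual"]:
        return False  # e.g. 'icmp any any echo' does not cover plain 'icmp any any'
    return later["src"].subnet_of(earlier["src"]) and later["dst"].subnet_of(earlier["dst"])


def shadowed_entries(acl_text):
    """Return (shadowed_line, earlier_line) pairs for ACEs that can never be hit.
    First match wins on the PIX, so a covered later entry is dead configuration."""
    aces = [a for a in (parse_ace(l) for l in acl_text.splitlines()) if a]
    result = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, later):
                result.append((later["line"], earlier["line"]))
                break
    return result


def treats_as_onlink(iface_ip, iface_mask, target):
    """Would a box with this interface address/mask ARP for target directly
    instead of routing to it? (The 6509's /24 against the PIX's /28.)"""
    net = ipaddress.ip_network(f"{iface_ip}/{iface_mask}", strict=False)
    return ipaddress.ip_address(target) in net


if __name__ == "__main__":
    for dead, by in shadowed_entries(SAMPLE_ACL):
        print(f"never matches: {dead!r}  (covered by {by!r})")
    print("6509 /24 sees .18 on-link:", treats_as_onlink("10.20.5.1", "255.255.255.0", "10.20.5.18"))
    print("6509 /28 sees .18 on-link:", treats_as_onlink("10.20.5.1", "255.255.255.240", "10.20.5.18"))
```

Run stand-alone, the script lists the six ICMP lines as unreachable behind the first "permit ip any any", and shows that the /24 puts a.b.5.18 inside the 6509's connected network while a /28 does not. The parser only understands the address forms that appear in this thread; object-groups and port qualifiers would need extending.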
-
PIX OS v6.3: Load Balancing Configuration
Using the new OSPF load balancing feature, is it possible to create a parallel set of PIXes to simulate a "dynamic load balancing environment"? Please explain why or why not.
If the answer is no, then is it possible to create a "static" load balancing environment? How would this work? Advantages and disadvantages?
Kind regards.
Right... You need something in front of and behind the PIXes to ensure that a session is maintained through the same PIX. This can also be done with NAT.
-
PIX IPSec tunnel - IOS, routing Options
Hello
I have an IPSec Tunnel between a PIX firewall and a router Cisco 1721.
Do I have any options regarding which routing protocol I can use?
Are there plans to add GRE support to the PIX so that EIGRP or OSPF can be used?
------Naman
Here's a URL that tells how to configure GRE over IPSEC with OSPF. http://www.Cisco.com/warp/public/707/gre_ipsec_ospf.html
-
Source-based routing in PIX
Hello
I am trying to find a way to do source-based routing on the PIX, to get the same functionality as the 'route-map' command on Cisco routers; is there an equivalent command for PIX version 7.x? I remember it was not available in previous versions and I couldn't find it in version 7.x either, but I wanted to double-check with you.
Thanking in advance.
Kind regards
Haitham
Haitham,
Your understanding is correct: policy-based routing is not supported on the PIX firewall.
Also, don't be confused when you see the 'route-map' command option in PIX 6.3 and higher. This command is applicable only when redistributing routes into OSPF.
PIX 6.3 command reference:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/Mr.htm#wp1017196
PIX 7.2 command reference:
http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/qr_711.htm#wp1648744
Let me know if it helps.
Kind regards
Arul
-
Need help quick - PIX 515e ver. 6.3(5)
I'm new to this Cisco product and I'm in a jam. I've got to get this product operational tomorrow morning.
(Problem:) I've got communications running inside the firewall, and with an access list I can ping the outside world successfully; however, from the inside, behind the firewall, I can't see anything through a web browser. It's as if the traffic does not go through. Please help, what should I do?
Here's a copy of the current configuration:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service Internet tcp-udp
 description group for Internet access
 port-object eq echo
 port-object eq www
 port-object eq domain
access-list inside_access_in permit icmp interface inside interface outside echo-reply
access-list inside_access_in permit icmp interface inside interface outside time-exceeded
access-list inside_access_in permit icmp interface inside interface outside unreachable
access-list inside_access_in permit tcp any object-group Internet any object-group Internet log
access-list inside_access_in permit tcp any object-group Internet host 208.50.85.161 object-group Internet log
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 208.x.x.x 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 208.50.x.x 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 192.168.1.3-192.168.1.254 netmask 255.255.255.0
global (inside) 1 192.168.1.3-192.168.1.254
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
routing interface outside
 ospf authentication null
routing interface inside
 ospf authentication null
route outside 0.0.0.0 0.0.0.0 208.50.85.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa proxy-limit disable
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.165.6.11 209.130.136.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
access-list inside_access_in permit ip any any
That's my guess.
I'm a GUI guy, never use the CLI. Good luck
-
IPsec L2L VPN between IOS and PIX 6.3 - MTU issue?
The remote (client) side is behind the PIX 6.3(5). The head-end (server) side is a 2911 on IOS 15.0.
The IPsec tunnel comes up fine and passes traffic. However, there is one server which is not fully accessible. Note, it is mainly web traffic.
The client initiates a connection to http://server:8000. It receives a redirect to http://server:8000/somepage.jspa. Packet captures show the client acknowledges the redirect with a SYN-ACK response, but then the connection just hangs, and no other packets are received in return. I noticed that the redirected page is a .jsp and the other pages that work OK are not. I also noticed some MTU and TCP MSS configurations on the head-end side that are in place for another GRE VPN tunnel with another site. So I got onto the track of packet fragmentation. The PIX side has all the standard IPsec configuration as well as the default MTU on the inside and outside interfaces.
When the MTU is set manually on the client computer to 1400, access to http://server:8000/somepage.jspa works fine. So I need to tweak the PIX settings. I tried adjusting the MTU size on the inside and outside interfaces as well as the "sysopt connection tcp-mss" parameter. I don't know what else to do here.
Here is a summary of the MTU settings on the head end:
Head end:
int tunnel0 (this is the GRE tunnel)
 ip mtu 1420
 tunnel source G0/0
 tunnel destination X.X.X.X
 tunnel path-mtu-discovery
crypto map vpn 1
 description GRE tunnel
 blah blah blah
crypto map vpn 2
 description IPSec tunnel
 blah blah blah
int g0/0 (outside interface)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 crypto map vpn
int g0/1 (this is the interface to the server in question)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
HA, sorry, my bad. I read the previous post wrong.
(Note: yes, the MSS on the tunnel interface should be 40 bytes less than the MTU.)
Don't tweak the MTU, not for TCP problems (not as the first step); it is safer to play with the MSS. The MTU may depend on other things (OSPF, for example).
Do a ping sweep with the DF bit set and increasing size (from 1300 bytes, for example). By doing this you want to find the maximum packet size that you can get through the IPsec tunnel. Once you have this value, subtract 40 and set that as the MSS value on the LAN interface (and adjust the value on the PIX if you can).
M.
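The DF-bit ping sweep suggested above, as an added Python example (not from the thread): it binary-searches the largest ICMP payload that still passes with DF set, starting from a 1300-byte packet as suggested, converts that to a path MTU (payload plus the 20-byte IP and 8-byte ICMP headers), and applies the "subtract 40" rule (20-byte IPv4 plus 20-byte TCP header) to get an MSS. The Linux iputils "ping -M do" flags and the simulated 1438-byte path MTU are assumptions; a path that filters ICMP shows up as None rather than as a wrong number.

```python
import subprocess

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20


def ping_df_probe(target, payload, timeout_s=2):
    """Send one ICMP echo with DF set and `payload` data bytes; True if a reply
    came back, False if it timed out or 'message too long' was reported.
    ASSUMPTION: Linux iputils flags ('-M do' sets DF); other platforms differ."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), target]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_passing_payload(probe, lo=1300 - IP_HDR - ICMP_HDR, hi=1500 - IP_HDR - ICMP_HDR):
    """Binary-search the largest payload for which probe(payload) succeeds.
    lo is the 1300-byte starting packet from the answer (as ICMP payload), hi a
    full 1500-byte packet. Returns None if even lo does not pass (e.g. ICMP is
    filtered), so the caller never gets a misleading MSS."""
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    while hi - lo > 1:  # invariant: probe(lo) is True, probe(hi) is False
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def recommend_mss(probe):
    """Return (path_mtu, mss) following the answer's rule: largest packet that
    passes, minus 40 bytes of IPv4+TCP header; None if nothing passed."""
    payload = largest_passing_payload(probe)
    if payload is None:
        return None
    path_mtu = payload + IP_HDR + ICMP_HDR
    return path_mtu, path_mtu - IP_HDR - TCP_HDR


def simulated_probe(path_mtu):
    """Constructed stand-in for a tunnel that drops DF packets larger than path_mtu."""
    return lambda payload: payload + IP_HDR + ICMP_HDR <= path_mtu


if __name__ == "__main__":
    import sys
    # With a target argument, probe the real path; otherwise use the simulation.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda p: ping_df_probe(target, p)) if target else simulated_probe(1438)
    print("path MTU and MSS:", recommend_mss(probe))
```

With the simulated 1438-byte path the result is (1438, 1398); pointed at the far side of a real tunnel it runs roughly eight pings rather than a full sweep. The search assumes the path is monotonic (if a size passes, every smaller size passes), which holds for a single fragmentation limit but not for a path that rate-limits ICMP; repeat a probe before trusting a single failure.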