OSPF on PIX w/ 6.2

OK, 6.3 code is out of the question for this example. I'm looking for solutions for 6.2 code only. Thanks in advance!

Here is the configuration:

(r1---> area 1 in) | PIX | area 1---> (fate) r2 s0/0---> - 0

R1 is AS 1, r2 is AS 2 with area 0 out interface s0/0. R1 also has area 2 out interface s0/0. I'm looking for examples of how to run OSPF from r1 to r2, r1 being in area 2 and r2 being in area 0, without using a GRE tunnel. I was able to redistribute OSPF via BGP, but is this the best/only solution...? Any suggestion would be great.

Jeff,

In my solution, I implemented BGP as the single routing protocol passed through the firewall. Initially, I tried to set the PIX up to allow the traffic through, thinking I could use OSPF neighbor statements so the routers could see each other. That failed because this feature also uses multicast traffic, which the PIX drops.

So ultimately I redistributed OSPF into BGP, passed the routing information through the firewall in the tunnel, and redistributed it back into OSPF.

I didn't try a virtual link, but since OSPF relies heavily on multicast traffic, I don't know whether such a link would also fail.

Virtual links are often described as 'tunnels', but that is only meant to help understand the concept; they operate only within contiguous OSPF networks.

6.3 sounding attractive yet?

Tags: Cisco Security

Similar Questions

  • Passive routes with OSPF on the PIX

    Hello

    Having just upgraded my PIX to software v8, I'm finally hoping to participate in OSPF on the network.

    The PIX has many DMZs that I want to advertise into OSPF to remove a *lot* of fragile static routes, but of course I would *not* want to send or receive OSPF on those DMZs. I thought I could make these interfaces passive, or better still, issue:

    router ospf 1
    passive-interface default

    And then exempt only the internal interface.

    However (unlike IOS), there seems to be no notion of passive interfaces in the PIX's OSPF implementation, a place where I thought it would be very useful...

    How do I distribute these DMZs into OSPF without advertising OSPF into them?

    I had planned to use:

    redistribute connected subnets

    However, that redistributes things like the public Internet interface, which I don't want. In addition, even if there is a way to stop it including the public interface, it seems more prone to user error than passive-by-default with one exception.

    Any ideas? If not, can I restrict which interfaces are redistributed with connected subnets?

    Thanks for all the ideas!

    Hi Peter,

    Thank you, yes... I was suggesting removing the network dmz commands under the OSPF process. As you said, it wouldn't really do what you want to do with the removal of the statics, since it disables OSPF for that network.

    Starting up EIGRP would seem to be a lot of extra work just to eliminate the statics if that's all it will be used for, but it would allow you to make the interface passive, which would stop sending/receiving EIGRP on that specific interface.

    I just re-read your first message and I think I understand now what you're after, which goes back to your first question about redistribution... you can redistribute statics and use a route-map to control which routes you want to redistribute. You can then remove the DMZ networks under the router ospf process.

    example:

    access-list ospfredist standard permit 10.10.10.0 255.255.255.0
    access-list ospfredist standard permit 192.168.10.0 255.255.255.0

    route-map static-ospf
      match ip address ospfredist

    router ospf 10
      redistribute static subnets route-map static-ospf

    this should redistribute only the statics that you listed above.

    hope this helps a bit.

    -scott

  • PIX 525 with OSPF

    Has anyone used a PIX 525 with OSPF routing? How does it work, meaning is it reliable? Any problems?

    SP

    Thank you

    This feature is now reliable enough. We met bugs initially, but it has been constantly improved.

    Thank you

    Nadeem

  • PIX OSPF question load balancing

    I have a PIX 515e with two default routes, learned via OSPF from two routers on the "outside" interface.

    Route #2 is currently preferred, passing much more traffic than router #1. There are thousands of traffic destinations. These two routers then NAT the RFC 1918 IPs to Internet IPs (the PIX doesn't NAT).

    Can someone please let me know how the PIX is load balancing? Is it by destination IP address? Is it something else?

    Thank you

    Joe

    TAC:

    "The PIX does per-destination load balancing instead of per-packet load balancing. The algorithm looks at the source and destination addresses. It is not 1:1 load balancing. Given quite different source and destination addresses, the packets will reach more or less a 50-50 split between the two next hops. However, in a real-world test with the same source and destination addresses, it may not reach the same load balancing."

  • PIX / ASA - OSPF load balancing

    Hello

    I read that the PIX will load balance equal-cost routes learned via OSPF. Does it send packets per-packet, or is there another method for distributing the traffic to the equal-cost next hops?

    Thank you!!

    Lee

    Hello Lawrence,

    PIX 6.3 now supports NLB using OSPF only (up to 3 default routes).

    The PIX can receive up to 3 default gateways (all with the same metric) from 3 different routes, and balance the load on a per-destination basis. Currently, there is no way for the PIX to determine which gateway a packet will be sent to. You cannot currently use static routes for load balancing.

    The hash algorithm used is not simple; it is very difficult to determine which route (next hop) a packet will be given for an IP source and destination pair. Basically, the PIX takes the source and destination IPs (two 32-bit numbers) and hashes them into one unique 16-bit number. Then the 16-bit number (0x0000 - 0xFFFF) is divided into thirds. The first 1/3 goes to gateway 1, the next 1/3 goes to gateway 2, and the last 1/3 goes to gateway 3.

    I hope this helps! If so, please rate.

    Thank you
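    A simulation of the per-destination split described in this reply and in the TAC quote of the previous thread (an added example, not Cisco code). The real PIX hash is undocumented, so a CRC-16 over the packed source/destination addresses stands in for it (an assumption); only the bucketing of the 16-bit value into equal slices follows the reply, and it is generalized here to 1 to 3 next hops.

```python
"""Simulation of the PIX per-destination (flow-hash) gateway choice.

Added example, not Cisco code.  The real PIX hash is undocumented, so a
CRC-16 over the packed source/destination addresses stands in for it (an
assumption); only the bucketing into equal slices follows the forum reply.
"""
from __future__ import annotations

import ipaddress
import random
import struct
from collections import Counter


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT (poly 0x1021, init 0xFFFF): placeholder 16-bit hash."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def flow_hash(src: str, dst: str) -> int:
    """Fold the two 32-bit addresses into one number in 0x0000-0xFFFF."""
    packed = struct.pack("!II", int(ipaddress.IPv4Address(src)),
                         int(ipaddress.IPv4Address(dst)))
    return crc16_ccitt(packed)


def pick_gateway(src: str, dst: str, gateways: list[str]) -> str:
    """Split the 16-bit hash space into len(gateways) equal slices (thirds
    for the three-route case) and return the gateway owning the slice this
    source/destination pair lands in.  The same pair always lands in the
    same slice, which is why a single-flow test never balances."""
    n = len(gateways)
    if not 1 <= n <= 3:
        raise ValueError("PIX 6.3 balances across at most 3 equal-cost routes")
    slice_width = 0x10000 // n
    return gateways[min(flow_hash(src, dst) // slice_width, n - 1)]


def distribution(gateways: list[str], n_flows: int, seed: int = 1) -> Counter:
    """Count how many of n_flows random (constructed) src/dst pairs each
    gateway receives; with many distinct pairs the split is close to even."""
    rng = random.Random(seed)
    counts: Counter = Counter()
    for _ in range(n_flows):
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        dst = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        counts[pick_gateway(src, dst, gateways)] += 1
    return counts


if __name__ == "__main__":
    gws = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    print("many flows:", distribution(gws, 30000))
    # one host talking to one server: every packet takes the same next hop
    print("one flow  :", Counter(pick_gateway("192.168.1.10", "198.51.100.7", gws)
                                 for _ in range(1000)))
```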

  • How Pix manages the rare IP protocol packets

    Does anyone know of a document explaining how the PIX handles, in terms of state, less common IP protocol packets such as ESP, AH, OSPF, GRE, etc.? I'm concerned about unintended traffic flowing through the PIX.

    I understand how TCP, UDP, and ICMP packets are handled, but I can't find anything on all others.

    Thank you.

    In general, the PIX does not inspect any protocol passing through it except for TCP and UDP. The exception is a protocol that is managed by a 'fixup', like PPTP, which has a fixup to allow the resulting GRE (protocol 47) traffic.

    If you want a protocol other than UDP/TCP to be allowed THROUGH, you must create an ACL entry for it.

    The other exception is traffic to the PIX itself as a host. ACLs have absolutely no effect on traffic to the PIX as the host: for example, OSPF packets destined for the PIX when it is running OSPF, or ESP packets destined for the PIX for a VPN tunnel it terminates, or ICMP traffic to the PIX itself (controlled using the [icmp] command). ACLs apply only to transit traffic.

  • PIX with PBR?

    Hello!

    Is it possible to configure policy-based routing on a PIX?

    concerning

    Hello

    Not at the moment, in any case. With the incarnation of the OSPF protocol on the PIX, a lot of the command syntax is currently in place for this support, but we still need the code to work with it. It's something that we have in mind, however. So, if you are interested in this, I encourage you to talk with your local Cisco account team about having this feature added to upcoming PIX code. Sorry I can't be more helpful.

    Scott

  • Routing protocols in PIX 6.3(3)

    Does 6.3(3) also support RIP apart from OSPF? If not, how is it that one of the caveats is "RIPv2 mcast updates are sent through an interface that does not have any RIP enabled"? Thanks for any help on this topic.

    Hello

    PIX 6.3 code supports both RIP (v1 and v2) and OSPF. The drawback is that you cannot configure RIP and OSPF on the same PIX. You must choose the one that you want to use. I hope this helps.

    Scott

  • PIX and RIP:

    Hello

    My problem is with RIP on a PIX: we are unable to advertise the inside networks to the outside, but it's possible with OSPF.

    Which protocol is properly implemented in the PIX OS? If both, which upcoming version supports RIP working like OSPF?

    Thanks in advance

    Regards

    Olivier

    Olivier,

    As you saw, RIP and OSPF on the PIX are implemented very differently. RIP is limited to passive listening on an interface or to sending a default route (0.0.0.0) on the RIP network. So, to answer your question, RIP is not designed to work like OSPF by advertising networks on each side of the PIX. They are both properly implemented (by design) and I highly doubt that the RIP implementation will ever change to work like OSPF. I hope this helps.

    Scott

  • Allowing ICMP and Telnet via a PIX 525

    We are trying to build a new distribution block onto our WAN backbone. We are experiencing a problem establishing ICMP and Telnet via the PIX. The following is known:

    1. Ping and telnet from the PIX to the 6509 and the internal network work fine.

    2. Ping from the PIX to the 7206 works just fine.

    3. debug icmp trace shows normal ICMP activity for ICMP connections from the 6509 and the internal network to the PIX; however, the debug shows nothing (no activity) during attempts to ping a.b.5.18 (see below).

    In short, all connections seem fine between the three devices; however, we cannot get ICMP and Telnet to work correctly through the PIX.

    The layout is:

    6509 (MSFC) ---- PIX 525 ---- 7206

    IP:       a.b.5.1 - a.b.5.2 (inside) | a.b.5.17 (outside) - a.b.5.18
    mask:     255.255.255.0 | 255.255.255.240 (both PIX interfaces) | 255.255.255.240
    networks: a.b.5.0 255.255.255.240 and a.b.5.16 255.255.255.240

    6509:

    interface VlanX
      description newwan-bb
      ip address a.b.5.1 255.255.255.0
      no ip redirects

    router ospf
      log-adjacency-changes
      redistribute static subnets metric 50 metric-type 1
      passive-interface default
      no passive-interface Vlan9
      ((other networks omitted))
      network a.b.5.0 0.0.0.255 area 0
      default-information originate

    PIX 525:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 failover security10
    hostname XXXXXX
    domain-name XXX.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list 102 permit ip any any
    access-list 102 permit icmp any any
    access-list 102 permit icmp any any echo
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any source-quench
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any time-exceeded
    access-list 103 permit ip any any
    access-list 103 permit icmp any any
    access-list 103 permit icmp any any echo
    access-list 103 permit icmp any any echo-reply
    access-list 103 permit icmp any any source-quench
    access-list 103 permit icmp any any unreachable
    access-list 103 permit icmp any any time-exceeded
    pager lines 24
    logging on
    logging timestamp
    logging buffered notifications
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    mtu outside 1500
    mtu inside 1500
    mtu failover 1500
    ip address outside a.b.5.17 255.255.255.240
    ip address inside a.b.5.2 255.255.255.240
    ip address failover 192.168.230.1 255.255.255.252
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group 103 in interface outside
    route outside 0.0.0.0 0.0.0.0 a.b.5.18 1
    route inside a.0.0.0 255.0.0.0 a.b.5.1 1
    route inside a.b.0.0 255.240.0.0 a.b.5.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet a.0.0.0 255.0.0.0 outside
    telnet a.0.0.0 255.0.0.0 inside
    telnet a.b.0.0 255.240.0.0 inside
    telnet a.b.5.18 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    terminal width 80

    Would appreciate any help on proper routing through a PIX 525, given that all of this is for an internal network.

    On the 6509, why does the interface have a /24 subnet mask when everything else has a /28? If you try to ping .18 from the 6500, it thinks that it is on a local network and does not need to route through the PIX.

    Your access lists are confusing.

    access-list # permit ip any any should let everything through, so everything that follows is a redundant statement.

    For the test:

    access-list alloweverything permit ip any any
    access-group alloweverything in interface outside

    should make the PIX act as a router; you are effectively disabling all firewall features.
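    An added checker (not from this thread or from Cisco) that flags ACL entries shadowed by an earlier, broader entry, which is the situation with "permit ip any any" at the top of access-lists 102 and 103 above. It assumes PIX 6.x access-list syntax (protocol, then "any", "host A.B.C.D" or "A.B.C.D MASK" for source and destination, then an optional ICMP type or port spec) and uses a constructed copy of ACL 102 as sample input.

```python
"""Lint for PIX 6.x access-list entries: reports entries that can never match
because an earlier, broader entry already matches every packet they describe
(the PIX evaluates an ACL top-down and stops at the first match).
Added example, not Cisco code; assumes the classic PIX 6.x syntax."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: str  # ICMP type or port spec ("eq 80"); "" if absent
    text: str


def _addr(tokens: list[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    kw = tokens.pop(0)
    if kw == "any":
        return ANY
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX uses a normal subnet mask, not an IOS wildcard
    return ipaddress.ip_network(f"{kw}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto, rest = t[1], t[2], t[3], t[4:]
    src = _addr(rest)
    dst = _addr(rest)
    return Ace(name, action, proto, src, dst, " ".join(rest), line)


def covers(earlier: Ace, later: Ace) -> bool:
    """True if every packet matching `later` would already hit `earlier`."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    qual_ok = earlier.qualifier == "" or earlier.qualifier == later.qualifier
    return (proto_ok and qual_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def shadowed_entries(lines: list[str]) -> list[tuple[str, str]]:
    """Return (shadowed_line, shadowing_line) pairs, grouped per ACL name."""
    seen: dict[str, list[Ace]] = {}
    findings = []
    for line in lines:
        ace = parse_ace(line)
        for prior in seen.setdefault(ace.name, []):
            if covers(prior, ace):
                findings.append((ace.text, prior.text))
                break
        seen[ace.name].append(ace)
    return findings


# Constructed sample in the order used in the post: permit ip any any first.
SAMPLE_ACL_102 = [
    "access-list 102 permit ip any any",
    "access-list 102 permit icmp any any",
    "access-list 102 permit icmp any any echo",
    "access-list 102 permit icmp any any echo-reply",
    "access-list 102 permit icmp any any unreachable",
]

if __name__ == "__main__":
    for shadowed, by in shadowed_entries(SAMPLE_ACL_102):
        print(f"never matched: {shadowed}\n   covered by: {by}")
```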

  • PIX OS v6.3: Load Balancing Configuration

    Using the new OSPF load balancing feature, is it possible to create a parallel array of PIXes to simulate a "dynamic load balancing environment"? Please explain why or why not.

    If the answer is no, is it then possible to create a 'static' load balancing environment? How would this work? Advantages and disadvantages?

    Kind regards.

    Sure... You need something in front of and behind the PIX to ensure that a session is maintained through the same PIX. This can also be done with NAT.

  • PIX IPSec tunnel - IOS, routing Options

    Hello

    I have an IPSec Tunnel between a PIX firewall and a router Cisco 1721.

    Do I have no options as to which routing protocol I can use?

    Are there plans to add GRE support to PIX, so that EIGRP, OSPF can be used?

    ------Naman

    Here's a URL that tells how to configure GRE over IPSEC with OSPF. http://www.Cisco.com/warp/public/707/gre_ipsec_ospf.html

  • Routing based on the source in PIX

    Hello

    I am trying to find a way to do source-based routing on the PIX to get the same functionality as the 'route-map' command in Cisco routers; is there an equivalent command for this in PIX version 7.x? I remember that it was not available in previous versions and I couldn't find it in version 7.x either, but I wanted to double-check with you.

    Thanking in advance.

    Kind regards

    Haitham

    Haitham,

    Your interpretation is correct; Policy Based Routing is not supported on the PIX Firewall.

    Also, don't be confused when you see the 'route-map' command option in PIX 6.3 and higher. This command is applicable only when redistributing routes into OSPF.

    PIX 6.3 command reference:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/Mr.htm#wp1017196

    PIX 7.2 command reference:

    http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/qr_711.htm#wp1648744

    Let me know if it helps.

    Kind regards

    Arul

  • I need help quick - PIX 515e ver. 6.3(5)

    I'm new to this Cisco product and I'm in a jam. I've got to get this product operational tomorrow morning.

    (Problem:) I've got communications running inside the firewall, and with an access list I can ping the outside world successfully; however, from the inside, behind the firewall, I can't see anything through a web browser. It's as if the traffic does not go through. Please help, what should I do?

    Here's a copy of the current configuration:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxx
    passwd xxxx
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    object-group service Internet tcp-udp
      description Group for Internet access
      port-object eq echo
      port-object eq www
      port-object eq domain
    access-list inside_access_in permit icmp interface inside interface outside echo-reply
    access-list inside_access_in permit icmp interface inside interface outside time-exceeded
    access-list inside_access_in permit icmp interface inside interface outside unreachable
    access-list inside_access_in permit tcp any object-group Internet any object-group Internet log
    access-list inside_access_in permit tcp any object-group Internet host 208.50.85.161 object-group Internet log
    pager lines 24
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 208.x.x.x.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    pdm location 208.50.x.x.x.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 192.168.1.3-192.168.1.254 netmask 255.255.255.0
    global (inside) 1 192.168.1.3-192.168.1.254
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    routing interface outside
      ospf authentication null
    routing interface inside
      ospf authentication null
    route outside 0.0.0.0 0.0.0.0 208.50.85.161 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa proxy-limit disable
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server contact
    snmp-server community
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd dns 206.165.6.11 209.130.136.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:xxxx
    : end

    access-list inside_access_in permit ip any any

    That's my guess.

    I'm a GUI guy, never use the CLI. Good luck

  • VPN IPSec L2L between IOS and PIX 6.3 - MTU issue?

    The remote (client) side is behind the PIX 6.3(5). And the head-end (server) side is a 2911 on IOS 15.0.

    The IPsec tunnel comes up fine and passes traffic. However, there is one server which is not fully accessible. Note, it is mainly web traffic.

    The client initiates a connection to http://server:8000. They receive a redirect to http://server:8000/somepage.jspa. Packet captures show the client acknowledges the redirect with a SYN-ACK response, but then the connection just hangs, and no other packets are received in return. I noticed that the redirected page is a .jsp and the other pages that work OK are not. I also noticed some MTU and TCP MSS configurations on the head-end side that are in place for another GRE VPN tunnel with another site. So I got to thinking about packet fragmentation. The PIX side has all the standard IPsec configurations as well as the default MTU on the inside and outside interfaces.

    When the MTU is set manually to 1400 on the client computer, access to http://server:8000/somepage.jspa works very well. So I need to tweak the PIX settings. I tried adjusting the MTU size on the inside and outside interfaces as well as the "sysopt connection tcp-mss" parameter. I don't know what else to do here.

    Here is a summary of the MTU settings on the head end:

    Head end:

    int tunnel0 (this is the GRE tunnel)
      ip mtu 1420
      tunnel source G0/0
      tunnel destination X.X.X.X
      tunnel path-mtu-discovery

    crypto map vpn 1
      description GRE tunnel
      blah blah blah

    crypto map vpn 2
      description IPSec tunnel
      blah blah blah

    int g0/0 (external interface)
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip verify unicast reverse-path
      ip nat outside
      ip virtual-reassembly
      crypto map vpn

    int g0/1 (this is the interface to the server in question)
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      ip virtual-reassembly
      ip tcp adjust-mss 1452

    Ha, sorry, my bad. I read the previous post wrong.

    (Note: yes, the MSS on the tunnel interface should be 40 bytes less than the MTU.)

    Don't tweak the MTU for TCP problems (not as a first step); it is safer to play with the MSS. The MTU may depend on other things (OSPF, for example).

    Do a ping sweep with the DF bit set across sizes (starting from 1300 bytes, for example). By doing this, you find the maximum packet size that you can pass through the IPsec tunnel. Once you have this value, subtract 40 and set that as the MSS value on the LAN interface (and adjust the PIX value if you can).

    M.
