From: David C Prall (dcp@dcptech.com)
Date: Sun Sep 08 2002 - 13:08:34 GMT-3
Use the neighbor command within the routing protocol so that it is unicast.
Now the unicast packets will have a TTL of 1 and the neighbor must be on the
same subnet. So we have to set up NAT for these neighbors. With the PIX it
will not decrement the TTL so that it is hidden during the updates. For OSPF
the Ethernet interfaces will have to be configured as point-to-multipoint;
EIGRP will have to be a recent version of IOS in order to actually accept
and work with the neighbor statements. Of course none of this will ever
actually be supported by Cisco. Somewhere around here I have some sample
configs of doing this, but in the end we just used BGP because we could
better watch the upstream interface in order to submit a default through the
firewalls. With BGP you will also need to turn off random sequencing in
order to use passwords. I've used both iBGP and eBGP for doing this.
David
--
David C Prall dcp@dcptech.com http://dcp.dcptech.com

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Charles Huang
> Sent: Tuesday, September 03, 2002 3:19 PM
> To: CCIE
> Subject: OT: Passing Routing information across Firewall
>
>
> Hi All,
>
> This may be a bit OT.
>
> Does anybody know how to pass routing information across the firewall?
> A tunnel would be an option to pass routing updates ONLY. The "normal" IP
> traffic should still pass through the firewall. Assuming the firewall
> does not support any routing protocol. Here is a little diagram; hope it
> might clarify the question.
>
> 10.1.1.0/24--R1--192.168.1.0/24--Firewall--192.168.2.0/24--R2--10.2.2.0/24
>
> R2 needs to learn 10.1.1.0/24 from R1
> R1 needs to learn 10.2.2.0/24 from R2
> Tunnel between R1 & R2 is an option, but only to pass route update/hello.
> All IP traffic must route through the firewall.
>
>
> Any help would be appreciated
> Thanks in advance
> Charles
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:46 GMT-3
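
Why the reply above pairs BGP passwords with turning off random sequencing, as an added example that is not part of the original post: BGP neighbor passwords use the TCP MD5 signature option (RFC 2385), whose digest covers the TCP header including the sequence number, so a firewall that rewrites sequence numbers in flight makes the receiver reject the segment. The host addresses (picked from the subnets in the diagram), ports, key, and rewrite offset are constructed, and the 40-byte header length assumes the MD5 option is the only TCP option present.

```python
import hashlib
import hmac
import socket
import struct

BGP_PORT = 179
# Assumption: 20-byte base header + 18-byte MD5 option + 2 bytes of padding.
TCP_HEADER_LEN = 40


def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key):
    """RFC 2385 digest: pseudo-header, TCP header (no options, checksum 0), data, key."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, TCP_HEADER_LEN + len(payload)))
    offset_flags = ((TCP_HEADER_LEN // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, window, 0, 0)  # checksum and urgent pointer zeroed
    return hashlib.md5(pseudo + header + payload + key).digest()


def randomize_seq(seq, offset):
    """Model of a firewall shifting sequence numbers by a per-connection offset."""
    return (seq + offset) & 0xFFFFFFFF


def receiver_accepts(fields, digest, key):
    """The receiving router recomputes the digest over what actually arrived."""
    return hmac.compare_digest(tcp_md5_digest(**fields, key=key), digest)


def demo():
    key = b"constructed-bgp-password"  # constructed sample key
    # Constructed SYN from R1 to R2; host addresses are illustrative.
    syn = dict(src="192.168.1.1", dst="192.168.2.2", sport=11000, dport=BGP_PORT,
               seq=0x1000, ack=0, flags=0x02, window=16384, payload=b"")
    digest = tcp_md5_digest(**syn, key=key)  # signed by the sending router

    # Sequence numbers left alone: the signature verifies.
    untouched = receiver_accepts(syn, digest, key)

    # Sequence number rewritten in flight, digest option carried unchanged: it fails.
    rewritten = dict(syn, seq=randomize_seq(syn["seq"], 0x5EED1234))
    randomized = receiver_accepts(rewritten, digest, key)
    return untouched, randomized


if __name__ == "__main__":
    print("accepted without rewrite: %s, accepted after rewrite: %s" % demo())
```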