
Passing routing updates through the firewall

    Yesterday I was discussing some security-related things with a few people @ a customer’s location and had this question posed to me:

    Requirement:

    Can you establish an OSPF neighbor relationship between two routers separated by a PIX or ASA firewall without using a GRE Tunnel or static ARP entries?


    Upon looking at the requirement one would think “that just isn’t possible”… well, I sat down this morning and figured out that it is… So if a customer ever has the above stated requirement please feel free to use the configs I have below. Also I used OSPF in this setup; I broke it down and built it again with EIGRP and it works also… As some of you may know, with 7.0 code on the ASA/PIX you can run OSPF directly on the firewall; however, I do come across sec op customers who refuse to use anything other than default and static routes on their firewall… If this is your case then you can use these configurations. In this example I’m exchanging the loopback networks through the firewalls…

    Setup
    R1 ----(inside)---- PIX ----(outside)---- R2

    Code:
    R1#wr t…
    !
    interface Loopback0 
    ip address 1.1.1.1 255.255.255.0
    !
    interface FastEthernet0/0 
    description "*** Connected to PIX Inside E1 Interface ***"
    ip address 10.2.2.1 255.255.255.0
    ip address 192.168.100.1 255.255.255.0 secondary
    no ip proxy-arp 
    no ip redirects 
    no ip unreachables 
    ip ospf network non-broadcast 
    load-interval 30 
    duplex auto 
    speed auto
    !
    interface FastEthernet0/1 
    description "*** CONNECTED TO CATALYST PORT FE0/2 ***"
    ip address 10.1.1.1 255.255.255.0
    !
    router ospf 50 
    router-id 1.1.1.1 
    log-adjacency-changes 
    network 1.1.1.0 0.0.0.255 area 0 
    network 10.1.1.0 0.0.0.255 area 0 
    network 192.168.100.0 0.0.0.255 area 0 
    neighbor 192.168.100.2 priority 1
    !
    ip route 0.0.0.0 0.0.0.0 10.2.2.10
    R1#
    R1#sh ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, Loopback0
         2.0.0.0/32 is subnetted, 1 subnets
    O       2.2.2.2 [110/2] via 192.168.100.2, 00:11:36, FastEthernet0/0
         10.0.0.0/24 is subnetted, 2 subnets
    C       10.2.2.0 is directly connected, FastEthernet0/0
    C       10.1.1.0 is directly connected, FastEthernet0/1
    C    192.168.100.0/24 is directly connected, FastEthernet0/0
    S*   0.0.0.0/0 is directly connected, FastEthernet0/0
    R1#
    !
    !
    !

    Code:
     PIX# wr t
    Building configuration…
    access-list 100 permit icmp any any
    access-list 100 permit ospf any any
    ip address outside 192.1.12.10 255.255.255.0
    ip address inside 10.2.2.10 255.255.255.0
    static (inside,outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255 0 0 norandomseq
    static (outside,inside) 192.168.100.2 192.168.100.2 netmask 255.255.255.255 0 0 norandomseq
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 192.1.12.2 1
    route inside 192.168.100.1 255.255.255.255 10.2.2.1 1
    PIX# 
    !
    !
    !

    Code:
     R2#wr t
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.0
    !
    interface FastEthernet0/1
     description "*** Connected to PIX outside E0 Interface ***"
     ip address 192.1.12.2 255.255.255.0 secondary
     ip address 192.168.100.2 255.255.255.0
     no ip proxy-arp
     no ip redirects
     no ip unreachables
     ip ospf network non-broadcast
     load-interval 30
     duplex auto
     speed auto
    !        
    router ospf 50
     router-id 2.2.2.2
     log-adjacency-changes
     network 2.2.2.0 0.0.0.255 area 0
     network 192.168.100.0 0.0.0.255 area 0
     neighbor 192.168.100.1 priority 1
    !
    ip route 0.0.0.0 0.0.0.0 192.1.12.10
    !
    R2#
    R2#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 192.1.12.10 to network 0.0.0.0

    C    192.1.12.0/24 is directly connected, FastEthernet0/1
         1.0.0.0/32 is subnetted, 1 subnets
    O       1.1.1.1 [110/2] via 192.168.100.1, 00:11:09, FastEthernet0/1
         2.0.0.0/24 is subnetted, 1 subnets
    C       2.2.2.0 is directly connected, Loopback0
    C    192.1.25.0/24 is directly connected, Serial0/0.5
    C    192.1.24.0/24 is directly connected, Serial0/0.4
    C    192.1.26.0/24 is directly connected, Serial0/0.6
         10.0.0.0/24 is subnetted, 1 subnets
    O       10.1.1.0 [110/2] via 192.168.100.1, 00:11:10, FastEthernet0/1
    C    192.168.100.0/24 is directly connected, FastEthernet0/1
    S*   0.0.0.0/0 [1/0] via 192.1.12.10
    R2#
    Trần Mỹ Phúc
    tranmyphuc@hotmail.com
    Add my nick to get the latest exam information: tranmyphuc (maximum support for those studying on their own)

    Cisco Certs : CCNP (Passed TSHOOT 1000/1000)

    Juniper Certs :
    JNCIP-ENT & JNCIP-SEC
    INSTRUCTORS (No Fee) : CISCO (Professional) , JUNIPER (Professional) , Microsoft ...

    [version 4.0] CCNA review
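A consistency check for the design in this post, added here as an example and not part of the original post or the author's configs: it parses constructed excerpts of the three configs above and verifies the invariants the setup relies on (unicast hellos via non-broadcast plus matching neighbor statements, protocol 89 permitted by the ACL applied inbound on outside, identity statics for both neighbor addresses, and a host route back to the inside neighbor). It also flags the `permit ospf any any` line as wider than the two neighbor hosts need.

```python
import re
# Constructed excerpts of the three configs in the post, trimmed to the lines the check needs.
R1_CFG = """interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.0 secondary
 ip ospf network non-broadcast
router ospf 50
 neighbor 192.168.100.2 priority 1
"""
R2_CFG = """interface FastEthernet0/1
 ip address 192.168.100.2 255.255.255.0
 ip ospf network non-broadcast
router ospf 50
 neighbor 192.168.100.1 priority 1
"""
PIX_CFG = """access-list 100 permit ospf any any
static (inside,outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255 0 0 norandomseq
static (outside,inside) 192.168.100.2 192.168.100.2 netmask 255.255.255.255 0 0 norandomseq
access-group 100 in interface outside
route inside 192.168.100.1 255.255.255.255 10.2.2.1 1
"""

def grab(pattern, cfg):
    return set(re.findall(pattern, cfg, re.M))

def check(r1, r2, pix):
    # Returns a list of findings; an empty list means every invariant of the design holds.
    findings = []
    # 1. Unicast hellos: non-broadcast on both ends plus a neighbor statement naming a peer address.
    for name, cfg, peer in (("R1", r1, r2), ("R2", r2, r1)):
        if not grab(r"^\s*(ip ospf network non-broadcast)", cfg):
            findings.append(f"{name}: interface is not 'ip ospf network non-broadcast'")
        if not grab(r"^\s*neighbor (\S+)", cfg) & grab(r"^\s*ip address (\S+) \S+", peer):
            findings.append(f"{name}: no neighbor statement matches an address of the peer")
    # 2. Protocol 89 must pass the ACL applied inbound on outside; 'any any' is wider than needed.
    acl = re.findall(r"^access-list (\S+) permit ospf (\S+) (\S+)", pix, re.M)
    applied = grab(r"^access-group (\S+) in interface outside", pix)
    if not any(a in applied for a, _, _ in acl):
        findings.append("PIX: no ACL permitting ospf is applied inbound on outside")
    elif any(s == d == "any" for _, s, d in acl):
        findings.append("PIX: 'permit ospf any any' is wider than needed; restrict it to the two neighbors")
    # 3. Identity statics for both neighbor addresses, and a host route back to the inside neighbor.
    statics = set(re.findall(r"^static \(\S+\) (\S+) (\S+) netmask 255\.255\.255\.255", pix, re.M))
    for ip in grab(r"^\s*neighbor (\S+)", r1) | grab(r"^\s*neighbor (\S+)", r2):
        if (ip, ip) not in statics:
            findings.append(f"PIX: missing identity static for {ip}")
    for ip in grab(r"^\s*neighbor (\S+)", r2):
        if not re.search(rf"^route inside {re.escape(ip)} 255\.255\.255\.255", pix, re.M):
            findings.append(f"PIX: no 'route inside' host route for {ip}")
    return findings
```

Run against the configs as posted it reports only the broad ACL; dropping any of the statics, the non-broadcast setting or the inside host route produces a corresponding finding.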
