[nsp] OSPF x firewall

Mussie mussieg at comcast.net
Fri Jan 2 10:45:16 EST 2004


I believe Jim has suggested this before.  If you wish to interconnect two
routers via OSPF across the firewall the best option might be to create a
tunnel interface and use GRE or IP-in-IP as an encapsulation.  The only thing
you need on the firewall is to allow Protocol 47 [GRE] or protocol-4
[IP-in-IP] from the respective router interfaces (whichever one is the source
interface for your tunnel). 

Regards,
Mussie 
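
Added example, not from the thread: a minimal IOS configuration for the setup Mussie describes, with OSPF riding inside a GRE tunnel between the two routers and the firewall permitting only IP protocol 47 between the tunnel endpoints. All addresses, interface names and the firewall's IOS-style ACL syntax are assumptions.

```cisco
! --- Router A (Router B mirrors this with the addresses swapped) ---
! Addresses are constructed documentation-range examples, not from the thread.
interface Tunnel0
 description OSPF adjacency to Router B through the firewall
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! for IP-in-IP instead of GRE use "tunnel mode ipip" (IP protocol 4)
!
router ospf 1
 router-id 192.0.2.1
 network 10.255.0.0 0.0.0.3 area 0
 passive-interface default
 no passive-interface Tunnel0
!
! --- Firewall (shown as an IOS extended ACL; other vendors' syntax differs) ---
! The firewall still needs routes to 192.0.2.1 and 198.51.100.1. It only ever
! sees protocol 47 between the two tunnel sources; the OSPF hellos and LSAs
! are inside the GRE payload, so no OSPF (protocol 89) rule is required.
ip access-list extended TUNNEL-IN
 permit gre host 192.0.2.1 host 198.51.100.1
 permit gre host 198.51.100.1 host 192.0.2.1
 ! use "permit ipinip ..." instead if the tunnel mode is ipip
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group TUNNEL-IN in
```

GRE is stateless, so a firewall that does not track it needs the permit in both directions; the lowered MTU and MSS account for the encapsulation overhead.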

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ives Dekoninck
Sent: Wednesday, December 31, 2003 3:43 AM
To: Andy Furnell
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] OSPF x firewall

Configure the firewall with static routes using a default and other more
specific routes. An alternative could be to run a routing protocol
between router and FW, though I would not suggest that. (Routers do
routing, FWs do firewalling).

Cheers,

-Ives-

-----Original Message-----
From: Andy Furnell [mailto:andy at furnell.org.uk]
Sent: Wednesday, December 31, 2003 9:35
To: Ives Dekoninck
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] OSPF x firewall


On Wed, Dec 31, 2003 at 08:38:11AM +0100, Ives Dekoninck wrote:
> 
> Hi, Dimitri
> 
> IF you need two routers to talk a dynamic routing protocol with a FW in
> the middle, I would suggest running BGP between the two.
> 
> The advantage of BGP is that you don't need to be on the same subnet as
> long as it knows the route (static route) to the neighbour. The other
> advantage of running BGP is that on the firewall you only need to open
> TCP port 179 from the inside to the outside network.
> 
> Hope this helps,
> 

The firewall still has to know where to route the packets while it's
passing them between routers.

A

-- 
Andy Furnell
andy at furnell.org.uk

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/