[nsp] OSPF x firewall
Gert Doering
gert at greenie.muc.de
Fri Jan 2 14:51:58 EST 2004
Hi,
On Fri, Jan 02, 2004 at 10:45:16AM -0500, Mussie wrote:
> I believe Jim has suggested this before. If you wish to interconnect two
> routers via OSPF across the firewall the best option might be to create
> a tunnel interface and use GRE or IPnIP as an encapsulation. The only thing
> you need on the firewall is to allow Protocol 47 [GRE] or protocol-4
> [IP-in-IP] from the respective router interfaces (whichever one is the source
> interface for your tunnel).
As has also been mentioned before: what good is speaking dynamic
routing protocols through a device if that device doesn't know the
routes in question? The firewall needs to know which IPs are "inside"
and "outside" as well - so if you're routing around it, you won't gain
anything (except if you send the packets through the OSPF tunnel as
well - in that case, you've effectively removed the firewall).
The whole initial setup is flawed and should be re-thought.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
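
A small model of the point made in the reply above, added here as an illustration and not part of the original post: a filter that permits protocol 47 between the two routers sees only the outer header, so anything carried in the tunnel skips the rest of the ruleset. The addresses, the ruleset and the outer-header-only matching are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

GRE, TCP = 47, 6  # IP protocol numbers

# Constructed addresses from the RFC 5737 documentation ranges.
ROUTER_OUTSIDE, ROUTER_INSIDE = "192.0.2.1", "198.51.100.1"
SERVER, CLIENT = "198.51.100.80", "203.0.113.9"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # carried packet when proto is GRE

# Hypothetical ruleset: (src, dst, proto, dport); None is a wildcard.
# A packet matching any rule is permitted, anything else is denied.
PERMIT_RULES = [
    (ROUTER_OUTSIDE, ROUTER_INSIDE, GRE, None),  # the tunnel rule from the quoted advice
    (None, SERVER, TCP, 443),                    # the only service meant to be reachable
]

def firewall_permits(pkt: Packet) -> bool:
    """Match on the outer header only (assumed: no inspection inside GRE)."""
    fields = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
    return any(all(want is None or want == got for want, got in zip(rule, fields))
               for rule in PERMIT_RULES)

def via_tunnel(pkt: Packet) -> Packet:
    """Wrap a packet in GRE between the two routers."""
    return Packet(ROUTER_OUTSIDE, ROUTER_INSIDE, GRE, inner=pkt)

def audit(pkt: Packet) -> dict:
    """Compare the verdict for a packet sent directly and sent through the tunnel."""
    direct = firewall_permits(pkt)
    tunneled = firewall_permits(via_tunnel(pkt))
    return {"direct": direct, "tunneled": tunneled,
            "policy_bypassed": tunneled and not direct}

if __name__ == "__main__":
    ssh = Packet(CLIENT, SERVER, TCP, dport=22)
    https = Packet(CLIENT, SERVER, TCP, dport=443)
    print("ssh  ", audit(ssh))
    print("https", audit(https))
```

Running `audit` over each flow the ruleset is meant to deny shows which of them the tunnel rule would let through unfiltered.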