[c-nsp] eigrp question

Rodney Dunn rodunn at cisco.com
Wed Jan 5 16:42:04 EST 2005


Yes if you build a GRE tunnel between the two routers.

The problem is all your traffic is now GRE encapsulated
going through the firewall so make sure that isn't
an issue with it.

On Wed, Jan 05, 2005 at 03:57:01PM -0500, Kern, Tom wrote:
> 
> So if I open IPsec in my firewall, will that allow a GRE tunnel from my internet router to my internal router to pass EIGRP info?
> thanks
> -----Original Message-----
> From: Serguei Bezverkhi [mailto:sbezverkhi at hotmail.com]
> Sent: Wednesday, January 05, 2005 2:19 PM
> To: Kern, Tom
> Subject: RE: [c-nsp] eigrp question
> 
> 
> To be able to deal with IPSec you will need to enable 
> 
> UDP port 500 - isakmp negotiation
> ESP protocol type 50 
> 
> you do not really need it but FYI:
> 
> PPTP uses TCP port 1723
> GRE protocol type 47
> 
> Unfortunately I do not know sonicwall, I work only with Cisco. Using PIX it
> is very easy to accomplish.
> 
> 
> 
> Serguei
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kern, Tom
> Sent: Wednesday, January 05, 2005 1:37 PM
> To: Cisco List 2 (E-mail)
> Subject: RE: [c-nsp] eigrp question
> 
> The SonicWall has a built-in IPsec (ESP) rule; however, it seems to use IP
> ports 0 and 50. It also has an IKE rule and PPTP. The PPTP rule uses ports
> 1723 and IP port 6? I thought PPTP IS GRE?
> Shouldn't it use IP port 47?
> thanks
> 
> -----Original Message-----
> From: Serguei Bezverkhi [mailto:sbezverkhi at hotmail.com]
> Sent: Wednesday, January 05, 2005 1:16 PM
> To: Kern, Tom
> Subject: RE: [c-nsp] eigrp question
> 
> 
> You can also try to encrypt the GRE tunnel using IPsec tunnel mode, so your
> firewall will see only IPsec traffic. Hopefully your firewall will allow
> IPsec pass-through.
> 
> Serguei
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kern, Tom
> Sent: Wednesday, January 05, 2005 1:01 PM
> To: Cisco List 2 (E-mail)
> Subject: RE: [c-nsp] eigrp question
> 
> There is a router outside the firewall. It's the stub router and only has
> static routes.
> I looked into SAA probes but my IOS (12.2(6)) doesn't support it, and the one
> that does is too big for my flash, and of course the powers that be don't
> want to shell out any $$$ for a new flash card.
> 
> Finally, I think I'm screwed because the SonicWall Pro 100 in the remote
> site doesn't have any pre-built services for GRE and doesn't have an option
> to create a rule based on IP ports, only TCP/UDP.
> sigh....
> 
> -----Original Message-----
> From: barney gumbo [mailto:barney.gumbo at gmail.com]
> Sent: Wednesday, January 05, 2005 12:53 PM
> To: Kern, Tom
> Subject: Re: [c-nsp] eigrp question
> 
> 
> Is there a router beyond (outside) the firewall?  If so, GRE over
> EIGRP will get the EIGRP packets through the firewall.  In other
> words, build a GRE tunnel through the firewall and add the GRE network
> (on both routers) into EIGRP.  Be careful not to redistribute the
> external routing protocol (if there is one) into EIGRP and vice-versa.
> 
> BGP is actually quite simple on a basic level.  It gets tricky when
> you need to exchange routes between BGP and an IGP, in this case
> EIGRP.
> 
> However, it sounds like you don't have a router on the outside of the
> firewall.  In this case you can set up policy-routing which will ping
> a network, if the ping fails, the policy-routing will kick in and
> change the route you need changed.
> 
> Check these links-
> 
> http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q2-04/department_techtips.html
> 
> http://www.cisco.com/warp/public/784/packet/apr04/pdfs/dept_tt_scenarios.pdf
> 
> I use these features in my network.  Specifically I ping a destination
> host that we're not exchanging routes with.  When that ping test
> fails, policy-routing kicks in and the backup route is injected.  Once
> the pings start working again, the original route is re-injected. 
> Works quite well.
> 
> --Barn
> 
> On Wed, 5 Jan 2005 12:29:58 -0500, Kern, Tom <tkern at charmer.com> wrote:
> > I'm trying to set up an internet redundancy plan. I have 3 sites all
> > connected via T1s. Each site has its own internet connection (frame relay),
> > and I'd like to set it up so if one site's firewall (SonicWall and
> > WatchGuard) goes down or the internet link goes down, internet traffic will
> > automagically be rerouted via one of the other sites' internet connections.
> > I'm avoiding BGP because I have no experience with it.
> > All my routers run EIGRP. I thought using "ip default-network" would work,
> > but if EIGRP neighbors need to be on the same subnet, this won't help me.
> > Also, EIGRP would only work if the whole router went down (rare). I want the
> > routes to change if the serial link is down.
> > 
> > Does anyone know of a way to make this work? Is it possible?
> > thanks
> > 
> > -----Original Message-----
> > From: Michel Py [mailto:michel at arneill-py.sacramento.ca.us]
> > Sent: Wednesday, January 05, 2005 12:20 PM
> > To: Kern, Tom
> > Subject: RE: [c-nsp] eigrp question
> > 
> > > Would an EIGRP neighbor relationship be formed between
> > > 2 routers if they are on separate subnets?
> > 
> > No. (I would be very interested in this if it could work). So far the
> > only thing I got to route across a firewall is either a tunnel (which
> > defeats having a firewall) or BGP.
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
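The design the thread converges on (a GRE tunnel between the inside router and the stub router outside the firewall, with EIGRP running across it, and the firewall passing only the tunnel protocol), written out as an added example. This is not configuration posted by any participant; the addresses, the EIGRP AS number, the prefixes and the ACL names are constructed for illustration. It also makes explicit the point Rodney and Michel raise: once the tunnel is up the firewall sees only protocol 47 (or ESP and UDP/500 if the GRE is wrapped in IPsec) and can no longer inspect what rides inside, so the tunnel interface itself has to carry the filter.

```cisco
! Added example, not from the thread. Addresses, AS number and ACL names are
! constructed: inside router = 192.0.2.1, outside stub router = 198.51.100.1,
! tunnel subnet 10.255.0.0/30, internal prefix 10.10.0.0/16, remote 10.20.0.0/16.
!
! --- Inside router (behind the firewall) ---
interface Tunnel0
 description GRE to the stub router outside the firewall
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! The firewall cannot see inside the tunnel, so filter here: EIGRP from the
 ! peer (hellos go to 224.0.0.10, updates may be unicast) plus the one
 ! prefix pair this tunnel is meant to carry. Everything else is dropped
 ! and logged so a misuse of the tunnel shows up in syslog.
 ip access-group TUNNEL-IN in
!
ip access-list extended TUNNEL-IN
 permit eigrp host 10.255.0.2 host 224.0.0.10
 permit eigrp host 10.255.0.2 host 10.255.0.1
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 deny   ip any any log
!
router eigrp 100
 network 10.10.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 no auto-summary
 ! Barney's caveat: the stub router keeps its static routes; nothing is
 ! redistributed from an external protocol into EIGRP or back.
!
! --- Outside stub router: mirror image ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.1
 tunnel mode gre ip
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 no auto-summary
!
! --- What the firewall must pass between the two tunnel endpoints ---
! 47 and 50 are IP protocol numbers, not TCP/UDP ports: 47 = GRE for the
! plain tunnel; 50 = ESP plus UDP/500 (ISAKMP) if the GRE is wrapped in
! IPsec so the firewall sees only encrypted traffic. Written as a Cisco
! extended ACL (a SonicWall or other box needs the same rule set in its
! own syntax), restricted to the two endpoints, not "any":
ip access-list extended FW-TUNNEL
 permit gre host 198.51.100.1 host 192.0.2.1
 permit gre host 192.0.2.1 host 198.51.100.1
 permit esp host 198.51.100.1 host 192.0.2.1
 permit esp host 192.0.2.1 host 198.51.100.1
 permit udp host 198.51.100.1 eq isakmp host 192.0.2.1 eq isakmp
 permit udp host 192.0.2.1 eq isakmp host 198.51.100.1 eq isakmp
 deny   ip any any log
```

The usual check after bringing this up is `show ip eigrp neighbors` on both ends (the neighbor should appear on Tunnel0) and a look at the `deny ip any any log` counters on both ACLs: hits on TUNNEL-IN mean something other than the intended traffic is trying to ride the tunnel past the firewall, which is exactly the exposure Michel's "defeats having a firewall" remark refers to.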

