[c-nsp] eigrp question

Jim McBurnett jim at tgasolutions.com
Wed Jan 5 16:53:15 EST 2005




IE. In the PIX firewall, if I was to do this I would do it like this:

1. STATIC command to allow X IP to inside router IP
2. ACL to permit eigrp from external router only to internal router via
the static command
3. configure the neighbor command on the external and internal routers
to identify each other.
4. Add a loopback interface on both routers with an unused IP address to
test the routing protocol.
5. Use access-list / route-maps to restrict the routes sent to and from
each router.
6. once communications was up, then secure it with MD5
7. remove the loopbacks.

I have used GRE and EIGRP and IPSEC before, but only if I was going to
secure GRE traffic thru firewalls and provide global routing on a VPN
tunnel design.

In this case if you are not careful with your ACL's on the IPSEC and the
GRE you may allow internet traffic to totally bypass your Firewall
totally....


Jim


-----Original Message-----
From: Kern, Tom [mailto:tkern at CHARMER.COM] 
Sent: Wednesday, January 05, 2005 3:57 PM
To: Cisco List 2 (E-mail)
Subject: RE: [c-nsp] eigrp question


so if i open ipsec in my firewall, will that allow a gre tunnel from my
internet router to my internal router to pass eigrp info?
thanks
-----Original Message-----
From: Serguei Bezverkhi [mailto:sbezverkhi at hotmail.com]
Sent: Wednesday, January 05, 2005 2:19 PM
To: Kern, Tom
Subject: RE: [c-nsp] eigrp question


To be able to deal with IPSec you will need to enable 

UDP port 500 - isakmp negotiation
ESP protocol type 50 

you do not really need it but FYI:

PPTP uses TCP port 1723
GRE protocol type 47

Unfortunately I do not know sonicwall, I work only with Cisco. Using PIX
it is very easy to accomplish.



Serguei

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kern, Tom
Sent: Wednesday, January 05, 2005 1:37 PM
To: Cisco List 2 (E-mail)
Subject: RE: [c-nsp] eigrp question

the sonicwall has a built in ipsec(esp) rule however it seems to use ip
ports 0 and 50. it also has a ike rule and pptp. the pptp rule uses
ports
1723 and ip port 6? I thought pptp IS gre?
shouldn't it use ip port 47?
thanks

-----Original Message-----
From: Serguei Bezverkhi [mailto:sbezverkhi at hotmail.com]
Sent: Wednesday, January 05, 2005 1:16 PM
To: Kern, Tom
Subject: RE: [c-nsp] eigrp question


You can also try to encrypt GRE tunnel using IPSec tunnel mode, so your
firewall will se only IPSec traffic. Hopefully your firewall will allow
IPSec pass through.

Serguei

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kern, Tom
Sent: Wednesday, January 05, 2005 1:01 PM
To: Cisco List 2 (E-mail)
Subject: RE: [c-nsp] eigrp question

there is a router outside the firewall. its the stub router and only has
static routes.
i looked into SAA probes but my ios(12.2(6)) doesn't support it and the
one that does is too big for my flash and of course the powers that be
don't want to shell out any $$$ for a new flash card.

finally, i think i'm screwed because the sonicwall pro 100 in the remote
site doesn't have any pre built services for gre and doesn't have an
option to create a rule based on IP ports only tcp/udp.
sigh....

-----Original Message-----
From: barney gumbo [mailto:barney.gumbo at gmail.com]
Sent: Wednesday, January 05, 2005 12:53 PM
To: Kern, Tom
Subject: Re: [c-nsp] eigrp question


Is there a router beyond (outside) the firewall?  If so, GRE over EIGRP
will get the EIGRP packets through the firewall.  In other words, build
a GRE tunnel through the firewall and add the GRE network (on both
routers) into EIGRP.  Be careful not to redistribute the external
routing protocol (if there is one) into EIGRP and vice-versa.

BGP is actually quite simple on a basic level.  It get's tricky when you
need to exchange routes between BGP and an IGP, in this case EIGRP.

However, it sounds like you don't have a router on the outside of the
firewall.  In this case you can set up policy-routing which will ping a
network, if the ping fails, the policy-routing will kick in and change
the route you need changed.

Check these links-

http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q2-04/department_tech
tips
html

http://www.cisco.com/warp/public/784/packet/apr04/pdfs/dept_tt_scenarios
.pdf

I use these features in my network.  Specifically I ping a destination
host that we're not exchanging routes with.  When that ping test fails,
policy-routing kicks in and the backup route is injected.  Once the
pings start working again, the original route is re-injected. 
Works quite well.

--Barn

On Wed, 5 Jan 2005 12:29:58 -0500, Kern, Tom <tkern at charmer.com> wrote:
> I'm trying to set up an internet redudancy plan. i have 3 sites all
connected via T1's. each site has its own internet connection(frame
relay) and i'd like to set it up so if one site's firewall(sonicwall and
watchguard) go down or the internet link goes down, internet traffic
will automagically be rerouted via one of the other site's internet
connection.
> i'm avoiding bgp because i have no experince with it.
> all my routers run eigrp. i thought using "ip default-network" would
work.
but if eigrp neighbors need to be on the same subnet, this won't help
me.
also eigrp would only work if the whole router went down(rare). i want
the routes to change if the serial link is down.
> 
> does anyone know of a way to make this work? is it possible?
> thanks
> 
> -----Original Message-----
> From: Michel Py [mailto:michel at arneill-py.sacramento.ca.us]
> Sent: Wednesday, January 05, 2005 12:20 PM
> To: Kern, Tom
> Subject: RE: [c-nsp] eigrp question
> 
> > would an eigrp neighbor relationship be formed between
> > 2 routers if they are on seperate subnets?
> 
> No. (I would be very interested in this if it could work). So far the 
> only thing I got to route across a firewall is either a tunnel (which 
> defeats having a firewall) or BGP.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




More information about the cisco-nsp mailing list