Yesterday I was discussing some security-related things with a few people at a customer's location and had this question posed to me:
Requirement:
Can you establish an OSPF neighbor relationship between two routers separated by a PIX or ASA firewall without using a GRE Tunnel or static ARP entries?
Upon looking at the requirement one would think "that just isn't possible"... well, I sat down this morning and figured out that it is. So if a customer ever has the above stated requirement, please feel free to use the configs I have below. I used OSPF in this setup; I also broke it down and built it again with EIGRP, and it works as well. As some of you may know, with 7.0 code on the ASA/PIX you can run OSPF directly on the firewall; however, I do come across sec-op customers who refuse to use anything other than default and static routes on their firewall. If this is your case, then you can use these configurations. In this example I'm exchanging the loopback networks through the firewalls.
Setup
R1 ----(inside)---- PIX ----(outside)---- R2
Code:
R1#wr t
...
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description "*** Connected to PIX Inside E1 Interface ***"
 ip address 10.2.2.1 255.255.255.0 secondary
 ip address 192.168.100.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip ospf network non-broadcast
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "*** CONNECTED TO CATALYST PORT FE0/2 ***"
 ip address 10.1.1.1 255.255.255.0
!
router ospf 50
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
 neighbor 192.168.100.2 priority 1
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
R1#
R1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 192.168.100.2, 00:11:36, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.2.2.0 is directly connected, FastEthernet0/0
C       10.1.1.0 is directly connected, FastEthernet0/1
C    192.168.100.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0
R1#
Code:
PIX# wr t
Building configuration...
access-list 100 permit icmp any any
access-list 100 permit ospf any any
ip address outside 192.1.12.10 255.255.255.0
ip address inside 10.2.2.10 255.255.255.0
static (inside,outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255 0 0 norandomseq
static (outside,inside) 192.168.100.2 192.168.100.2 netmask 255.255.255.255 0 0 norandomseq
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.1.12.2 1
route inside 192.168.100.1 255.255.255.255 10.2.2.1 1
PIX#
Code:
R2#wr t
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 description "*** Connected to PIX outside E0 Interface ***"
 ip address 192.1.12.2 255.255.255.0 secondary
 ip address 192.168.100.2 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip ospf network non-broadcast
 load-interval 30
 duplex auto
 speed auto
!
router ospf 50
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
 neighbor 192.168.100.1 priority 1
!
ip route 0.0.0.0 0.0.0.0 192.1.12.10
!
R2#
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.1.12.10 to network 0.0.0.0

C    192.1.12.0/24 is directly connected, FastEthernet0/1
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/2] via 192.168.100.1, 00:11:09, FastEthernet0/1
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
C    192.1.25.0/24 is directly connected, Serial0/0.5
C    192.1.24.0/24 is directly connected, Serial0/0.4
C    192.1.26.0/24 is directly connected, Serial0/0.6
     10.0.0.0/24 is subnetted, 1 subnets
O       10.1.1.0 [110/2] via 192.168.100.1, 00:11:10, FastEthernet0/1
C    192.168.100.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 192.1.12.10
R2#
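A consistency check for this pattern, added here as my own example and not something from the original post: a small Python 3 script (standard library only) that reads the relevant lines of the three configs above and verifies the pieces the setup depends on, namely non-broadcast network type with unicast neighbor statements on both routers, a shared primary subnet, identity statics on the PIX for both neighbor addresses, and an ACL that permits OSPF inbound on the outside interface. The embedded config strings are trimmed copies of the configs in the post.

```python
import re
from ipaddress import ip_interface

# Constructed input: the relevant lines from the post's R1, R2 and PIX configs.
R1 = """interface FastEthernet0/0
 ip address 10.2.2.1 255.255.255.0 secondary
 ip address 192.168.100.1 255.255.255.0
 ip ospf network non-broadcast
router ospf 50
 neighbor 192.168.100.2 priority 1
"""
R2 = """interface FastEthernet0/1
 ip address 192.1.12.2 255.255.255.0 secondary
 ip address 192.168.100.2 255.255.255.0
 ip ospf network non-broadcast
router ospf 50
 neighbor 192.168.100.1 priority 1
"""
PIX = """access-list 100 permit ospf any any
static (inside,outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255 0 0 norandomseq
static (outside,inside) 192.168.100.2 192.168.100.2 netmask 255.255.255.255 0 0 norandomseq
access-group 100 in interface outside
"""

def router_facts(cfg):
    """Primary interface address, configured OSPF neighbors and NBMA flag from an IOS config."""
    # Secondary addresses are skipped: OSPF sources its hellos from the primary address.
    addrs = [ip_interface(f"{a}/{m}") for a, m in
             re.findall(r"^ ip address (\S+) (\S+)$", cfg, re.M)]
    nbrs = re.findall(r"^ neighbor (\S+)", cfg, re.M)
    return addrs[0], nbrs, "ip ospf network non-broadcast" in cfg

def check_ospf_through_pix(r1, r2, pix):
    """Return the reasons the unicast-OSPF-through-the-PIX setup would fail (empty list if none)."""
    (a1, nb1, nbma1), (a2, nb2, nbma2) = router_facts(r1), router_facts(r2)
    problems = []
    if not (nbma1 and nbma2):  # otherwise hellos go to 224.0.0.5, which the PIX will not forward
        problems.append("both sides must be 'ip ospf network non-broadcast'")
    if a1.network != a2.network:
        problems.append("primary addresses are not on the same subnet")
    if nb1 != [str(a2.ip)] or nb2 != [str(a1.ip)]:
        problems.append("neighbor statements do not point at the peer's primary address")
    acl = re.search(r"^access-list (\S+) permit ospf", pix, re.M)
    if not (acl and re.search(rf"^access-group {acl.group(1)} in interface outside", pix, re.M)):
        problems.append("PIX does not permit OSPF (IP protocol 89) inbound on outside")
    for direction, ip in (("inside,outside", a1.ip), ("outside,inside", a2.ip)):
        if not re.search(rf"^static \({direction}\) {ip} {ip} ", pix, re.M):
            problems.append(f"missing identity static for {ip} ({direction})")
    return problems
```

Running `check_ospf_through_pix(R1, R2, PIX)` on the configs from the post returns an empty list; drop any one of the four pieces and the corresponding reason is reported.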