RE: Passing Routing information across Firewall

From: Roberto Giana (Roberto.Giana@econis.com)
Date: Tue Sep 03 2002 - 15:01:34 GMT-3


Hi

Sorry. But I think this doesn't work. As the routers see each other as next
hop through the tunnel (no matter what metric you're using) they will always
forward the traffic through the tunnel because they are not aware of the
firewall as a routing device between the 192.168.x.y networks.
The only way would be using eBGP as already described in this thread by
Craig Dorry.
BTW: Be aware of route recursions when using tunnels with RIP in RIP networks!
:-)

BTW: Why not enable routing on the firewall? If your perimeter routers
already exchange dynamic updates then it doesn't matter if your firewall
does it too. It doesn't matter if you're screwed because someone messed up your
routing tables only on the perimeter routers or on the routers AND your
firewall. ;-)
But anyway. Even when your routers are exchanging routing updates
dynamically, your FW-policies aren't changed dynamically. So where would the
benefit be of using dynamic routing?

Best regards
Roberto

-----Original Message-----
From: folivore [mailto:folivore@hotmail.com]
Sent: Tuesday, 3 September 2002 18:44
To: Charles Huang; CCIE
Subject: Re: Passing Routing information across Firewall

Still use the tunnel and increase hop counts or any metrics on it.

----- Original Message -----
From: "Charles Huang" <routing@icharles.no-ip.com>
To: "CCIE" <ccielab@groupstudy.com>
Sent: Tuesday, September 03, 2002 2:18 PM
Subject: OT: Passing Routing information across Firewall

> Hi All,
>
> This may be a bit OT.
>
> Does anybody know how to pass routing information across the firewall?
> A tunnel would be an option to pass routing updates ONLY. The "normal" IP
> traffic should still pass through the firewall. Assume the firewall
> does not support any routing protocol. Here is a little diagram; hope it
> might clarify the question.
>
> 10.1.1.0/24--R1--192.168.1.0/24--Firewall--192.168.2.0/24--R2--10.2.2.0/24
>
> R2 needs to learn 10.1.1.0/24 from R1.
> R1 needs to learn 10.2.2.0/24 from R2.
> A tunnel between R1 & R2 is an option, but only to pass route updates/hellos.
> All IP traffic must route through the firewall.
>
>
> Any help would be appreciated
> Thanks in advance
> Charles
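Roberto's point that a route learned over the tunnel drags the data traffic into the tunnel whatever the metric, and his warning about route recursion, as an added example that is not code from the thread: a toy longest-prefix lookup for R2 in Python. It assumes interface names, a tunnel subnet 172.16.0.0/30, a firewall outside address 192.168.2.254, and that the eBGP variant (Craig Dorry's message is not quoted here) peers on the routers' LAN addresses so the BGP next hop resolves through the firewall.

```python
"""Toy recursive route lookup for R2 (added example, not from the thread or any
vendor). Addresses follow Charles Huang's diagram; interface names, tunnel subnet
172.16.0.0/30 and the firewall outside address 192.168.2.254 are assumptions."""
import ipaddress

TUNNEL_DEST = "192.168.1.1"  # R1's LAN address: the GRE endpoint as seen from R2
MAX_DEPTH = 4                # lookups before we declare recursive routing

def route(prefix, iface=None, next_hop=None):
    return {"prefix": ipaddress.ip_network(prefix), "iface": iface, "next_hop": next_hop}

# R2 baseline: connected networks, the tunnel subnet, and a static route to
# R1's LAN via the firewall (needed anyway to reach the tunnel endpoint).
BASE = [
    route("10.2.2.0/24", iface="Ethernet1"),
    route("192.168.2.0/24", iface="Ethernet0"),
    route("172.16.0.0/30", iface="Tunnel0"),
    route("192.168.1.0/24", iface="Ethernet0", next_hop="192.168.2.254"),
]

def forwarding_path(table, dst, depth=0):
    """Interfaces a packet to dst leaves R2 through. Egress via Tunnel0 means
    GRE encapsulation, so the outer packet (to TUNNEL_DEST) is looked up again;
    a route with no interface (BGP style) is resolved through its next hop."""
    if depth > MAX_DEPTH:
        raise RuntimeError("recursive routing: tunnel endpoint reached via the tunnel")
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r["prefix"]]
    if not matches:
        return []
    best = max(matches, key=lambda r: r["prefix"].prefixlen)  # longest match
    if best["iface"] == "Tunnel0":
        return ["Tunnel0"] + forwarding_path(table, TUNNEL_DEST, depth + 1)
    if best["iface"] is None:
        return forwarding_path(table, best["next_hop"], depth + 1)
    return [best["iface"]]

def firewall_inspects(path):  # the policy sees the inner 10.x packet only if untunnelled
    return bool(path) and "Tunnel0" not in path

# Case 1: 10.1.1.0/24 learned by RIP over the tunnel. Whatever the metric, the
# next hop is R1's tunnel address, so data traffic is tunnelled past the policy.
RIP_TABLE = BASE + [route("10.1.1.0/24", iface="Tunnel0", next_hop="172.16.0.1")]
# Case 2: eBGP peered on the LAN addresses: next hop 192.168.1.1 resolves to
# the static route, so data traffic crosses the firewall unencapsulated.
BGP_TABLE = BASE + [route("10.1.1.0/24", next_hop="192.168.1.1")]
# Case 3: R1 also advertises 192.168.1.0/24 through the tunnel and the static
# route is missing, so the GRE outer packet recurses into its own tunnel.
RECURSIVE_TABLE = BASE[:3] + [route(p, iface="Tunnel0", next_hop="172.16.0.1")
                              for p in ("10.1.1.0/24", "192.168.1.0/24")]
```

The firewall in case 1 only ever sees GRE between 192.168.2.2 and 192.168.1.1, so its policy on the 10.x traffic never applies; case 3 is the condition under which a router disables the tunnel for recursive routing.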



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:42 GMT-3