From: Gyori Gábor (Gabor.Gyori@lnx.hu)
Date: Wed Sep 04 2002 - 13:22:28 GMT-3
The only way to run an IGP through a firewall is a tunnel, or to run the routing protocol on the firewall itself.
The reasons:
- The packets containing routing info have TTL 1. The firewall should check it and drop the packet
- The neighboring routers should share the same subnet, but different subnets have to be defined on the firewall interfaces
A firewall usually does not use proxy ARP, so setting a common subnet on the two routers and the halves of it on the firewall does not help (usually).
Gabor
> -----Original Message-----
> From: Roderick B. Greening [mailto:rgreening@gt.ca]
> Sent: Wednesday, September 04, 2002 5:06 PM
> To: 'Charles Huang'; CCIE
> Subject: RE: Passing Routing information across Firewall
>
>
> If you're passing traffic through a firewall, then the assumption is that
> you have two separate autonomous entities. BGP should probably be used in a
> case like that. You can configure BGP with private AS numbers if you are not
> connecting the AS to the internet or if you are homing to only one ISP.
>
> -----Original Message-----
> From: Charles Huang [mailto:routing@icharles.no-ip.com]
> Sent: Tuesday, September 03, 2002 5:44 PM
> To: Charles Huang; CCIE
> Subject: RE: Passing Routing information across Firewall
>
>
> Sorry, I forgot to mention no BGP. I prefer to use routing protocols like
> EIGRP, OSPF and/or RIP.
>
> Thanks
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Charles Huang
> Sent: Tuesday, September 03, 2002 12:19 PM
> To: CCIE
> Subject: OT: Passing Routing information across Firewall
>
>
> Hi All,
>
> This may be a bit OT.
>
> Does anybody know how to pass routing information across the firewall?
> A tunnel would be an option to pass routing updates ONLY. The "normal" IP
> traffic should still pass through the firewall. Assuming the firewall
> does not support any routing protocol. Here is a little diagram; hope it
> might clarify the question.
>
> 10.1.1.0/24--R1--192.168.1.0/24--Firewall--192.168.2.0/24--R2--10.2.2.0/24
>
> R2 needs to learn 10.1.1.0/24 from R1
> R1 needs to learn 10.2.2.0/24 from R2
> A tunnel between R1 & R2 is an option, but only to pass route updates/hellos.
> All IP traffic must route through the firewall.
>
>
> Any help would be appreciated
> Thanks in advance
> Charles
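Gabor's two reasons, played out against Charles's diagram, as an added illustration that is not part of the thread (a toy forwarding model in Python; the .1 router addresses, the 10.0.0.0/30 tunnel subnet and the firewall's static routes are constructed assumptions):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional

# Topology from the diagram; host addresses are constructed (.1 on each router, 10.0.0.0/30 for the tunnel):
# 10.1.1.0/24--R1--192.168.1.0/24--Firewall--192.168.2.0/24--R2--10.2.2.0/24
R1_OUTER = ip_interface("192.168.1.1/24")
R2_OUTER = ip_interface("192.168.2.1/24")
TUN_R1 = ip_interface("10.0.0.1/30")   # GRE tunnel endpoints: one shared subnet, as the IGP needs
TUN_R2 = ip_interface("10.0.0.2/30")
FW_ROUTES = {  # the firewall speaks no routing protocol, so it only has static routes
    ip_network("192.168.1.0/24"): "inside", ip_network("10.1.1.0/24"): "inside",
    ip_network("192.168.2.0/24"): "outside", ip_network("10.2.2.0/24"): "outside",
}
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")  # 224.0.0.5/.6 OSPF, .9 RIPv2, .10 EIGRP

@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    proto: str
    payload: Optional["Packet"] = None  # inner packet when proto == "gre"

def firewall_forward(pkt: Packet):
    """What the firewall does with a packet: ('forward', egress) or ('drop', reason)."""
    dst = ip_address(pkt.dst)
    if dst in LINK_LOCAL_MCAST:
        return ("drop", "link-local multicast is never forwarded")
    if pkt.ttl <= 1:                      # Gabor's first reason: TTL 1 reaches 0 on this hop
        return ("drop", "TTL expired in transit")
    for net, egress in FW_ROUTES.items():
        if dst in net:
            return ("forward", egress)    # for GRE only the outer header is inspected here
    return ("drop", "no route")

def hello_accepted(receiver, hello: Packet) -> bool:
    """Gabor's second reason: a hello is accepted only when sourced from the receiver's own subnet."""
    return ip_address(hello.src) in receiver.network

def native_hello() -> Packet:
    return Packet(str(R1_OUTER.ip), "224.0.0.5", 1, "ospf")

def tunneled_hello() -> Packet:
    inner = Packet(str(TUN_R1.ip), "224.0.0.5", 1, "ospf")   # unchanged hello carried inside GRE
    return Packet(str(R1_OUTER.ip), str(R2_OUTER.ip), 255, "gre", payload=inner)

def data_packet() -> Packet:
    return Packet("10.1.1.5", "10.2.2.5", 64, "tcp")  # user traffic still crosses the firewall natively
```

Note that the firewall forwards the GRE packet on its outer header only, so the hellos inside it are not inspected there; this is exactly what the thread wants for routing updates and why the data traffic must stay outside the tunnel.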
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:44 GMT-3