RE: Passing Routing information across Firewall

From: Larson, Chris (CLarson@usaid.gov)
Date: Wed Sep 04 2002 - 14:18:05 GMT-3


 I just tried it and it didn't work so.............

 I thought I remembered doing this for someone, but I think it was eBGP
through the firewall.

-----Original Message-----
From: Larson, Chris
Sent: Wednesday, September 04, 2002 1:10 PM
To: 'Harris, Joe F'; Roderick B. Greening; 'Charles Huang'; CCIE
Subject: RE: Passing Routing information across Firewall

If it is EIGRP, can't a person simply unicast EIGRP by adding the passive
interface and the neighbor command and punch a hole through the firewall
for communication between routers? I would think this would be fine as long
as there were static routes on the routers before and after the firewall
with the statics pointing to the neighbor with the firewall as next hop.

-----Original Message-----
From: Harris, Joe F [mailto:Joe_Harris@AIMFUNDS.COM]
Sent: Wednesday, September 04, 2002 12:28 PM
To: Roderick B. Greening; 'Charles Huang'; CCIE
Subject: RE: Passing Routing information across Firewall

You can tunnel the EIGRP traffic through the firewall, however it is not
recommended and BGP is the best choice. In your case you would need to use a
distribute-list for the tunnel, so that only the networks that you want via
the tunnel are learned via the tunnel. Here is an example; some of the
configs have been left out but it should be enough to give you an idea:

Router 1

! key chain EIGRP-KEY must be defined identically on both routers (left out here)
interface Tunnel0
 ip address 172.16.23.3 255.255.255.0
 ip authentication mode eigrp 9 md5
 ip authentication key-chain eigrp 9 EIGRP-KEY
 ! optional: announce a summary instead of the specifics
 ip summary-address eigrp 9 10.1.X.X 255.X.X.X 5
 ! source is the Ethernet interface connected to the PIX
 tunnel source 192.168.1.3
 ! destination is the Ethernet interface of R2 connected to the PIX
 tunnel destination 192.168.2.2
!
router eigrp 9
 passive-interface default
 ! hellos must go out the tunnel only, never toward the PIX
 no passive-interface Tunnel0
 network 10.0.0.0
 ! the tunnel subnet must be covered or no adjacency forms over Tunnel0
 network 172.16.23.0 0.0.0.255
 distribute-list 4 out Tunnel0
 no auto-summary
 eigrp log-neighbor-changes
!
access-list 4 deny "Whatever routes you want to deny"
access-list 4 permit "Whatever routes you want to permit"

Router 2

! key chain EIGRP-KEY must be defined identically on both routers (left out here)
interface Tunnel0
 ip address 172.16.23.2 255.255.255.0
 ip authentication mode eigrp 9 md5
 ip authentication key-chain eigrp 9 EIGRP-KEY
 ! optional: announce a summary instead of the specifics
 ip summary-address eigrp 9 10.2.X.X 255.X.X.X 5
 ! source is the Ethernet interface connected to the PIX
 tunnel source 192.168.2.2
 ! destination is R1's Ethernet interface connected to the PIX,
 ! as statically mapped at the PIX
 tunnel destination 192.168.2.3
!
router eigrp 9
 passive-interface default
 ! hellos must go out the tunnel only, never toward the PIX
 no passive-interface Tunnel0
 network 10.0.0.0
 ! the tunnel subnet must be covered or no adjacency forms over Tunnel0
 network 172.16.23.0 0.0.0.255
 distribute-list 4 out Tunnel0
 no auto-summary
 eigrp log-neighbor-changes
!
access-list 4 deny "Whatever routes you want to deny"
access-list 4 permit "Whatever routes you want to permit"

PIX

ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.168.2.20-192.168.2.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: the inside address of the static must be R1's tunnel source (192.168.1.3)
static (inside,outside) 192.168.2.3 192.168.1.3 netmask 255.255.255.255 0 0
: only GRE between the two tunnel endpoints is allowed in from the outside
access-list 1 permit gre host 192.168.2.2 host 192.168.2.3
access-group 1 in interface outside

Joe Harris
CCIE# 6200
CSS1, CISSP
Cisco Network Security
ISBN: 1932111654
11 Greenway Plaza, Suite 100
Houston, TX. 77046
713-214-4962
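A consistency check for a setup like the one above, as an added example (not part of the thread or any Cisco tool): it parses the tunnel endpoints, the PIX static and the GRE access-list, and reports every address that does not line up end to end plus any GRE permit wider than the single endpoint pair. The sample inputs are constructed, with two mismatches planted so the check has something to find.

```python
import re

# Constructed sample inputs (not from the thread): the lines of R1, R2 and the PIX
# that must agree for the GRE tunnel to cross the firewall, with two deliberate
# mismatches planted (a stale static inside address and a typo in the GRE ACL).
R1_CFG = "interface Tunnel0\n tunnel source 192.168.1.3\n tunnel destination 192.168.2.2\n"
R2_CFG = "interface Tunnel0\n tunnel source 192.168.2.2\n tunnel destination 192.168.2.3\n"
PIX_CFG = (
    "static (inside,outside) 192.168.2.3 192.168.1.2 netmask 255.255.255.255 0 0\n"
    "access-list 1 permit gre host 192.166.2.2 host 192.168.2.3\n"
    "access-group 1 in interface outside\n"
)

def tunnel_endpoints(cfg):
    """(source, destination) of the first tunnel interface in an IOS config."""
    src = re.search(r"tunnel source (\S+)", cfg).group(1)
    dst = re.search(r"tunnel destination (\S+)", cfg).group(1)
    return src, dst

def pix_static(cfg):
    """(global/outside, local/inside) addresses of the PIX static translation."""
    m = re.search(r"static \(inside,outside\) (\S+) (\S+)", cfg)
    return m.group(1), m.group(2)

def pix_gre_permits(cfg):
    """All (src, dst) host pairs for which the PIX access-list permits GRE."""
    return re.findall(r"access-list \S+ permit gre host (\S+) host (\S+)", cfg)

def check_gre_path(r1_cfg, r2_cfg, pix_cfg):
    """Return the list of inconsistencies; an empty list means the hole in the
    firewall is exactly one GRE pair and every address lines up end to end."""
    r1_src, r1_dst = tunnel_endpoints(r1_cfg)
    r2_src, r2_dst = tunnel_endpoints(r2_cfg)
    global_ip, local_ip = pix_static(pix_cfg)
    problems = []
    if r2_dst != global_ip:
        problems.append(f"R2 tunnel destination {r2_dst} is not the PIX static global {global_ip}")
    if local_ip != r1_src:
        problems.append(f"PIX static local {local_ip} is not R1's tunnel source {r1_src}")
    if r1_dst != r2_src:
        problems.append(f"R1 tunnel destination {r1_dst} is not R2's tunnel source {r2_src}")
    permits = pix_gre_permits(pix_cfg)
    wanted = (r2_src, global_ip)  # the only GRE flow that should enter from the outside
    if wanted not in permits:
        problems.append(f"outside ACL never permits gre {wanted[0]} -> {wanted[1]}")
    for pair in permits:
        if pair != wanted:  # any other permit widens the hole beyond the tunnel
            problems.append(f"outside ACL permits gre {pair[0]} -> {pair[1]}, not the tunnel pair")
    return problems

if __name__ == "__main__":
    for p in check_gre_path(R1_CFG, R2_CFG, PIX_CFG):
        print("PROBLEM:", p)
```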

-----Original Message-----
From: Roderick B. Greening [mailto:rgreening@gt.ca]
Sent: Wednesday, September 04, 2002 10:06 AM
To: 'Charles Huang'; CCIE
Subject: RE: Passing Routing information across Firewall

If you're passing traffic through a firewall, then the assumption is that
you have two separate autonomous entities. BGP should probably be used in a
case like that. You can configure BGP with private AS numbers if you are not
connecting the AS to the internet or if you are homing to only one ISP.

-----Original Message-----
From: Charles Huang [mailto:routing@icharles.no-ip.com]
Sent: Tuesday, September 03, 2002 5:44 PM
To: Charles Huang; CCIE
Subject: RE: Passing Routing information across Firewall

Sorry, I forgot to mention no BGP. I prefer to use routing protocols like
EIGRP, OSPF and/or RIP.

Thanks

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Charles Huang
Sent: Tuesday, September 03, 2002 12:19 PM
To: CCIE
Subject: OT: Passing Routing information across Firewall

Hi All,

This may be a bit OT.

Does anybody know how to pass routing information across the firewall? A
tunnel would be an option to pass routing updates ONLY. The "normal" IP
traffic should still pass through the firewall. Assuming the firewall
does not support any routing protocol. Here is a little diagram; hope it
might clarify the question.

10.1.1.0/24--R1--192.168.1.0/24--Firewall--192.168.2.0/24--R2--10.2.2.0/24

R2 needs to learn 10.1.1.0/24 from R1
R1 needs to learn 10.2.2.0/24 from R2
A tunnel between R1 & R2 is an option, but only to pass route updates/hellos.
All IP traffic must route through the firewall.

Any help would be appreciated
Thanks in advance
Charles



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:44 GMT-3