From: Brant I. Stevens (branto@branto.com)
Date: Sun Aug 21 2005 - 19:46:49 GMT-3
Scott,
The tracking number for the package is 8389328765r022-xxd. ;)
But seriously, this is something that has always nagged me in the back of my
mind... If, for example, I have Router A that is my Internet router,
connected on an Ethernet network to the outside interface of a PIX firewall,
and Router B on the inside, and an IGP adjacency over the GRE tunnel
through the firewall between Routers A and B, won't the only required rule
on the firewall be to permit GRE between Routers A&B?
Or have I spent too much time in the sun?
Thanks,
Brant.
On 8/21/05 2:46 PM, "Scott Morris" <swm@emanon.com> wrote:
> How about sending your firewall to me since you don't use it. :)
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> Schaffran
> Sent: Sunday, August 21, 2005 12:58 PM
> To: 'Brant I. Stevens'; 'Sayeed Kachroo'; cciein2006@yahoo.com;
> ccielab@groupstudy.com
> Subject: RE: Routing updates through a firewall
>
> How about a GRE tunnel through a VPN connection?
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brant I. Stevens
> Sent: Sunday, August 21, 2005 9:31 AM
> To: Sayeed Kachroo; cciein2006@yahoo.com; ccielab@groupstudy.com
> Subject: Re: Routing updates through a firewall
>
>
> Correct me if I'm wrong, but, doesn't using a GRE tunnel for such a purpose
> basically negate using a firewall once you permit the GRE tunnel through it?
> You would have to add ACLs to the GRE tunnel to permit/deny traffic as
> desired, and if you weren't using a FW feature set, it would only give you
> packet filtering; not stateful inspection.
>
> BGP will give you the best path to a destination, but the specific traffic
> type must be permitted through the firewall.
>
> On 8/20/05 1:28 AM, "Sayeed Kachroo" <sayeedk@hotmail.com> wrote:
>
>> Well, I think with redistribution you will lose BGP attributes; I don't
>> think that is a good idea. How about using GRE? Pass the GRE traffic
>> through the PIX.
>>
>> SK
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3
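An added illustration, not part of the thread, of the point discussed in the messages above: a firewall rule that permits GRE between Routers A and B matches only the outer header, so any filtering of the tunnelled traffic has to happen on the tunnel interface. The addresses, rule sets and function names are constructed for this example.

```python
import socket, struct

GRE, OSPF, TCP = 47, 89, 6
RTR_A, RTR_B = "192.0.2.1", "10.0.0.2"      # constructed addresses

def ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]

def gre_encap(inner):
    # Basic GRE header: no flags, version 0, protocol type 0x0800 (IPv4)
    return ipv4(RTR_A, RTR_B, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def firewall_permits(pkt, rules):
    """Firewall between the routers: matches the outer header only."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return (src, dst, proto) in rules

def tunnel_acl_permits(pkt, allowed):
    """ACL on Router B's tunnel interface: matches the decapsulated packet."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != GRE or len(payload) < 4:
        return False
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or ptype != 0x0800:
        return False
    _, _, inner_proto, l4 = parse_ipv4(payload[4:])
    dport = struct.unpack("!H", l4[2:4])[0] if inner_proto == TCP and len(l4) >= 4 else None
    return (inner_proto, dport) in allowed

def evaluate():
    fw_rules = {(RTR_A, RTR_B, GRE)}          # the single "permit GRE A -> B" rule
    tunnel_acl = {(OSPF, None)}               # only the IGP is wanted over the tunnel
    telnet = ipv4("198.51.100.7", "10.0.0.50", TCP, struct.pack("!HH", 40000, 23) + bytes(16))
    hello = ipv4("172.16.0.1", "224.0.0.5", OSPF, bytes(24))
    cases = {"telnet direct": telnet, "telnet in GRE": gre_encap(telnet),
             "OSPF hello in GRE": gre_encap(hello)}
    return {name: (firewall_permits(p, fw_rules), tunnel_acl_permits(p, tunnel_acl))
            for name, p in cases.items()}

if __name__ == "__main__":
    for name, (fw, acl) in evaluate().items():
        print(f"{name:18} firewall={fw!s:5} tunnel_acl={acl}")
```

The firewall rule cannot tell the tunnelled Telnet packet from the tunnelled OSPF hello; only the tunnel-interface check separates them.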