Re: Routing updates through a firewall

From: john matijevic (john.matijevic@gmail.com)
Date: Sun Aug 21 2005 - 20:39:52 GMT-3


Hello Brant,
What is the issue that you are having? Why do you need to advertise the BGP
route to your PIX firewalls? What are you trying to accomplish here by
sending BGP (external) routes through your PIX firewalls to the internal network?
You can just point static routes on your PIX to go to the outside. Please
post your config and respond offline if you would like to discuss further.
Sincerely,
John

 On 8/21/05, Brant I. Stevens <branto@branto.com> wrote:
>
> Scott,
>
> The tracking number for the package is 8389328765r022-xxd. ;)
>
> But seriously, this is something that has always nagged me in the back of
> my mind... If, for example, I have Router A that is my Internet router,
> connected on an Ethernet network to the outside interface of a PIX
> firewall, and Router B on the inside, and an IGP adjacency over the GRE
> tunnel through the firewall between Routers A and B, won't the only
> required rule on the firewall be to permit GRE between Routers A & B?
>
> Or have I spent too much time in the sun?
>
> Thanks,
> Brant.
>
>
> On 8/21/05 2:46 PM, "Scott Morris" <swm@emanon.com> wrote:
>
> > How about sending your firewall to me since you don't use it. :)
> >
> > Scott
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Tony Schaffran
> > Sent: Sunday, August 21, 2005 12:58 PM
> > To: 'Brant I. Stevens'; 'Sayeed Kachroo'; cciein2006@yahoo.com;
> > ccielab@groupstudy.com
> > Subject: RE: Routing updates through a firewall
> >
> > How about a GRE tunnel through a VPN connection?
> >
> > Tony Schaffran
> > Network Analyst
> > CCIE #11071
> > CCNP, CCNA, CCDA,
> > NNCDS, NNCSS, CNE, MCSE
> >
> > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > Your #1 choice for online Cisco rack rentals.
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Brant I. Stevens
> > Sent: Sunday, August 21, 2005 9:31 AM
> > To: Sayeed Kachroo; cciein2006@yahoo.com; ccielab@groupstudy.com
> > Subject: Re: Routing updates through a firewall
> >
> >
> > Correct me if I'm wrong, but doesn't using a GRE tunnel for such a
> > purpose basically negate using a firewall once you permit the GRE tunnel
> > through it? You would have to add ACLs to the GRE tunnel to permit/deny
> > traffic as desired, and if you weren't using a FW feature set, it would
> > only give you packet filtering, not stateful inspection.
> >
> > BGP will give you the best path to a destination, but the specific
> > traffic type must be permitted through the firewall.
> >
> > On 8/20/05 1:28 AM, "Sayeed Kachroo" <sayeedk@hotmail.com> wrote:
> >
> >> Well, I think with redistribution you will lose the BGP attributes; I
> >> don't think that is a good idea. How about using GRE? Pass the GRE
> >> traffic through the PIX.
> >>
> >> SK
> >>
> >> ______________________________________________________________________
> >> _ Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)

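As an added example that is not part of the GroupStudy thread, the following Python model shows what Brant's single "permit GRE between Routers A & B" rule actually sees on the PIX, and why the ACL on the tunnel itself still only gives packet filtering. The router and host addresses, the tunnel ACL policy, and the four packets are all constructed for illustration; nothing here is a Cisco config.

```python
"""
Model of a GRE tunnel crossing a stateless outside-in firewall rule.

Constructed example: the addresses, the tunnel-interface policy and the
packets are assumptions made for this illustration, not from the thread.
"""
import struct
from ipaddress import ip_address

IPPROTO_TCP, IPPROTO_GRE, IPPROTO_OSPF = 6, 47, 89
RTR_A, RTR_B = "203.0.113.1", "203.0.113.2"     # assumed: Router A (outside), Router B (inside)
INSIDE_SRV = "10.2.2.20"                        # assumed: a server behind Router B
INTERNET_HOST = "198.51.100.7"                  # assumed: some host on the Internet


def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def gre(inner_ipv4):
    """Minimal GRE header: no flags, version 0, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + inner_ipv4


def tcp(sport, dport):
    """Minimal TCP SYN header; only the ports matter for the filters below."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


def outside_acl(pkt):
    """The PIX rule Brant describes: permit gre host RTR_A host RTR_B, nothing else.
    It looks only at the outer header, so it cannot see what the tunnel carries."""
    p = parse_ipv4(pkt)
    return p["proto"] == IPPROTO_GRE and p["src"] == RTR_A and p["dst"] == RTR_B


def decap_gre(pkt):
    """Strip outer IPv4 + GRE and return the parsed inner IPv4 packet."""
    p = parse_ipv4(pkt)
    assert p["proto"] == IPPROTO_GRE
    flags = struct.unpack("!H", p["payload"][:2])[0]
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return parse_ipv4(p["payload"][hdr_len:])


def tunnel_acl(inner):
    """Assumed ACL on Router B's Tunnel interface: permit the IGP (OSPF) and
    TCP/443 to INSIDE_SRV, deny the rest. Still a stateless packet filter."""
    if inner["proto"] == IPPROTO_OSPF:
        return True
    if inner["proto"] == IPPROTO_TCP and inner["dst"] == INSIDE_SRV:
        dport = struct.unpack("!HH", inner["payload"][:4])[1]
        return dport == 443
    return False


def firewall_view(pkt):
    """Return (passed the PIX outside ACL, decision of the tunnel ACL or None)."""
    if not outside_acl(pkt):
        return False, None
    return True, tunnel_acl(decap_gre(pkt))


# Constructed packets: an OSPF hello over the tunnel, HTTPS and Telnet to the
# inside server over the tunnel, and Telnet sent directly (not tunneled).
OSPF_HELLO = ipv4(RTR_A, RTR_B, IPPROTO_GRE,
                  gre(ipv4("10.0.0.1", "224.0.0.5", IPPROTO_OSPF, b"\x02\x01" + b"\x00" * 42)))
HTTPS_IN = ipv4(RTR_A, RTR_B, IPPROTO_GRE, gre(ipv4(INTERNET_HOST, INSIDE_SRV, IPPROTO_TCP, tcp(40001, 443))))
TELNET_IN = ipv4(RTR_A, RTR_B, IPPROTO_GRE, gre(ipv4(INTERNET_HOST, INSIDE_SRV, IPPROTO_TCP, tcp(40002, 23))))
DIRECT_TELNET = ipv4(INTERNET_HOST, INSIDE_SRV, IPPROTO_TCP, tcp(40003, 23))

if __name__ == "__main__":
    for name, pkt in [("ospf hello", OSPF_HELLO), ("https via tunnel", HTTPS_IN),
                      ("telnet via tunnel", TELNET_IN), ("telnet direct", DIRECT_TELNET)]:
        print(f"{name:18s} outside ACL: {outside_acl(pkt)!s:5s} tunnel ACL: {firewall_view(pkt)[1]}")
```

The PIX passes all three tunneled packets identically, because to it they are just protocol 47 between the two router addresses; the only thing that distinguishes the Telnet attempt from the OSPF hello is the tunnel ACL on Router B, which, as the thread says, is plain packet filtering with no state.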

This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3