From: Brant I. Stevens (branto@branto.com)
Date: Sun Aug 21 2005 - 21:13:52 GMT-3
This isn't an issue I'm having, I would just like to clarify my
understanding of the scenario I've described. As I see it, the only thing
the firewall would see is packets of Protocol 47; not HTTP(S), or anything
else, as the router would stuff any traffic into a GRE packet.
Am I missing something?
If it were a case where I needed to advertise a BGP route to the firewall,
and the full Internet routing table were in use, I'd use OSPF, or a static
route with HSRP serving as the next-hop address for the static.
-Brant
On 8/21/05 7:39 PM, "john matijevic" <john.matijevic@gmail.com> wrote:
> Hello Brant,
> What is the issue that you are having? Why do you need to advertise the BGP
> route to your PIX firewalls? What are you trying to accomplish here by
> sending BGP (external) routes to your PIX firewalls to the internal network?
> You can just point static routes on your PIX to go to the outside. Please
> post your config and respond offline if you would like to discuss further.
> Sincerely,
> John
>
> On 8/21/05, Brant I. Stevens <branto@branto.com> wrote:
>>
>> Scott,
>>
>> The tracking number for the package is 8389328765r022-xxd. ;)
>>
>> But seriously, this is something that has always nagged me in the back of my
>> mind... If, for example, I have Router A that is my Internet router,
>> connected on an Ethernet network to the outside interface of a PIX firewall,
>> and Router B on the inside, and an IGP adjacency over the GRE tunnel
>> through the firewall between Routers A and B, won't the only required rule
>> on the firewall be to permit GRE between Routers A&B?
>>
>> Or have I spent too much time in the sun?
>>
>> Thanks,
>> Brant.
>>
>>
>> On 8/21/05 2:46 PM, "Scott Morris" <swm@emanon.com> wrote:
>>
>>> How about sending your firewall to me since you don't use it. :)
>>>
>>> Scott
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Tony Schaffran
>>> Sent: Sunday, August 21, 2005 12:58 PM
>>> To: 'Brant I. Stevens'; 'Sayeed Kachroo'; cciein2006@yahoo.com;
>>> ccielab@groupstudy.com
>>> Subject: RE: Routing updates through a firewall
>>>
>>> How about a GRE tunnel through a VPN connection?
>>>
>>> Tony Schaffran
>>> Network Analyst
>>> CCIE #11071
>>> CCNP, CCNA, CCDA,
>>> NNCDS, NNCSS, CNE, MCSE
>>>
>>> www.cconlinelabs.com <http://www.cconlinelabs.com>
>>> Your #1 choice for online Cisco rack rentals.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Brant I. Stevens
>>> Sent: Sunday, August 21, 2005 9:31 AM
>>> To: Sayeed Kachroo; cciein2006@yahoo.com; ccielab@groupstudy.com
>>> Subject: Re: Routing updates through a firewall
>>>
>>>
>>> Correct me if I'm wrong, but doesn't using a GRE tunnel for such a purpose
>>> basically negate using a firewall once you permit the GRE tunnel through it?
>>> You would have to add ACLs to the GRE tunnel to permit/deny traffic as
>>> desired, and if you weren't using a FW feature set, it would only give you
>>> packet filtering; not stateful inspection.
>>>
>>> BGP will give you the best path to a destination, but the specific traffic
>>> type must be permitted through the firewall.
>>>
>>> On 8/20/05 1:28 AM, "Sayeed Kachroo" <sayeedk@hotmail.com> wrote:
>>>
>>>> Well, I think with redistribution you will lose the BGP attributes; I don't
>>>> think that is a good idea. How about using GRE? Pass the GRE traffic
>>>> through the PIX.
>>>>
>>>> SK
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>
>
>
> --
> John Matijevic, CCIE #13254
> U.S. Installation Group
> Senior Network Engineer
> 954-969-7160 ext. 1147 (office)
> 305-321-6232 (cell)
>
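The point made twice in this thread (the PIX sees only protocol 47 packets, and once GRE is permitted the firewall cannot apply its normal per-service policy to what rides inside), shown as an added Python example that is not part of the original thread or any Cisco code: it builds a constructed GRE-encapsulated packet and contrasts what an outer-header-only filter sees with what a decapsulating inspector finds. All addresses, ports and the packet bytes are constructed samples.

```python
import struct

IPPROTO_GRE = 47
IPPROTO_TCP = 6
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 since this is a constructed sample.
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))

def build_inner_packet():
    # Constructed sample: a TCP SYN from an inside host to an Internet HTTPS server (port 443).
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header("10.1.1.10", "203.0.113.5", IPPROTO_TCP, len(tcp)) + tcp

def build_gre_packet(inner, key=None):
    # Router B wraps the inner packet in GRE toward Router A; the firewall sees only the outer header.
    if key is None:
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)              # no optional fields (RFC 2784)
    else:
        gre = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, key)   # K flag set, key field (RFC 2890)
    return ipv4_header("192.0.2.2", "192.0.2.1", IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def ip_split(pkt):
    # Return (protocol number, payload) of an IPv4 packet, honouring the IHL field.
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]

def decapsulate_gre(gre_payload):
    # Strip the GRE header, skipping the optional fields announced by the C, K and S flag bits.
    flags, ethertype = struct.unpack("!HH", gre_payload[:4])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4-in-GRE is handled here")
    offset = 4
    if flags & 0x8000: offset += 4   # C: checksum + reserved1
    if flags & 0x2000: offset += 4   # K: key
    if flags & 0x1000: offset += 4   # S: sequence number
    return gre_payload[offset:]

def classify(pkt):
    # What an outer-header-only rule sees, next to what is actually carried inside the tunnel.
    outer_proto, payload = ip_split(pkt)
    result = {"outer_proto": outer_proto, "inner_proto": None, "inner_dst_port": None}
    if outer_proto != IPPROTO_GRE:
        return result
    inner_proto, l4 = ip_split(decapsulate_gre(payload))
    result["inner_proto"] = inner_proto
    if inner_proto in (6, 17):   # TCP/UDP: ports are the first four bytes of the L4 header
        result["inner_dst_port"] = struct.unpack("!HH", l4[:4])[1]
    return result
```

A rule that only matches `outer_proto == 47` passes the HTTPS SYN without ever seeing port 443; the inner view is what an inspector on the tunnel endpoint (or an ACL on the tunnel interface, as the thread notes) would have to evaluate.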
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3