RE: Routing updates through a firewall

From: Scott Morris (swm@emanon.com)
Date: Sun Aug 21 2005 - 22:18:14 GMT-3


ALWAYS ask yourself "why do I want this to happen?". Firewall design is
there for a reason. If you are using GRE, you're bypassing the usefulness
of a firewall anyway. You CAN do GRE, but be very aware of WHY you are
doing it and what you are trying to accomplish.

If your edge routers are outside your firewall, what possible value is it to
the inside routers to know about where to go?

If you want failover, run HSRP on your outside edge routers and let them
route between themselves. The inside routers have 0/0 to the PIX and the
PIX has 0/0 to the HSRP address. Problem solved.

Scott
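The failover design Scott describes, written out as an added configuration example (this is not from the thread or from any of the posters). Addresses (192.0.2.0/24 outside, 10.0.0.0/24 inside), interface names, HSRP group 1 and the PIX 6.x command syntax are all assumptions; the point is that the only thing the PIX needs to know is a single default route to the HSRP virtual address, so no routing protocol and no GRE has to cross the firewall.

```cisco
! --- Outside edge router A (assumed name and addressing) ---
! Both edge routers sit on the outside segment with the PIX outside interface.
! They exchange routes with each other and with their upstreams out here,
! entirely outside the firewall ("let them route between themselves").
interface FastEthernet0/0
 description Outside segment shared with Router B and the PIX outside interface
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop priority below Router B's if the uplink goes down, so the router
 ! that still has a working upstream path owns the virtual address.
 standby 1 track Serial0/0 20
!
! --- Outside edge router B: same virtual address, lower priority ---
interface FastEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track Serial0/0 20
!
! --- PIX (6.x syntax, assumed): one static default route to the HSRP VIP ---
! No dynamic routing is configured on the PIX and no GRE is permitted through
! it; which physical router forwards the traffic is decided by HSRP outside.
ip address outside 192.0.2.10 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! --- Inside router: default route to the PIX inside address ---
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

On the edge routers, `show standby brief` shows which one is Active and confirms that both see the same virtual IP 192.0.2.1. Note that the PIX itself remains a single point of failure in this layout; if that matters, the fix is a PIX failover pair rather than a routing protocol across the firewall.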

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brant I. Stevens
Sent: Sunday, August 21, 2005 6:47 PM
To: Scott Morris; 'Tony Schaffran'; 'Sayeed Kachroo'; cciein2006@yahoo.com;
ccielab@groupstudy.com
Subject: Re: Routing updates through a firewall

Scott,

The tracking number for the package is 8389328765r022-xxd. ;)

But seriously, this is something that has always nagged me in the back of my
mind... If, for example, I have Router A that is my Internet router,
connected on an Ethernet network to the outside interface of a PIX firewall,
and Router B on the inside, and an IGP adjacency over the GRE tunnel
through the firewall between Routers A and B, won't the only required rule
on the firewall be to permit GRE between Routers A&B?

Or have I spent too much time in the sun?

Thanks,
Brant.

On 8/21/05 2:46 PM, "Scott Morris" <swm@emanon.com> wrote:

> How about sending your firewall to me since you don't use it. :)
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Tony Schaffran
> Sent: Sunday, August 21, 2005 12:58 PM
> To: 'Brant I. Stevens'; 'Sayeed Kachroo'; cciein2006@yahoo.com;
> ccielab@groupstudy.com
> Subject: RE: Routing updates through a firewall
>
> How about a GRE tunnel through a VPN connection?
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Brant I. Stevens
> Sent: Sunday, August 21, 2005 9:31 AM
> To: Sayeed Kachroo; cciein2006@yahoo.com; ccielab@groupstudy.com
> Subject: Re: Routing updates through a firewall
>
>
> Correct me if I'm wrong, but, doesn't using a GRE tunnel for such a
> purpose basically negate using a firewall once you permit the GRE tunnel
> through it?
> You would have to add ACLs to the GRE tunnel to permit/deny traffic as
> desired, and if you weren't using a FW feature set, it would only give
> you packet filtering; not stateful inspection.
>
> BGP will give you the best path to a destination, but the specific
> traffic type must be permitted through the firewall.
>
> On 8/20/05 1:28 AM, "Sayeed Kachroo" <sayeedk@hotmail.com> wrote:
>
>> Well, I think with redistribution you will lose BGP attributes; I don't
>> think that is a good idea. How about using GRE? Pass the GRE traffic
>> through the PIX.
>>
>> SK
>>
>> ______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3