From: Feldman, Jim (Jim.Feldman@amex.com)
Date: Fri Oct 14 2005 - 15:39:00 GMT-3
Hey Brett,
Thanks again for your input and feedback. I appreciate it.
You misunderstood me.
I didn't mean to imply that I was running (or thinking of running RIP on the
PIX).
What I'm talking about is configuring the PIX to pass the RIP updates from 1
router to another.
i.e.
subnet 123 rtr1 --- PIX --- rtr2 subnet xyz
The idea here is that rtr1 will learn about subnet xyz from rtr2 and
rtr2 will learn about subnet 123 from rtr1. IOW, I want RIP to work from
rtr1's and rtr2's point of view as if the PIX didn't exist.
By doing this, I can avoid redist into BGP and out of BGP. (We're running
BGP for other reasons.)
TIA, Jim
-----Original Message-----
From: Brant I. Stevens [mailto:branto@branto.com]
Sent: Friday, October 14, 2005 2:25 PM
To: 'Feldman, Jim'; 'kevin gannon'
Cc: 'Ccie Lab (E-mail)'
Subject: RE: The PIX and RIP
IMO, using BGP for this is better because:
1. With a GRE tunnel, you lose the ability to filter traffic that goes
through the PIX via the tunnel,
2. BGP affords you better route filtering capability,
3. The PIX only passes a default route when running RIP, not individual
prefixes, IIRC.
Running OSPF on the PIX is another option. I've worked with it, and it
seems OK.
-----Original Message-----
From: Feldman, Jim [mailto:Jim.Feldman@amex.com]
Sent: Friday, October 14, 2005 2:15 PM
To: 'Brant I. Stevens'; 'kevin gannon'; Feldman, Jim
Cc: 'Ccie Lab (E-mail)'
Subject: RE: The PIX and RIP
Hi guys,
Thanks for thinking about this and getting back to me.
Kevin, I'm only 95% sure but I think that actually the TTL of RIP updates
to the mcast address is 2, not 1.
Brett, yes, there's a need for routes to be passed from 1 side of the PIX to
another (DMZ1 to inside).
If I use BGP, which is a definite consideration, I'll need to redist RIP into
BGP on the DMZ1 side and redist from BGP into RIP on the inside of the PIX.
I think both methods would work but why do you say using the BGP method is
better?
TIA, Jim
-----Original Message-----
From: Brant I. Stevens [mailto:branto@branto.com]
Sent: Friday, October 14, 2005 1:59 PM
To: 'kevin gannon'; 'Feldman, Jim'
Cc: 'Ccie Lab (E-mail)'
Subject: RE: The PIX and RIP
Is the requirement for dynamic routing? If so, then BGP would be the best
solution for something like this, provided that the routers on the inside
and outside are capable of using it.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
kevin gannon
Sent: Friday, October 14, 2005 1:34 PM
To: Feldman, Jim
Cc: Ccie Lab (E-mail)
Subject: Re: The PIX and RIP
Unless the PIX is in transparent mode, the RIP will not get across the PIX,
as the TTL of a RIP packet is 1.
GRE is an option but then it will not be possible to inspect the traffic
within the GRE as all traffic will go over the GRE.
Regards
Kevin
On 10/14/05, Feldman, Jim <Jim.Feldman@amex.com> wrote:
>
> Hi Guys,
>
> I want 2 routers to pass rip updates to each other across a PIX firewall.
> The Pix is configured to allow UDP port 520 traffic.
>
> I can think of 2 potential ways to do this:
>
> 1) Use the command, "no validate source-update" because the 2 routers
> are on 2 different subnets.
>
> 2) Set up a gre tunnel across the pix between the 2 routers.
>
>
> Am I correct that both ways will work?
>
> If so, is one way considered better?
>
> TIA, Jim
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3