Re: Deny OSPF neighbor relationship using access list

From: bkvalentine@gmail.com
Date: Tue Jun 24 2008 - 11:53:52 ART


I'm by no means a security expert. Try applying the ACL to the control plane. From what I understand, traffic to and from the ASA can be filtered there. Traffic going through the ASA can be filtered on the interfaces.

Maybe a better way to accomplish this... Try making the interfaces passive in OSPF and specify your specific neighbors. This would stop the ASA from flooding out the multicast hellos and have it send unicast instead. At least we can do that on a router. I would assume you can also do this on the ASA.

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: ISolveSystems <support@isolvesystems.com>

Date: Tue, 24 Jun 2008 09:23:40
To: "Cisco certification" <ccielab@groupstudy.com>, "Cisco certification" <security@groupstudy.com>
Subject: Deny OSPF neighbor relationship using access list

Hello Expert,
I am trying to deny OSPF from forming relationship between ASAs. I tried
the following without success. 1.1.1.1 is the neighbor IP address.
1.1.1.2 is the local interface IP.

access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4

Any idea?

Thanks.
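Added example, not part of this thread and not Cisco's code: a small Python simulator of first-match evaluation for the subset of ASA extended ACL syntax used in the original post (`access-list NAME extended {permit|deny} PROTO host A host B`, plus `any`). It is fed the five DMZ-IN entries quoted above and a constructed set of OSPF packets (protocol 89) from 1.1.1.1 to the local interface, to AllSPFRouters 224.0.0.5 and to AllDRouters 224.0.0.6 (the two OSPF multicast groups from RFC 2328; 224.0.0.4 is not one of them). It reports which entry each packet would hit and which entries can never match OSPF traffic at all. The `Packet`/`Ace` types, `dead_aces` and the sample packets are assumptions of this example. It only answers "would this ACE match"; whether an interface ACL is consulted at all for packets addressed to the ASA itself is the separate control-plane question raised in the reply.

```python
"""Simulate a subset of ASA extended ACLs against constructed OSPF packets.
Example code for the thread above; not Cisco's implementation."""

import ipaddress
from typing import NamedTuple, Optional

# Protocol keywords accepted in an ACE; None means "any IP protocol".
PROTO_NUMBERS = {"ip": None, "ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}
OSPF = 89                        # IP protocol number for OSPF (RFC 2328)
ALL_SPF_ROUTERS = "224.0.0.5"    # hellos / flooding on broadcast networks
ALL_D_ROUTERS = "224.0.0.6"      # traffic addressed to the DR/BDR


class Packet(NamedTuple):        # assumed minimal packet model
    proto: int
    src: str
    dst: str


class Ace(NamedTuple):           # one parsed access-control entry
    action: str
    proto: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _address(tokens, i):
    """Consume 'host A' or 'any' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def parse_acl(config, name):
    """Return the ACEs of access-list NAME in configuration order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = t[3], PROTO_NUMBERS[t[4]]
        src, i = _address(t, 5)
        dst, i = _address(t, i)
        if i != len(t):
            raise ValueError(f"trailing tokens not supported: {line}")
        aces.append(Ace(action, proto, src, dst, line.strip()))
    return aces


def _matches(ace, pkt):
    return ((ace.proto is None or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst)


def evaluate(aces, pkt):
    """First-match evaluation; an ASA ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


def dead_aces(aces, packets):
    """ACEs that match none of the given packets: candidates for review."""
    return [a.text for a in aces if not any(_matches(a, p) for p in packets)]


# The five entries quoted in the original post.
ACL_TEXT = """
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4
"""
ACES = parse_acl(ACL_TEXT, "DMZ-IN")

# Constructed OSPF traffic the neighbor at 1.1.1.1 could send.
OSPF_TRAFFIC = [
    Packet(OSPF, "1.1.1.1", ALL_SPF_ROUTERS),   # multicast hello
    Packet(OSPF, "1.1.1.1", ALL_D_ROUTERS),     # DR/BDR multicast
    Packet(OSPF, "1.1.1.1", "1.1.1.2"),         # unicast to local interface
]

if __name__ == "__main__":
    for pkt in OSPF_TRAFFIC:
        print(pkt, "->", evaluate(ACES, pkt))
    print("entries that never match OSPF:", dead_aces(ACES, OSPF_TRAFFIC))
```

Running it shows the hello to 224.0.0.5 and the unicast packet each hit an explicit deny, the 224.0.0.6 packet is caught only by the implicit deny, and both 224.0.0.4 entries never match anything; since every entry is a deny, the ACL as written would block the neighbor's OSPF wherever it is actually applied.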



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART