Re: Deny OSPF neighbor relationship using access list

From: Roberto Correa (roberto_correa0@yahoo.com)
Date: Tue Jun 24 2008 - 15:33:46 ART


It seems that you are working on L2 firewall, but info below applies to both.

Don't forget the other interface configuration, let's say it is the internal
interface with permit ospf or ip any any. When the router on that interface
starts the OSPF it may successfully establish neighborhood.

Don't forget that ASA is stateful and packets that are valid responses will be
allowed through the firewall even if explicitly denied. Let's say:

Inside interface has access-group permit ip any any
DMZ interface has access-group deny ip any any

R1 on inside
R2 on DMZ

A. when R2 tries to start OSPF with preconfigured neighbor R1, it will fail!

B. when R1 tries to start OSPF with preconfigured neighbor R2 it will work!
    when R2 replied to OSPF session started by R1, it will still work!!!

If it is configured correctly, please be sure that your routers are not in the
same VLAN and ASA interface. In this case, ASA will not filter anything since
it is not "between" both routers.

One more thing: usually, if you are using L2 firewall ["mode transparent"] you
will be allowed only 2 interfaces, the "concept" of a DMZ may be not present
on a L2 firewall.

Roberto Correa

--- On Tue, 6/24/08, ISolveSystems <support@isolvesystems.com> wrote:
From: ISolveSystems <support@isolvesystems.com>
Subject: Re: Deny OSPF neighbor relationship using access list
To: "Tyson Scott" <tscott@ipexpert.com>
Cc: "Cisco certification" <ccielab@groupstudy.com>, "Cisco certification"
<security@groupstudy.com>
Date: Tuesday, June 24, 2008, 12:23 PM

I change it to .6. Same result.

On Tue, Jun 24, 2008 at 10:01 AM, Tyson Scott <tscott@ipexpert.com>
wrote:

> Well,
> You would want to do .5 and .6 not .4 and .5
>
> deny ospf host 1.1.1.1 host 1.1.1.2
> deny ospf host 1.1.1.1 host 224.0.0.5
> deny ospf host 1.1.1.1 host 224.0.0.6
>
> if that still doesn't work only add the network statement that you
> want OSPF running on and then redistribute the route for the
> interfaces you don't want it running on.
>
>
>
> On Tue, Jun 24, 2008 at 10:23 AM, ISolveSystems
> <support@isolvesystems.com> wrote:
> > Hello Expert,
> > I am trying to deny OSPF from forming relationship between ASAs. I tried
> > the following without success. 1.1.1.1 is the neighbor IP address.
> > 1.1.1.2 is the local interface IP.
> >
> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4
> >
> > Any idea?
> >
> > Thanks.
> >
> >
> >
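
Tyson's point about matching 224.0.0.5 and 224.0.0.6 rather than 224.0.0.4, as an added illustration that is not from anyone in the thread: a small Python model of ASA extended-ACL matching (first match wins, implicit deny at the end) run over the poster's DMZ-IN lines, with an assumed trailing `permit ip any any` appended so the deny lines have something to override. It reports which OSPF destinations from 1.1.1.1 each version of the ACL still permits.

```python
"""Model of ASA extended-ACL evaluation for the OSPF lines in this thread.

Constructed example: the deny lines are the poster's; the trailing
'permit ip any any' is an assumption (without a later permit, an ASA ACL's
implicit deny would already drop everything, so explicit denies change nothing).
"""
import ipaddress

ORIGINAL_ACL = [
    "access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2",
    "access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5",
    "access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4",
    "access-list DMZ-IN extended permit ip any any",  # assumed trailing permit
]
CORRECTED_ACL = [
    "access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2",
    "access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5",
    "access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.6",
    "access-list DMZ-IN extended permit ip any any",  # assumed trailing permit
]

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'net mask'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """'access-list NAME extended ACTION PROTO SRC DST' -> (action, proto, src, dst)."""
    t = line.split()
    action, proto = t[3], t[4]
    src, rest = _addr(t[5:])
    dst, _ = _addr(rest)
    return action, proto, src, dst

def evaluate(acl, proto, src, dst):
    """First matching ACE decides; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, sn, dn = parse_ace(line)
        if p in ("ip", proto) and s in sn and d in dn:
            return action
    return "deny"

# OSPF traffic the neighbor 1.1.1.1 can send toward the ASA interface 1.1.1.2
OSPF_PACKETS = [
    ("ospf", "1.1.1.1", "224.0.0.5"),  # Hello / AllSPFRouters
    ("ospf", "1.1.1.1", "224.0.0.6"),  # AllDRouters (DR/BDR traffic)
    ("ospf", "1.1.1.1", "1.1.1.2"),    # unicast DBD / LSR / LSU
]

def permitted_ospf(acl):
    """Destinations of OSPF packets the ACL still lets through."""
    return [dst for proto, src, dst in OSPF_PACKETS
            if evaluate(acl, proto, src, dst) == "permit"]
```

With the original lines, 224.0.0.6 is still permitted because the deny was written for 224.0.0.4; the corrected set closes that gap while leaving non-OSPF traffic on the assumed permit line.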



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART