From: Steve Rue (steve@ruehome.org)
Date: Tue Jun 24 2008 - 18:16:30 ART
How about using the neighbor command to establish your OSPF
relationships.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
rafalkazmierczak@wp.pl
Sent: Tuesday, June 24, 2008 3:50 PM
To: Luan Nguyen
Cc: 'Tyson Scott'; 'ISolveSystems'; 'Cisco certification'; 'Cisco
certification'
Subject: RE: Deny OSPF neighbor relationship using access list
Hi Luan/Tyson
Is it not the case that the access-lists on the PIX/ASA do not block traffic
directed AT the interface but only going through the fw?
By the same token you can't really block ISAKMP packets hitting the
interface.
Rafal
> The problem is it doesn't seem like you could deny ospf packet destination
> for the pix itself using the ACL?
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tyson Scott
> Sent: Tuesday, June 24, 2008 12:45 PM
> To: ISolveSystems
> Cc: Cisco certification; Cisco certification
> Subject: Re: Deny OSPF neighbor relationship using access list
>
> OK,
> As a recommendation in the future please provide more detail of the
> setup. Your last statement is not covered at all in your original
> question.
>
> Turn on authentication on the interface between the two you want to
> form an adjacency. If this still is not an option for you please
> provide more detail about your setup and why various methodologies
> won't work for you.
>
> On Tue, Jun 24, 2008 at 11:56 AM, ISolveSystems
> <support@isolvesystems.com> wrote:
> > The second recommendation is not going to work because the two neighbors
> > are on the same interface. I want to deny one of them.
> >
> > On Tue, Jun 24, 2008 at 10:28 AM, Tyson Scott <tscott@ipexpert.com> wrote:
> >>
> >> Then do my second recommendation
> >>
> >> On Tue, Jun 24, 2008 at 11:23 AM, ISolveSystems
> >> <support@isolvesystems.com> wrote:
> >> > I changed it to .6. Same result.
> >> >
> >> > On Tue, Jun 24, 2008 at 10:01 AM, Tyson Scott <tscott@ipexpert.com>
> >> > wrote:
> >> >>
> >> >> Well,
> >> >> You would want to do .5 and .6 not .4 and .5
> >> >>
> >> >> deny ospf host 1.1.1.1 host 1.1.1.2
> >> >> deny ospf host 1.1.1.1 host 224.0.0.5
> >> >> deny ospf host 1.1.1.1 host 224.0.0.6
> >> >>
> >> >> if that still doesn't work only add the network statement that you
> >> >> want OSPF running on and then redistribute the route for the
> >> >> interfaces you don't want it running on.
> >> >>
> >> >>
> >> >>
> >> >> On Tue, Jun 24, 2008 at 10:23 AM, ISolveSystems
> >> >> <support@isolvesystems.com> wrote:
> >> >> > Hello Expert,
> >> >> > I am trying to deny OSPF from forming a relationship between ASAs. I
> >> >> > tried the following without success. 1.1.1.1 is the neighbor IP address.
> >> >> > 1.1.1.2 is the local interface IP.
> >> >> >
> >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
> >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
> >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
> >> >> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
> >> >> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4
> >> >> >
> >> >> > Any idea?
> >> >> >
> >> >> > Thanks.
> >> >> >
> >> >> >
> >> >> >
> >> >> >
>
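
Added example, not part of any message in this thread: an ASA configuration sketch of the authentication approach recommended above, where only the two devices that should become neighbors share an OSPF key. The interface ID, the `DMZ` interface name, the /24 mask, the wanted peer's address 1.1.1.3 and the key placeholder are assumptions; 1.1.1.1 and 1.1.1.2 come from the original post.

```cisco
! --- Local ASA (1.1.1.2) ---
! Interface ACLs filter traffic passing through the firewall, so the
! adjacency is controlled in OSPF itself rather than in DMZ-IN.
interface Ethernet0/2
 nameif DMZ
 ip address 1.1.1.2 255.255.255.0
 ! Require MD5 authentication on every OSPF packet on this interface
 ospf authentication message-digest
 ! Key ID and key must match on both ends of the wanted adjacency
 ospf message-digest-key 1 md5 <shared-key>
!
! --- Wanted peer (assumed 1.1.1.3), same segment ---
interface Ethernet0/2
 nameif DMZ
 ip address 1.1.1.3 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <shared-key>
!
! --- Unwanted peer (1.1.1.1) ---
! No change. It does not hold the key, so its hellos fail authentication
! on 1.1.1.2 and the adjacency never leaves the Down state.
!
! --- Verification on the local ASA ---
! show ospf interface DMZ   (authentication type and key ID in use)
! show ospf neighbor        (1.1.1.3 listed, 1.1.1.1 absent)
```

Existing adjacencies on the segment drop until both ends carry the same key ID and key, so apply the change to the wanted peer and the local ASA in the same maintenance window.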
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART