Re: Deny OSPF neighbor relationship using access list

From: ISolveSystems (support@isolvesystems.com)
Date: Tue Jun 24 2008 - 18:26:08 ART


I thought about making the interface non-broadcast, but ASA only supports
p2p non-broadcast. It can only have 1 neighbor. There are other neighbors
that ASA is peering with...

On Tue, Jun 24, 2008 at 4:16 PM, Steve Rue <steve@ruehome.org> wrote:

> How about using the neighbor command to establish your OSPF
> relationships.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> rafalkazmierczak@wp.pl
> Sent: Tuesday, June 24, 2008 3:50 PM
> To: Luan Nguyen
> Cc: 'Tyson Scott'; 'ISolveSystems'; 'Cisco certification'; 'Cisco
> certification'
> Subject: RE: Deny OSPF neighbor relationship using access list
>
> Hi Luan/Tyson
> Is it not the case the access-lists on the PIX/ASA do not block traffic
> directed AT the interface but only going through the fw?
>
> By the same token you can't really block ISAKMP packets hitting the
> interface.
>
> Rafal
>
>
> > The problem is it doesn't seem like you could deny ospf packet destination
> > for the pix itself using the ACL?
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Tyson Scott
> > Sent: Tuesday, June 24, 2008 12:45 PM
> > To: ISolveSystems
> > Cc: Cisco certification; Cisco certification
> > Subject: Re: Deny OSPF neighbor relationship using access list
> >
> > OK,
> > As a recommendation in the future please provide more detail of the
> > setup. Your last statement is not covered at all in your original
> > question.
> >
> > Turn on authentication on the interface between the two you want to
> > form an adjacency. If this still is not an option for you please
> > provide more detail about your setup and why various methodologies
> > won't work for you.
> >
> > On Tue, Jun 24, 2008 at 11:56 AM, ISolveSystems
> > <support@isolvesystems.com> wrote:
> > > The second recommendation is not going to work because the two neighbors
> > > are on the same interface. I want to deny one of them.
> > >
> > > On Tue, Jun 24, 2008 at 10:28 AM, Tyson Scott <tscott@ipexpert.com> wrote:
> > >>
> > >> Then do my second recommendation
> > >>
> > >> On Tue, Jun 24, 2008 at 11:23 AM, ISolveSystems
> > >> <support@isolvesystems.com> wrote:
> > >> > I change it to .6. Same result.
> > >> >
> > >> > On Tue, Jun 24, 2008 at 10:01 AM, Tyson Scott <tscott@ipexpert.com>
> > >> > wrote:
> > >> >>
> > >> >> Well,
> > >> >> You would want to do .5 and .6 not .4 and .5
> > >> >>
> > >> >> deny ospf host 1.1.1.1 host 1.1.1.2
> > >> >> deny ospf host 1.1.1.1 host 224.0.0.5
> > >> >> deny ospf host 1.1.1.1 host 224.0.0.6
> > >> >>
> > >> >> if that still doesn't work only add the network statement that you
> > >> >> want OSPF running on and then redistribute the route for the
> > >> >> interfaces you don't want it running on.
> > >> >>
> > >> >>
> > >> >>
> > >> >> On Tue, Jun 24, 2008 at 10:23 AM, ISolveSystems
> > >> >> <support@isolvesystems.com> wrote:
> > >> >> > Hello Expert,
> > >> >> > I am trying to deny OSPF from forming relationship between ASAs. I
> > >> >> > tried the following without success. 1.1.1.1 is the neighbor IP
> > >> >> > address. 1.1.1.2 is the local interface IP.
> > >> >> >
> > >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
> > >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
> > >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
> > >> >> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
> > >> >> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4
> > >> >> >
> > >> >> > Any idea?
> > >> >> >
> > >> >> > Thanks.
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > _______________________________________________________________________
> > >> >> > Subscription information may be found at:
> > >> >> > http://www.groupstudy.com/list/CCIELab.html
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >>
> > >> >>
> > >>
> > >>
> >
> >
> >
> > --
> > Tyson Scott - CCIE #13513 R&S and Security
> > Technical Instructor - IPexpert, Inc.
> >
> > Telephone: +1.810.326.1444
> > Fax: +1.810.454.0130
> > Mailto: tscott@ipexpert.com
>
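The thread's conclusion is that an interface ACL on the PIX/ASA does not apply to OSPF packets addressed to the firewall itself, so the filter has to live in OSPF. The configuration below is an added example, written by the editor rather than by any poster in this thread, showing Tyson's suggestion: MD5 authentication on the shared interface, so that a peer without the key (1.1.1.1 in the original question) never completes an adjacency while the other neighbors on the same segment, which are given the key, still do. The interface name, nameif, OSPF process number, area and key string are assumptions; the addresses are the ones from the thread.

```cisco
! Added example (not from the thread): per-interface OSPF MD5 authentication
! on an ASA so that only peers holding the key reach FULL adjacency.
! Assumed values: interface GigabitEthernet0/2 named "dmz", OSPF process 1,
! area 0, key id 1, and a placeholder key string to be replaced.
router ospf 1
 network 1.1.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 1.1.1.2 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <replace-with-real-key>
!
! Verification: the peer that lacks the key (1.1.1.1) should be absent from
!   show ospf neighbor
! while the neighbors configured with the same key id and key stay FULL;
!   show ospf interface
! confirms message-digest authentication is active on the dmz interface.
```

Two points worth keeping in mind with this approach. Authentication is per interface, so every neighbor you do want on that segment must carry the same key id and key; it selects peers by possession of the key, not by address, which is exactly what the original poster needed on a single shared interface. And because both hello multicast groups (224.0.0.5 for all OSPF routers, 224.0.0.6 for DR/BDR, not 224.0.0.4 as in the original ACL) are consumed by the ASA itself, neither an ACL on the interface nor a host-specific deny changes this behaviour; the authentication check is what rejects the unwanted hellos.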



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART