Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

OSPF Routing and the PIX535

Posted on 2004-10-08
12
Medium Priority
?
527 Views
Last Modified: 2010-04-09
Isn't there a way to set up default routes for the outside and inside interfaces rather than having 800 routing entries in the firewall?  Can this be done by only making changes on the pix?

This is what I have:

routing interface outside
  ospf authentication null
routing interface inside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside X.X.X.X 255.255.255.255 150.113.8.193 1
plus about 200 more routes that begin with route outside
0
Comment
Question by:sunnyd24
  • 6
  • 6
12 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12262016
>route outside 0.0.0.0 0.0.0.0 150.113.8.193 5 <== the "5" should be replaced with "1"

This global default trumps all the rest and no others are necessary, but I'll bet the others were entered because the default didn't work because of the "5". This is a hop-count, not a cost metric on a PIX..

So, what's your question on OSPF here?

0
 

Author Comment

by:sunnyd24
ID: 12262366
I guess I didn't really have a question about OSPF.  I just don't understand PIX routing very well.  Is the hop count to the first router or the first switch?  Thanks for the quick reply!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12262456
The Hop count should always be 1, meaning that the next hop is on the same connected interface - only one hop away
Not the same physical interface, but on the same logical IP subnet/ VLAN whatever.. A traceroute to that IP shows it as only one L3 hop..
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 

Author Comment

by:sunnyd24
ID: 12262720
Our HP openview goes red when I take out all the other route outside entries.  They all have the same IP 150.113.8.193.  However we are still able to get out to the internet and the only path is through the firewall.  Any ideas?
0
 

Author Comment

by:sunnyd24
ID: 12262727
HP openview is just pinging the network devices beyond the firewall.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12262775
Did you change the metric on the default?

Do you have proxyarp disabled?

That just does not make sense if they are all pointing to the same upstream router...
0
 

Author Comment

by:sunnyd24
ID: 12262804
Yes I changed the 5 to a 1

as far as proxyarp these are the entries I have:
sysopt noproxyarp outside
sysopt noproxyarp inside

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12262838
Do you have any other firewalls in the mix?
Suggest enabling proxyarp on the inside interface (unless you have some "alias" commands)

   no sysopt noproxyarp inside
0
 

Author Comment

by:sunnyd24
ID: 12263040
There is only the 535 w/failover and there are no alias commands.

I haven't been able to find much on the proxyarp.  Is there any more to enabling Proxyarp than:

no sysopt noproxyarp inside

?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12263117
That's all there is to it..

If that's the only firewall you have, I would enable it on both interfaces. I think you'll be happier with the results.
0
 

Author Comment

by:sunnyd24
ID: 12263143
Great thanks for all your help!  That solved the problem.  
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12263151
Glad to help!
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Screencast - Getting to Know the Pipeline
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question