sunnyd24
asked on
OSPF Routing and the PIX535
Isn't there a way to set up default routes for the outside and inside interfaces rather than having 800 routing entries in the firewall? Can this be done by only making changes on the pix?
This is what I have:
routing interface outside
ospf authentication null
routing interface inside
ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside X.X.X.X 255.255.255.255 150.113.8.193 1
plus about 200 more routes that begin with route outside
This is what I have:
routing interface outside
ospf authentication null
routing interface inside
ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside X.X.X.X 255.255.255.255 150.113.8.193 1
plus about 200 more routes that begin with route outside
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The Hop count should always be 1, meaning that the next hop is on the same connected interface - only one hop away
Not the same physical interface, but on the same logical IP subnet/ VLAN whatever.. A traceroute to that IP shows it as only one L3 hop..
Not the same physical interface, but on the same logical IP subnet/ VLAN whatever.. A traceroute to that IP shows it as only one L3 hop..
ASKER
Our HP openview goes red when I take out all the other route outside entries. They all have the same IP 150.113.8.193. However we are still able to get out to the internet and the only path is through the firewall. Any ideas?
ASKER
HP openview is just pinging the network devices beyond the firewall.
Did you change the metric on the default?
Do you have proxyarp disabled?
That just does not make sense if they are all pointing to the same upstream router...
Do you have proxyarp disabled?
That just does not make sense if they are all pointing to the same upstream router...
ASKER
Yes I changed the 5 to a 1
as far as proxyarp these are the entries I have:
sysopt noproxyarp outside
sysopt noproxyarp inside
as far as proxyarp these are the entries I have:
sysopt noproxyarp outside
sysopt noproxyarp inside
Do you have any other firewalls in the mix?
Suggest enabling proxyarp on the inside interface (unless you have some "alias" commands)
no sysopt noproxyarp inside
Suggest enabling proxyarp on the inside interface (unless you have some "alias" commands)
no sysopt noproxyarp inside
ASKER
There is only the 535 w/failover and there are no alias commands.
I haven't been able to find much on the proxyarp. Is there any more to enabling Proxyarp than:
no sysopt noproxyarp inside
?
I haven't been able to find much on the proxyarp. Is there any more to enabling Proxyarp than:
no sysopt noproxyarp inside
?
That's all there is to it..
If that's the only firewall you have, I would enable it on both interfaces. I think you'll be happier with the results.
If that's the only firewall you have, I would enable it on both interfaces. I think you'll be happier with the results.
ASKER
Great thanks for all your help! That solved the problem.
Glad to help!
ASKER