Solved

OSPF Routing and the PIX535

Posted on 2004-10-08
Last Modified: 2010-04-09
Isn't there a way to set up default routes for the outside and inside interfaces rather than having 800 routing entries in the firewall? Can this be done by only making changes on the PIX?

This is what I have:

routing interface outside
  ospf authentication null
routing interface inside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside X.X.X.X 255.255.255.255 150.113.8.193 1
plus about 200 more routes that begin with route outside
Question by: sunnyd24

Accepted Solution by: lrmoore (earned 500 total points)

>route outside 0.0.0.0 0.0.0.0 150.113.8.193 5 <== the "5" should be replaced with "1"

This global default trumps all the rest and no others are necessary, but I'll bet the others were entered because the default didn't work because of the "5". This is a hop count, not a cost metric, on a PIX.

So, what's your question on OSPF here?

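An added example (editor's code, not from the thread or from Cisco): a small Python audit of a PIX static-route list that flags the two problems discussed above, a default route whose metric is not 1 and any more-specific `route` entry that points at the same gateway as the default and is therefore redundant. The config string is constructed for the example; the 192.0.2.x, 198.51.100.x and 172.16.x addresses are placeholders.

```python
import ipaddress
import re

# Constructed sample, modelled on the thread's entries (not the poster's real config).
SAMPLE_CONFIG = """\
routing interface outside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside 192.0.2.10 255.255.255.255 150.113.8.193 1
route outside 198.51.100.0 255.255.255.0 150.113.8.254 1
route inside 172.16.0.0 255.240.0.0 10.1.1.2 1
"""

# PIX syntax: route <interface> <network> <mask> <gateway> <metric>
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(config):
    """Return (interface, network, gateway, metric) tuples for every 'route' line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, gw, metric = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw, int(metric)))
    return routes


def audit_routes(config):
    """Flag default routes with metric != 1 and specific routes covered by a default
    route on the same interface with the same gateway."""
    routes = parse_routes(config)
    defaults = [r for r in routes if r[1].prefixlen == 0]
    findings = []
    for iface, _net, gw, metric in defaults:
        if metric != 1:
            findings.append(f"default via {gw} on {iface} has metric {metric}; PIX expects 1 (hop count)")
    for iface, net, gw, _metric in routes:
        if net.prefixlen == 0:
            continue
        for d_iface, _d_net, d_gw, _d_metric in defaults:
            if iface == d_iface and gw == d_gw:
                findings.append(f"route {iface} {net.network_address} {net.netmask} {gw} "
                                f"is covered by the default via {d_gw}")
    return findings


if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_CONFIG):
        print(finding)
```

Routes that point at a different gateway (198.51.100.0/24 via .254) or sit on another interface are left alone, since the default does not replace them.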

Author Comment by: sunnyd24
I guess I didn't really have a question about OSPF. I just don't understand PIX routing very well. Is the hop count to the first router or the first switch? Thanks for the quick reply!
Expert Comment by: lrmoore
The hop count should always be 1, meaning that the next hop is on the same connected interface, only one hop away.
Not the same physical interface, but on the same logical IP subnet/VLAN, whatever. A traceroute to that IP shows it as only one L3 hop.

Author Comment by: sunnyd24
Our HP OpenView goes red when I take out all the other route outside entries. They all have the same IP, 150.113.8.193. However, we are still able to get out to the internet, and the only path is through the firewall. Any ideas?

Author Comment by: sunnyd24
HP OpenView is just pinging the network devices beyond the firewall.
Expert Comment by: lrmoore
Did you change the metric on the default?

Do you have proxyarp disabled?

That just does not make sense if they are all pointing to the same upstream router...

Author Comment by: sunnyd24
Yes, I changed the 5 to a 1.

As far as proxyarp goes, these are the entries I have:
sysopt noproxyarp outside
sysopt noproxyarp inside

Expert Comment by: lrmoore
Do you have any other firewalls in the mix?
Suggest enabling proxyarp on the inside interface (unless you have some "alias" commands):

   no sysopt noproxyarp inside

Author Comment by: sunnyd24
There is only the 535 w/failover and there are no alias commands.

I haven't been able to find much on proxyarp. Is there any more to enabling proxyarp than:

no sysopt noproxyarp inside

?
Expert Comment by: lrmoore
That's all there is to it.

If that's the only firewall you have, I would enable it on both interfaces. I think you'll be happier with the results.

Author Comment by: sunnyd24
Great, thanks for all your help! That solved the problem.
Expert Comment by: lrmoore
Glad to help!