OSPF Routing and the PIX535

Isn't there a way to set up default routes for the outside and inside interfaces rather than having 800 routing entries in the firewall?  Can this be done by only making changes on the pix?

This is what I have:

routing interface outside
  ospf authentication null
routing interface inside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside X.X.X.X 255.255.255.255 150.113.8.193 1
plus about 200 more routes that begin with route outside
sunnyd24 asked:
lrmoore commented:
>route outside 0.0.0.0 0.0.0.0 150.113.8.193 5 <== the "5" should be replaced with "1"

This global default trumps all the rest and no others are necessary, but I'll bet the others were entered because the default didn't work because of the "5". This is a hop-count, not a cost metric on a PIX..

So, what's your question on OSPF here?

0
 
sunnyd24 (author) commented:
I guess I didn't really have a question about OSPF.  I just don't understand PIX routing very well.  Is the hop count to the first router or the first switch?  Thanks for the quick reply!
0
 
lrmoore commented:
The Hop count should always be 1, meaning that the next hop is on the same connected interface - only one hop away
Not the same physical interface, but on the same logical IP subnet/ VLAN whatever.. A traceroute to that IP shows it as only one L3 hop..
0
sunnyd24 (author) commented:
Our HP openview goes red when I take out all the other route outside entries.  They all have the same IP 150.113.8.193.  However we are still able to get out to the internet and the only path is through the firewall.  Any ideas?
0
 
sunnyd24 (author) commented:
HP openview is just pinging the network devices beyond the firewall.
0
 
lrmoore commented:
Did you change the metric on the default?

Do you have proxyarp disabled?

That just does not make sense if they are all pointing to the same upstream router...
0
 
sunnyd24 (author) commented:
Yes I changed the 5 to a 1

as far as proxyarp these are the entries I have:
sysopt noproxyarp outside
sysopt noproxyarp inside

0
 
lrmoore commented:
Do you have any other firewalls in the mix?
Suggest enabling proxyarp on the inside interface (unless you have some "alias" commands)

   no sysopt noproxyarp inside
0
 
sunnyd24 (author) commented:
There is only the 535 w/failover and there are no alias commands.

I haven't been able to find much on the proxyarp.  Is there any more to enabling Proxyarp than:

no sysopt noproxyarp inside

?
0
 
lrmoore commented:
That's all there is to it..

If that's the only firewall you have, I would enable it on both interfaces. I think you'll be happier with the results.
0
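The thread's advice boils down to three config-hygiene checks on the PIX: a default route whose metric is not 1, specific static routes that point out the same interface to the same gateway as the default (and so add nothing to forwarding), and interfaces where proxy ARP has been turned off with sysopt noproxyarp. The following Python script is an added example, not code from the thread or from Cisco; it parses a constructed PIX config excerpt modelled on the lines quoted above (150.113.8.193 is the gateway from the thread; the /32 hosts, the inside route and the inside gateway 10.1.1.2 are assumptions) and reports all three findings. As the thread itself shows, a route being redundant for forwarding does not mean it can be dropped without side effects: the monitoring failure here was resolved by re-enabling proxy ARP, so treat the redundant list as candidates to review, not an automatic cleanup.

```python
import re
from ipaddress import ip_network

# Constructed sample, modelled on the route/sysopt lines quoted in the thread.
# 150.113.8.193 is the upstream gateway from the thread; the /32 hosts, the
# inside route and the inside gateway are assumptions for this example.
SAMPLE_CONFIG = """\
routing interface outside
  ospf authentication null
routing interface inside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside 192.0.2.10 255.255.255.255 150.113.8.193 1
route outside 192.0.2.11 255.255.255.255 150.113.8.193 1
route inside 172.16.0.0 255.255.0.0 10.1.1.2 1
sysopt noproxyarp outside
sysopt noproxyarp inside
"""

# route <interface> <network> <mask> <gateway> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")
NOPROXY_RE = re.compile(r"^sysopt\s+noproxyarp\s+(\S+)\s*$")


def parse_routes(config):
    """Return one dict per 'route' line: interface, network, gateway, metric, raw line."""
    routes = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        iface, net, mask, gw, metric = m.groups()
        routes.append({
            "iface": iface,
            "network": ip_network(f"{net}/{mask}", strict=False),
            "gateway": gw,
            "metric": int(metric) if metric else 1,  # PIX default when the metric is omitted
            "line": line,
        })
    return routes


def default_routes(routes):
    """Routes with a zero-length prefix (0.0.0.0 0.0.0.0)."""
    return [r for r in routes if r["network"].prefixlen == 0]


def defaults_with_nonunit_metric(routes):
    """Default routes whose metric is not 1; the thread's first recommendation is to fix these."""
    return [r["line"] for r in default_routes(routes) if r["metric"] != 1]


def redundant_routes(routes):
    """Specific routes that use the same interface and gateway as a default route.

    Forwarding-wise they add nothing; the thread shows that removing them can
    still surface an unrelated dependency (proxy ARP), so they are review candidates.
    """
    defaults = {(d["iface"], d["gateway"]) for d in default_routes(routes)}
    return [r["line"] for r in routes
            if r["network"].prefixlen > 0 and (r["iface"], r["gateway"]) in defaults]


def noproxyarp_interfaces(config):
    """Interfaces where proxy ARP is disabled via 'sysopt noproxyarp <interface>'."""
    found = set()
    for raw in config.splitlines():
        m = NOPROXY_RE.match(raw.strip())
        if m:
            found.add(m.group(1))
    return found


def audit(config):
    """Run all three checks and return the findings as a dict."""
    routes = parse_routes(config)
    return {
        "route_count": len(routes),
        "default_metric_not_one": defaults_with_nonunit_metric(routes),
        "redundant_with_default": redundant_routes(routes),
        "noproxyarp": sorted(noproxyarp_interfaces(config)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a saved `show running-config` excerpt instead of SAMPLE_CONFIG to get the same report for a real device; the regexes only match the `route` and `sysopt noproxyarp` lines, so OSPF and other statements are ignored.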
 
sunnyd24 (author) commented:
Great thanks for all your help!  That solved the problem.  
0
 
lrmoore commented:
Glad to help!
0