Solved

OSPF Routing and the PIX535

Posted on 2004-10-08
522 Views
Last Modified: 2010-04-09
Isn't there a way to set up default routes for the outside and inside interfaces rather than having 800 routing entries in the firewall?  Can this be done by only making changes on the pix?

This is what I have:

routing interface outside
  ospf authentication null
routing interface inside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside X.X.X.X 255.255.255.255 150.113.8.193 1
plus about 200 more routes that begin with route outside
0
Question by:sunnyd24
12 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12262016
>route outside 0.0.0.0 0.0.0.0 150.113.8.193 5 <== the "5" should be replaced with "1"

This global default trumps all the rest and no others are necessary, but I'll bet the others were entered because the default didn't work because of the "5". This is a hop count, not a cost metric, on a PIX.

So, what's your question on OSPF here?

0
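An added example, not from the thread, that turns lrmoore's point into a small config-audit script: it parses PIX `route` lines, flags a default route whose metric (a hop count on the PIX) is not 1, and lists the specific routes made redundant by a default route to the same gateway out of the same interface so they can be reviewed before removal; routes to any other gateway are left alone. The route table is a constructed sample built around the thread's 150.113.8.193 gateway, with documentation prefixes standing in for the redacted entries.

```python
import ipaddress
import re

# Constructed sample PIX route table (not the poster's config): the thread's gateway
# 150.113.8.193 and 10.0.0.0/8 entry, plus documentation prefixes standing in for the
# redacted X.X.X.X hosts and for routes that use a different gateway.
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 150.113.8.193 5
route outside 10.0.0.0 255.0.0.0 150.113.8.193 1
route outside 192.0.2.7 255.255.255.255 150.113.8.193 1
route outside 198.51.100.0 255.255.255.0 150.113.8.193 1
route inside 172.16.0.0 255.240.0.0 150.113.9.1 1
route outside 203.0.113.0 255.255.255.0 150.113.8.200 1
"""

# PIX syntax: route <if_name> <network> <mask> <gateway> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_routes(text):
    """Parse 'route' lines into dicts; a missing metric defaults to 1 as on the PIX."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        iface, net, mask, gw, metric = m.groups()
        routes.append({
            "iface": iface,
            "prefix": ipaddress.ip_network(f"{net}/{mask}", strict=False),
            "gateway": ipaddress.ip_address(gw),
            "metric": int(metric or 1),
        })
    return routes


def audit_routes(routes):
    """Return (findings, redundant): default routes whose hop count is not 1, and
    specific routes already covered by a default route to the same gateway/interface."""
    defaults = [r for r in routes if r["prefix"].prefixlen == 0]
    findings = [
        f"{r['iface']} default via {r['gateway']} has metric {r['metric']}; "
        "on a PIX this is a hop count, so a directly reachable gateway needs 1"
        for r in defaults if r["metric"] != 1
    ]
    redundant = [
        r for r in routes if r["prefix"].prefixlen != 0
        and any(d["iface"] == r["iface"] and d["gateway"] == r["gateway"] for d in defaults)
    ]
    return findings, redundant
```

Run it over a saved `show route` or `write terminal` excerpt; the inside route and the 203.0.113.0/24 route via a different gateway stay out of the redundant list, which is the check you want before pruning hundreds of entries.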
 

Author Comment

by:sunnyd24
ID: 12262366
I guess I didn't really have a question about OSPF.  I just don't understand PIX routing very well.  Is the hop count to the first router or the first switch?  Thanks for the quick reply!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12262456
The hop count should always be 1, meaning that the next hop is on the same connected interface - only one hop away.
Not the same physical interface, but on the same logical IP subnet/VLAN, whatever. A traceroute to that IP shows it as only one L3 hop.
0
 

Author Comment

by:sunnyd24
ID: 12262720
Our HP OpenView goes red when I take out all the other route outside entries.  They all have the same IP 150.113.8.193.  However, we are still able to get out to the internet and the only path is through the firewall.  Any ideas?
0
 

Author Comment

by:sunnyd24
ID: 12262727
HP OpenView is just pinging the network devices beyond the firewall.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12262775
Did you change the metric on the default?

Do you have proxyarp disabled?

That just does not make sense if they are all pointing to the same upstream router...
0
 

Author Comment

by:sunnyd24
ID: 12262804
Yes, I changed the 5 to a 1.

As for proxyarp, these are the entries I have:
sysopt noproxyarp outside
sysopt noproxyarp inside

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12262838
Do you have any other firewalls in the mix?
Suggest enabling proxyarp on the inside interface (unless you have some "alias" commands)

   no sysopt noproxyarp inside
0
 

Author Comment

by:sunnyd24
ID: 12263040
There is only the 535 w/failover and there are no alias commands.

I haven't been able to find much on the proxyarp.  Is there any more to enabling Proxyarp than:

no sysopt noproxyarp inside

?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12263117
That's all there is to it.

If that's the only firewall you have, I would enable it on both interfaces. I think you'll be happier with the results.
0
 

Author Comment

by:sunnyd24
ID: 12263143
Great, thanks for all your help!  That solved the problem.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12263151
Glad to help!
0


Question has a verified solution.
