Perhaps I'm being pedantic, but I think of a firewall as a 
multi-component system.  The BGP should ideally be on its own router, 
or, as a second choice, on the external choke that connects to the 
DMZ. The proxy server/stateful inspection machine, etc., is connected 
to the DMZ, and then connects to the inside choke.

Unless you have multiple points of attachment to the Internet, 
presumably with multiple firewalls, what's the point of the BGP 
entering the inside network at all?



>Port 179, as someone else said. But if you are doing this through a
>firewall, you will also need a static NAT. You will also need eBGP
>multihop configured for your eBGP neighbor, as will that neighbor to reach
>you (eBGP assumes the neighbors are on the same segment).
>
>I've actually never tried this, believing this is a silly design, but
>intellectually speaking, there is no reason it should not work that I can
>see, if the above advice is followed.
>
>Chuck
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Circusnuts
>Sent: Monday, July 30, 2001 4:15 PM
>To: [EMAIL PROTECTED]
>Subject: BGP, TCP, & Firewalls [7:14286]
>
>
>I'm surveying a project I have been slated for @ work & I was wondering if
>the BGP gurus could help clear up a question. If I were to run internal BGP &
>external BGP, am I forced to leave a TCP port open in the firewall?
>
>I had not an answer when the customer asked me this  :-P
>
>Thanks
>Phil
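As an added illustration of the pieces Chuck lists (TCP 179 through the firewall, a static NAT, and eBGP multihop on both ends), here is a constructed Cisco IOS configuration that is not from anyone in this thread. Addresses are RFC 5737 documentation ranges, AS numbers are private, and the TCP MD5 password is an extra hardening step the thread does not mention.

```cisco
! --- Firewall / edge router (constructed example) ---
! Static NAT: inside BGP speaker 10.0.0.1 appears as 198.51.100.1
ip nat inside source static 10.0.0.1 198.51.100.1
!
! Only the one known peer may reach TCP 179 on the NATed address.
! Both directions are listed because either side may open the session;
! a stateful firewall only needs the inbound rule for sessions the
! peer initiates.
ip access-list extended OUTSIDE-IN
 permit tcp host 203.0.113.2 host 198.51.100.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 198.51.100.1
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! --- Inside BGP speaker 10.0.0.1 (AS 65001) ---
! The peer is not on the same segment, so set a TTL large enough
! to cross the firewall: ebgp-multihop <hop count>.
router bgp 65001
 neighbor 203.0.113.2 remote-as 65002
 neighbor 203.0.113.2 ebgp-multihop 3
 neighbor 203.0.113.2 password EXAMPLE-SHARED-SECRET
!
! --- External peer 203.0.113.2 (AS 65002) ---
! It must peer with the NATed address, not 10.0.0.1, and also
! needs multihop since 198.51.100.1 is behind the firewall.
router bgp 65002
 neighbor 198.51.100.1 remote-as 65001
 neighbor 198.51.100.1 ebgp-multihop 3
 neighbor 198.51.100.1 password EXAMPLE-SHARED-SECRET
```

The hop count in `ebgp-multihop` must cover every router between the two speakers, and the `deny ... log` line makes any other attempt to reach port 179 visible in the firewall log.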




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=14306&t=14286