Pat,

Getting a PIX to pass OSPF would require one of two methods: Routing or NAT. First, the PIX isn't a router, and if it were it still wouldn't work since OSPF LSAs are sent to the non-routable 224.0.0.5/6 addresses (as well as have a TTL of 1). NAT is not a viable alternative as NAT will not change the payload of OSPF packets, a requirement as networks would appear differently on one side than on the other.

An alternative, although it probably introduces an unwanted security problem, is to allow an IP-IP or GRE tunnel through the firewall. With OSPF packets encapsulated inside the tunnel, NAT becomes a non-issue. Of course, if you implement this type of solution you could encrypt data sent through the tunnel, which is better than nothing -- but I would not implement a solution like this for long-term use.

- Tom

In article , "Patrick Ramsey" wrote:
> First thought is that this will not work. Imagine this and tell me what
> you think.
>
> In PIX, your ACLs are based on tcp/udp/icmp.... these all are
> protocols, like ospf is its own protocol... since ospf (protocol 89) is
> separate, opening up a port dealing with tcp/udp/icmp would be
> completely useless.
>
> -Patrick
>
> >>> "pat" 10/29/01 11:01PM >>>
> Does anybody have any ideas on how to run OSPF across firewall. What
> ports to be open & how to make router establish neighbour relations across
> firewall.
>
> Any thought on this will be greatly appreciated.
>
> Thanks,
> patterson.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34357&t=24608
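The reasoning in the reply above, as an added example that is not part of the original thread: it builds a native OSPF Hello and the same packet inside a basic GRE tunnel, then shows which header fields a forwarding device gets to judge. All addresses, the zeroed Hello body and the helper names are constructed for illustration.

```python
import socket
import struct

OSPF, GRE = 89, 47  # IP protocol numbers

def ipv4(src, dst, proto, ttl, payload):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def parse(pkt):
    """Return the IPv4 header fields a forwarding device looks at."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "ttl": pkt[8], "payload": pkt[ihl:]}

def gre_encap(inner, src, dst, ttl=255):
    """Wrap an IPv4 packet in a basic GRE header (no flags, type 0x0800)."""
    return ipv4(src, dst, GRE, ttl, struct.pack("!HH", 0, 0x0800) + inner)

def forwardable(pkt):
    """Can a layer-3 hop pass this packet on? Judged on the outer header only."""
    h = parse(pkt)
    if h["dst"].startswith("224.0.0."):
        return False, "link-local multicast destination"
    if h["ttl"] <= 1:
        return False, "TTL expires at this hop"
    return True, "unicast IP protocol %d" % h["proto"]

def inner_of(pkt):
    """Return the parsed inner packet of a basic GRE/IPv4 tunnel, else None."""
    h = parse(pkt)
    if h["proto"] != GRE or len(h["payload"]) < 24:
        return None
    flags, ptype = struct.unpack("!HH", h["payload"][:4])
    return parse(h["payload"][4:]) if (flags, ptype) == (0, 0x0800) else None

# Constructed samples: an OSPFv2 Hello (version 2, type 1, body zeroed) and the
# same packet tunnelled between two hypothetical router addresses.
HELLO = ipv4("10.1.1.1", "224.0.0.5", OSPF, 1, b"\x02\x01" + bytes(22))
TUNNELLED = gre_encap(HELLO, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    for name, pkt in (("native hello", HELLO), ("GRE tunnelled", TUNNELLED)):
        print(name, forwardable(pkt))
    print("inner:", {k: v for k, v in inner_of(TUNNELLED).items() if k != "payload"})
```

The firewall only ever sees IP protocol 47 between the two tunnel endpoints, so that is the flow a rule would have to permit, and the OSPF traffic (and anything else routed into the tunnel) passes without being inspected.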

