----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 01, 2002 11:34 AM
Subject: bgp through a firewall
> Hi all,
>
> We are designing a redundant connection to an external network via different
> locations. Both connections are protected with a firewall (PIX).
>
> It seems that the only way to make this setup work is to talk a routing
> protocol (BGP) between our internal and our external router through the
> firewall.

Are you running iBGP to your external router(s)? I take it your external routers face the internet, and your internal routers have been running some form of IGP (EIGRP, OSPF, IS-IS)? Now you want to run BGP on the internal router because you have another possible path?

> Is this a safe solution, what are the issues when talking BGP through the
> firewall, are there other options to achieve redundancy?
>
> Any suggestions would be greatly appreciated!
>
> Regards,
>
> Inge Dortu

Purely from a networking layer, you could permit TCP port 179 through the PIX to your internal router. Keep in mind that BGP peers are *usually* one hop away. This means that your security model will still be simple. Simply allow communication of BGP sessions between the external router (which you presumably trust) and your internal router. BGP has its own security methods for authenticating neighbor establishments and routing updates.

For protecting your network from incorrect (possibly accidental) routing configurations and routing information, you should always employ route filtering on your BGP process. Things like AS path filtering might come in handy.

--truman

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
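The configuration below is an added illustration of the advice in truman's reply; it is not from the original thread or from either poster. It shows a PIX 6.x access list that lets only the two peers talk TCP/179, and an IOS BGP stanza on the internal router with an MD5 session password, an inbound prefix filter, an inbound AS-path filter and a prefix limit. Every address, AS number, list name and the password are placeholders chosen here: the external router is 192.0.2.1 in AS 64500, the internal router is 192.0.2.2 in AS 64501, and 10.0.0.0/8 stands for the internal address space. It assumes the PIX does not translate the peer addresses (hence the identity static) and that the PIX is the only device between the two routers.

```cisco
! ---- PIX 6.x: permit the BGP session only between the two peers ----
! Inbound sessions need a translation entry; this identity static maps the
! internal router to itself so the external router can reach it.
static (inside,outside) 192.0.2.2 192.0.2.2 netmask 255.255.255.255
!
! Only the trusted external router may open TCP/179 to the internal router.
access-list outside_in permit tcp host 192.0.2.1 host 192.0.2.2 eq 179
access-group outside_in in interface outside
! Sessions opened from the inside are allowed by default (higher to lower
! security); if an inside access list exists, add the mirror entry:
! access-list inside_out permit tcp host 192.0.2.2 host 192.0.2.1 eq 179

! ---- IOS, internal router: authenticated and filtered eBGP session ----
router bgp 64501
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description external router, reached through the PIX
 ! TCP MD5 signature (RFC 2385): both peers must use the same secret.
 neighbor 192.0.2.1 password PLACEHOLDER-SECRET
 ! Only needed if the firewall decrements the IP TTL; otherwise omit.
 ! neighbor 192.0.2.1 ebgp-multihop 2
 ! Inbound: routes must pass BOTH the prefix list and the AS-path list.
 neighbor 192.0.2.1 prefix-list FROM-EXTERNAL in
 neighbor 192.0.2.1 filter-list 1 in
 ! Outbound: announce only our own aggregate, never transit routes.
 neighbor 192.0.2.1 prefix-list TO-EXTERNAL out
 ! Tear the session down if the peer leaks far more prefixes than expected.
 neighbor 192.0.2.1 maximum-prefix 100
!
! Never accept our own address space back from the outside.
ip prefix-list FROM-EXTERNAL seq 5 deny 10.0.0.0/8 le 32
! Accept only what we expect from this peer (here: a default route).
ip prefix-list FROM-EXTERNAL seq 10 permit 0.0.0.0/0
! Everything else is dropped by the implicit deny.
!
ip prefix-list TO-EXTERNAL seq 5 permit 10.0.0.0/8
!
! AS-path filter: accept only routes originated by the peer's own AS,
! i.e. an AS path consisting of exactly 64500.
ip as-path access-list 1 permit ^64500$
```

Verify with "show ip bgp neighbors 192.0.2.1" that the session reaches Established and that the prefix count stays within the limit, and with "show ip bgp" that only the expected prefixes were accepted. If the session establishes without the password but sits in Active or Connect once the password is set on both sides, the firewall is rewriting TCP options and is stripping the MD5 signature option; that is worth testing before relying on MD5 through the PIX.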
