PIX OSPF Network
Configuring OSPF on your Security Appliance requires you to perform the following steps:
Step 1 Enable OSPF.
Step 2 Define the Security Appliance interfaces that need to run OSPF.
Step 3 Define OSPF areas.
Step 4 Configure LSA filtering to protect private addresses.
Using the configuration shown in Figure 11-2, the following commands configure OSPF
based on the scenario described:
pix515a(config)# router ospf 1
pix515a(config-router)# area 0 filter-list prefix ten in
pix515a(config-router)# network 192.168.0.0 255.255.0.0 area 0
pix515a(config-router)# network 172.16.1.0 255.255.255.0 area 172.16.1.0
pix515a(config-router)# network 10.10.10.0 255.255.255.0 area 10.10.10.0
pix515a(config-router)# prefix-list ten deny 10.10.10.0/24
pix515a(config)#
pix515a(config)# router ospf 1
pix515a(config-router)# prefix-list ten permit 172.16.1.0/24
pix515a(config)#
When configuring OSPF, you should also enable one of the following authentication
mechanisms:
■ Password
■ MD5 (message digest algorithm 5)
NOTE If you configure your Security Appliance as an ASBR, then you need to configure
multiple OSPF processes on the firewall if you want to perform address filtering.
Configuring OSPF
Figure 11-2 shows a typical OSPF deployment configuration. In this configuration, a PIX
Firewall is operating as an ABR. Because you do not want the information about private
networks sent out on the public interface, LSA filtering is applied to the Internet interface.
NAT is applied only to the inside interface (for the private networks).
In this configuration, the inside interface learns routes from both the DMZ and the outside
interface, but you do not want private routes to be propagated to either the DMZ or the
public interfaces.
area Command Parameters

Parameter         Description
area-id           The identifier of the area on which filtering is being configured
filter-list       Keyword indicating that you are configuring LSA filtering
prefix            Keyword indicating that you are specifying a configured prefix list to use for filtering
prefix-list-name  The name of the prefix list that you created using the prefix-list command
in                Keyword that applies the configured prefix list to prefixes advertised inbound to the specified area
out               Keyword that applies the configured prefix list to prefixes advertised outbound from the specified area
prefix-list Command Parameters

Parameter   Description
list-name   The name of the prefix list.
seq         Keyword indicating that you want to provide a sequence number.
seq-number  The sequence number for the prefix list entry, in the range from 1 to 4,294,967,295.
permit      Keyword indicating that the specified prefix should be allowed.
deny        Keyword indicating that the specified prefix should be disallowed.
prefix      Prefix address that is being identified.
len         A network mask indicator that identifies the number of valid bits in the prefix. (For instance, to specify a Class C address, the len value is 24.)
After configuring a prefix list, you apply that prefix list to an area by using the area
command. Filtering can be applied to traffic going into or coming out of an OSPF area or to
both the incoming and outgoing traffic for an area. The syntax for the area command is as
follows:
area area-id filter-list prefix {prefix-list-name in | out}
The parameters for the area command are shown in Table 11-12.
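The following is an added example, not part of the book text, that models how the prefix list "ten" from the scenario on this page behaves once it is applied with area 0 filter-list prefix ten in: entries are checked in sequence-number order, the first exact match decides, and anything unmatched is implicitly denied. The sequence numbers 5 and 10 are assumed (they are not shown on the page), and only exact prefix/length matches are modelled because the page does not cover ge/le modifiers.

```python
import ipaddress

# Prefix list "ten" as entered in the scenario; sequence numbers are assumed
# (the page shows none) and only reflect the order the entries were typed.
PREFIX_LIST_TEN = [
    (5, "deny", "10.10.10.0/24"),
    (10, "permit", "172.16.1.0/24"),
]


def prefix_list_action(entries, prefix):
    """Return 'permit' or 'deny' for one prefix.

    Entries are evaluated in ascending sequence order and the first entry
    whose network and length both equal the candidate wins.  Prefixes that
    match no entry fall through to the implicit deny at the end of the list.
    """
    target = ipaddress.ip_network(prefix, strict=True)
    for _seq, action, entry_prefix in sorted(entries):
        if ipaddress.ip_network(entry_prefix, strict=True) == target:
            return action
    return "deny"


def filter_area_lsas(entries, advertised_prefixes):
    """Apply an inbound area filter-list to the summary prefixes an ABR would
    inject into the area.  Returns (permitted, suppressed) prefix lists."""
    permitted, suppressed = [], []
    for candidate in advertised_prefixes:
        if prefix_list_action(entries, candidate) == "permit":
            permitted.append(candidate)
        else:
            suppressed.append(candidate)
    return permitted, suppressed


if __name__ == "__main__":
    # Constructed sample: the two scenario prefixes plus one private prefix
    # that has no entry, which shows the implicit deny at work.
    sample = ["10.10.10.0/24", "172.16.1.0/24", "10.10.20.0/24"]
    ok, dropped = filter_area_lsas(PREFIX_LIST_TEN, sample)
    print("advertised into area 0:", ok)
    print("suppressed:", dropped)
```

The implicit deny means any prefix you forget to permit is silently withheld from the area, so check the permitted list against every route the area is expected to receive before applying the filter in production.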
network Command Parameters

Parameter          Description
prefix-ip-address  IP address of the network being configured.
netmask            The network mask, which indicates the number of addresses covered by the area (for example, a Class C network pertains to 256 different addresses and is specified as 255.255.255.0).
area               Keyword indicating that the area information will follow.
area-id            The ID of the area to be associated with this OSPF address range.
router ospf Subcommand Options

Parameter            Description
area                 Configures OSPF areas
compatible           Runs OSPF in RFC 1583 compatible mode
default-information  Distributes a default route
distance             Configures administrative distances for the OSPF process
ignore               Suppresses syslog messages for receipt of Type 6 (MOSPF) LSAs
log-adj-changes      Logs OSPF adjacency changes
OSPF Commands
To configure OSPF on your Security Appliance, you use various commands. To enable OSPF
on your PIX Firewall, you use the router ospf command. The syntax is as follows:
router ospf pid
The pid represents a unique identification for the OSPF routing process in the range from 1
to 65,535. Each OSPF routing process on a single Security Appliance must be unique, and
Security Appliance Version 6.3 supports a maximum of two different OSPF routing
processes.
After you issue the router ospf command, the Security Appliance command prompt enters a
subcommand mode indicated by a command prompt similar to the following:
pix515a(config-router)#
In subcommand mode, you can configure various OSPF parameters (see Table 11-9).