Running OSPF across a PIX/ASA firewall: TTL details

Sharath Samanth has recently asked an interesting question:

I have seen the post on running OSPF across a PIX firewall. Since I did not have a PIX, I tested the solution by replacing PIX with a router.

I had configured the neighbor statements on both routers, but the OSPF was failing to come up. The debug indicated that the router emulating PIX was sending time exceeded ICMP to both OSPF-speaking routers.

The OSPF hello by default has a TTL of 1, which I think is an issue with this scenario. Is there anything special that's done on PIX to get OSPF working?

The answer is quite simple: the PIX does not behave like a router in this respect, but rather like a bridge with additional IP features (NAT and traffic filters). By default it does not decrement the TTL of a transit packet, so an OSPF packet with TTL=1 survives the firewall hop, whereas a router in the same position decrements it to zero, discards it and sends the ICMP Time Exceeded messages Sharath saw in his debug. The same behavior also means the firewall never breaks a forwarding loop through TTL expiry, which could lead to interesting loops if you badly mess up a redundant topology. (The ASA can be told to decrement the TTL with `set connection decrement-ttl` in a service policy; if someone has configured that, the trick stops working.) I have to congratulate Sharath on an excellent diagnosis of the problem.
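To make the TTL mechanics concrete, here is an added example (my own illustration, not code from this post or from Cisco) that builds a unicast OSPFv2 Hello with TTL=1, as a router with a `neighbor` statement would send it, and pushes it through two models of the device in the middle: a router hop per RFC 1812 (decrement, drop at zero with ICMP Time Exceeded) and a PIX/ASA hop that leaves the TTL alone unless `decrement-ttl` is enabled. Addresses, router ID and hello/dead timers are constructed sample values; the ICMP message itself is represented by a status string rather than a real packet.

```python
"""Model of a TTL=1 OSPF Hello crossing a router hop versus a PIX/ASA hop.

Added example, not from the original post. Packet layouts follow RFC 791 (IPv4)
and RFC 2328 A.3.1/A.3.2 (OSPFv2 header and Hello); addresses are made up.
"""
import socket
import struct

OSPF_PROTO = 89        # IP protocol number used by OSPF
OSPF_HELLO = 1         # OSPF packet type 1


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) of `data`, as the value to store in the field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def build_ospf_hello(router_id: str, area_id: str, mask: str,
                     hello_interval: int = 10, dead_interval: int = 40) -> bytes:
    """OSPFv2 Hello with null authentication, no DR/BDR and no neighbours listed."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello_interval,
                       0x02, 1, dead_interval, b"\x00" * 4, b"\x00" * 4)
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, 24 + len(body),
                      socket.inet_aton(router_id), socket.inet_aton(area_id),
                      0, 0, b"\x00" * 8)
    pkt = hdr + body
    # The OSPF checksum excludes the 64-bit authentication field; with AuType 0
    # that field is all zeros, so summing the whole packet gives the same result.
    return pkt[:12] + struct.pack("!H", ones_complement_sum(pkt)) + pkt[14:]


def parse_ospf_hello(packet: bytes) -> dict:
    """Validate both checksums and pull out the fields a neighbour would look at."""
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != OSPF_PROTO:
        raise ValueError("not an OSPF packet")
    ospf = packet[ihl:]
    version, ptype, length = struct.unpack("!BBH", ospf[:4])
    if version != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if ones_complement_sum(ospf[:length]) != 0:
        raise ValueError("bad OSPF checksum")
    mask, hello, _options, _prio, dead = struct.unpack("!4sHBBI", ospf[24:36])
    return {"ttl": packet[8],
            "src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "router_id": socket.inet_ntoa(ospf[4:8]),
            "area_id": socket.inet_ntoa(ospf[8:12]),
            "mask": socket.inet_ntoa(mask),
            "hello_interval": hello,
            "dead_interval": dead}


def router_hop(packet: bytes):
    """Router forwarding (RFC 1812 5.3.1): decrement TTL, rewrite the header
    checksum, and discard with ICMP Time Exceeded when the TTL would reach 0."""
    ttl = packet[8]
    if ttl <= 1:
        return "icmp-time-exceeded", None
    out = bytearray(packet)
    out[8] = ttl - 1
    out[10:12] = b"\x00\x00"
    ihl = (out[0] & 0x0F) * 4
    out[10:12] = struct.pack("!H", ones_complement_sum(bytes(out[:ihl])))
    return "forwarded", bytes(out)


def pix_asa_hop(packet: bytes, decrement_ttl: bool = False):
    """PIX/ASA forwarding: with the default configuration the packet goes through
    untouched; with `set connection decrement-ttl` it behaves like router_hop."""
    if decrement_ttl:
        return router_hop(packet)
    return "forwarded", packet


if __name__ == "__main__":
    hello = build_ospf_hello("10.0.0.1", "0.0.0.0", "255.255.255.0")
    # Unicast destination: this is what a `neighbor` statement makes the router send.
    pkt = build_ipv4("192.0.2.1", "192.0.2.2", OSPF_PROTO, hello, ttl=1)
    print("router in the middle:  ", router_hop(pkt)[0])
    print("PIX/ASA, default config:", pix_asa_hop(pkt)[0])
    print("ASA with decrement-ttl: ", pix_asa_hop(pkt, decrement_ttl=True)[0])
```

The useful check is the third line of output: a router model and a firewall configured with `decrement-ttl` give the same result, which is why a TTL=1 packet that crosses a default PIX/ASA is "impossible" from a router's point of view but perfectly normal here.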

This article is part of the You've asked for it series.

7 comments:

  1. In other words then, doing it with PIX in the middle instead of a router should work fine without the TTL issues?

  2. Here is another example where it only works with the PIX/ASA but not with a router.

    Please refer to this URL from Cisco.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

    If you replace one end of the PIX/ASA with a Cisco router and do the same IPSec tunnel with the OSPF neighbor statement, your adjacency still won't come up because you will get an error on the router saying the remote peer was not on a common subnet.

    Cisco has done something in the ASA code to (I believe) waive the check on common subnet.

  3. @vo: Yes, see the link in the quoted text within the post.

  4. ASA5505 is (with the very basic feature set) a very cheap device to play with. It's a handy platform to test a sophisticated setup like this OSPF one.

  5. Ivan: ASA doesn't decrement TTL with the default config. If you need this you may use a map in the service policy where you can order it to do it.

  6. RV (vr_vp@yahoo.com), 13 August, 2008 20:54

    I tried running OSPF between 2 routers across a firewall, by establishing a GRE tunnel and running OSPF through it. This takes care of the Hello packets (they have a TTL of 1) also.

    The only hitch is that the firewall must support the pass-through of GRE.

    I was also looking for a solution to run the OSPF across a firewall without using a GRE tunnel. One can configure the connected interfaces (with the firewall in between behaving like a router) not to broadcast (in our case multicast) OSPF. But then this stops the Hello packets also.

    Is there any way to sort of unicast the Hello packets across the Firewall? And to increase the TTL of Hello packets to more than 1? For me either might solve the issue to some extent.

  7. As I wrote in the post - the trick works because PIX/ASA does not decrease TTL, so OSPF packets with TTL=1 pass through it.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.