
Deny OSPF neighbor relationship using access list


It seems that you are working on an L2 firewall, but the info below applies to both.
Don’t forget the other interface configuration; let’s say it is the internal interface with permit ospf or ip any any. When the router on that interface starts the OSPF it may successfully establish neighborhood.
Don’t forget that ASA is stateful and packets that are valid responses will be allowed through the firewall even if explicitly denied. Let’s say:
Inside interface has access-group permit ip any any
DMZ interface has access-group deny ip any any
R1 on inside, R2 on DMZ
A. When R2 tries to start OSPF with preconfigured neighbor R1, it will fail!
B. When R1 tries to start OSPF with preconfigured neighbor R2, it will work! When R2 replies to the OSPF session started by R1, it will still work!!!
If it is configured correctly, please be sure that your routers are not in the same VLAN and ASA interface. In this case, ASA will not filter anything since it is not “between” both routers.
One more thing: usually, if you are using an L2 firewall (“mode transparent”) you will be allowed only 2 interfaces; the “concept” of a DMZ may not be present on an L2 firewall.
Roberto Correa
— On Tue, 6/24/08, ISolveSystems wrote:
From: ISolveSystems
Subject: Re: Deny OSPF neighbor relationship using access list
To: “Tyson Scott”
Cc: “Cisco certification”, “Cisco certification”
Date: Tuesday, June 24, 2008, 12:23 PM

I changed it to .6. Same result.
On Tue, Jun 24, 2008 at 10:01 AM, Tyson Scott wrote:
> Well,
> You would want to do .5 and .6 not .4 and .5
>
> deny ospf host 1.1.1.1 host 1.1.1.2
> deny ospf host 1.1.1.1 host 224.0.0.5
> deny ospf host 1.1.1.1 host 224.0.0.6
>
> If that still doesn’t work, only add the network statement that you want OSPF running on and then redistribute the route for the interfaces you don’t want it running on.
>
> On Tue, Jun 24, 2008 at 10:23 AM, ISolveSystems wrote:
> > Hello Expert,
> > I am trying to deny OSPF from forming relationship between ASAs. I tried the following without success. 1.1.1.1 is the neighbor IP address. 1.1.1.2 is the local interface IP.
> >
> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4
> >
> > Any idea?
> >
> > Thanks.
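Putting the two replies together, here is an added ASA configuration example that is not from any of the posters: it uses the corrected multicast groups from Tyson's reply and, following Roberto's point B, filters OSPF on the inside interface as well so that neither router can initiate. The ACL name DMZ-IN and the addresses 1.1.1.1/1.1.1.2 come from the thread; the interface names dmz/inside, the INSIDE-IN ACL name, the assumption that R2 is 1.1.1.1 on the DMZ and R1 is 1.1.1.2 on the inside, and the trailing permit lines are assumptions.

```text
! Constructed example, not the poster's running config.
! Assumed topology: R2 = 1.1.1.1 on interface "dmz", R1 = 1.1.1.2 on interface "inside".

! DMZ side: deny OSPF (IP protocol 89) before any permit.
! OSPF hellos go to 224.0.0.5 (AllSPFRouters) and DR/BDR traffic to
! 224.0.0.6 (AllDRouters); 224.0.0.4 is not an OSPF group, so those
! lines in the original ACL never match anything.
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.6
access-list DMZ-IN extended permit ip any any        ! assumed: rest of DMZ traffic
access-group DMZ-IN in interface dmz

! Inside side: a bare "permit ip any any" here lets R1 start the
! adjacency toward R2, and the stateful ASA then passes R2's replies
! even though DMZ-IN denies them. Deny OSPF from R1 as well.
access-list INSIDE-IN extended deny ospf host 1.1.1.2 host 1.1.1.1
access-list INSIDE-IN extended deny ospf host 1.1.1.2 host 224.0.0.5
access-list INSIDE-IN extended deny ospf host 1.1.1.2 host 224.0.0.6
access-list INSIDE-IN extended permit ip any any     ! assumed: rest of inside traffic
access-group INSIDE-IN in interface inside

! Verification: the hit counts on the deny lines show which direction
! the hellos are actually arriving from; a deny line with zero hits
! while the adjacency still forms points at the other interface.
show access-list DMZ-IN
show access-list INSIDE-IN
```

As Roberto notes, none of this applies if both routers share the same VLAN and ASA interface, because the firewall is then not in the path between them.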
