Go CCIE Go!! - A Cisco Certified Internetwork Expert

How about an ACL on the switchport, or a vlan filter?

From: ISolveSystems [mailto:support@isolvesystems.com] Sent: Tuesday, June 24, 2008 5:26 PM To: Steve Rue Cc: rafalkazmierczak@wp.pl; Luan Nguyen; Tyson Scott; Cisco certification; Cisco certification Subject: Re: Deny OSPF neighbor relationship using access list

I thought about making the interface non-broadcast, but ASA only supports p2p non-broadcast. It can only have 1 neighbor..There are other neighbors that ASA is peering with…
On Tue, Jun 24, 2008 at 4:16 PM, Steve Rue wrote:
How about using the neighbor command to establish your OSPF relationships.
—–Original Message—– From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
rafalkazmierczak@wp.pl Sent: Tuesday, June 24, 2008 3:50 PM To: Luan Nguyen Cc: ‘Tyson Scott’; ‘ISolveSystems’; ‘Cisco certification’; ‘Cisco certification’
Subject: RE: Deny OSPF neighbor relationship using access list
Hi Luan/Tyson Is it not the case the access-lists on the PIX/ASA do not block traffic directed AT the interface but only going through the fw?
By the same token you can’t really block ISAKMP packets hitting the interface.
Rafal
> The problem is it doesn’t seem like you could deny ospf packet destination > for the pix itself using the ACL? > > > —–Original Message—– > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of > Tyson Scott > Sent: Tuesday, June 24, 2008 12:45 PM > To: ISolveSystems > Cc: Cisco certification; Cisco certification > Subject: Re: Deny OSPF neighbor relationship using access list > > OK, > As a recommendation in the future please provide more detail of the > setup. Your last statement is not covered at all in your original > question. > > Turn on authentication on the interface between the two you want to > form an adjacency. If this still is not an option for you please > provide more detail about your setup and why various methodologies > wont work for you. > > On Tue, Jun 24, 2008 at 11:56 AM, ISolveSystems > wrote: > > The second recommendation is not going to work because the two neighbors > are > > on the same interface. I want to deny one of them. > > > > On Tue, Jun 24, 2008 at 10:28 AM, Tyson Scott wrote: > >> > >> Then do my second recommendation > >> > >> On Tue, Jun 24, 2008 at 11:23 AM, ISolveSystems > >> wrote: > >> > I change it to .6. Same result. > >> > > >> > On Tue, Jun 24, 2008 at 10:01 AM, Tyson Scott > >> > wrote: > >> >> > >> >> Well, > >> >> You would want to do .5 and .6 not .4 and .5 > >> >> > >> >> deny ospf host 1.1.1.1 host 1.1.1.2 > >> >> deny ospf host 1.1.1.1 host 224.0.0.5 > >> >> deny ospf host 1.1.1.1 host 224.0.0.6 > >> >> > >> >> if that still doesn’t work only add the network statement that you > >> >> want OSPF running on and then redistribute the route for the > >> >> interfaces you don’t want it running on. > >> >> > >> >> > >> >> > >> >> On Tue, Jun 24, 2008 at 10:23 AM, ISolveSystems > >> >> wrote: > >> >> > Hello Expert, > >> >> > I am trying to deny OSPF from forming relationship between ASAs. I > >> >> > tried > >> >> > the following without success. 1.1.1.1 is the neighbor IP address. > >> >> > 1.1.1.2is the local interface IP. > >> >> > > >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2 > >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5 > >> >> > access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4 > >> >> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5 > >> >> > access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4 > >> >> > > >> >> > Any idea? > >> >> > > >> >> > Thanks. > >> >> > > >> >> > > >> >> > > >> >> > >