Screen OS

  • 1.  ospf on both sides of firewall

    Posted 03-23-2009 09:53

    Hi All

    I am new to Juniper, so if you can bear with me:

    I need to configure a firewall to be in OSPF area 0 on both sides, trusted and untrusted, but to pass through the relevant protocol info while still performing the firewall function.

    I have configured up our ISG1000 so that the trust and untrust zones are in the relevant VRs, and the relevant VRs are both in the same OSPF area, 0. I have put in policy to allow OSPF between both areas and in each direction. I have enabled OSPF on the 2 interfaces. When I look on the VR routing page I have a green O under DRP, which seems to indicate that both VRs should have OSPF working.

    However, it doesn't seem to be allowing OSPF to work from one side of the firewall to another, while the trust side is working with OSPF to a Cisco L3 switch.

    Can you have both trust and untrust in the same OSPF area?

    Also, on the trust side the OSPF is working to a Cisco switch. I reset the router-id but the ISG is still seeing the old router-id. How do I get it to see the new router-id?

    Sorry if these are obvious, but my Juniper experience is nil.

    Steve



  • 2.  RE: ospf on both sides of firewall

    Posted 03-23-2009 11:08

    If it's a lab environment, then I think pretty much you can reset the OSPF instance and we should see the new router ID.

    For the VR issue, the trust and untrust are 2 separate routing instances. If you want to have the same routing table, I think you need to use the "export-to" command.

    EG:

    ssg20(trust-vr)-> set access-list 3 permit ip 0.0.0.0/0 5

    ssg20(trust-vr)-> set route-map name "test" permit 20

    ssg20(trust-vr/test-20)-> set match ip 3

    ssg20(trust-vr/test-20)-> exit

    ssg20(trust-vr)-> set export-to vr test route-map test protocol ospf         (where test is the other VR you want to export the routes to)



  • 3.  RE: ospf on both sides of firewall

    Posted 03-24-2009 02:53

    Thanks for the reply. Would it be easier for me to put both trust and untrust into the same VR?

    Then they would both be in the same routing instance and could talk to each other.

    Then, if I did that, the policy should do the job of letting the OSPF through.

    All I need is to have both in the same area 0.

    Steve



  • 4.  RE: ospf on both sides of firewall

    Posted 03-24-2009 03:06
    Sadly, those commands don't appear to work on the ISG 1000.


  • 5.  RE: ospf on both sides of firewall

    Posted 03-24-2009 03:56

    Sorry, I am wrong, they do: you just put vrouter (router name) in front of all commands and they work fine.
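
    Pulling reply #2 and reply #5 together, here is a complete ScreenOS configuration for the setup the thread describes: one virtual router per side, each running its own OSPF instance in area 0, an explicit inter-zone policy so OSPF (the predefined "OSPF" service, IP protocol 89) is permitted in both directions, and the export-to route map from reply #2 written in the vrouter-context form that reply #5 says the ISG accepts. This is an added example, not code from the original thread or from Juniper documentation; the interface names (ethernet1/1, ethernet1/2), the addresses (10.1.1.0/24 and 192.0.2.0/24), the router IDs, the access-list and route-map names, and the exact command spelling are assumptions chosen for illustration and should be checked against the CLI reference for your ScreenOS release. ScreenOS has no comment syntax, so the lines starting with # are explanatory only and are not CLI input.

```text
# Bind each zone to its own virtual router and give each side an interface
set zone trust vrouter trust-vr
set zone untrust vrouter untrust-vr
set interface ethernet1/1 zone trust
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/2 zone untrust
set interface ethernet1/2 ip 192.0.2.1/24

# One OSPF instance per VR. The router-id is set before the instance is
# enabled; a running instance keeps the ID it started with until it is
# disabled and re-enabled (the "reset the OSPF instance" point in reply #2).
set vrouter trust-vr
set router-id 10.1.1.1
set protocol ospf
set enable
exit
exit
set vrouter untrust-vr
set router-id 192.0.2.1
set protocol ospf
set enable
exit
exit

# Put both interfaces into area 0 and start OSPF on them
set interface ethernet1/1 protocol ospf area 0.0.0.0
set interface ethernet1/1 protocol ospf enable
set interface ethernet1/2 protocol ospf area 0.0.0.0
set interface ethernet1/2 protocol ospf enable

# The firewall stays a firewall: inter-zone traffic is denied unless a
# policy permits it, so OSPF needs a permit in each direction.
set policy from trust to untrust any any OSPF permit
set policy from untrust to trust any any OSPF permit

# Share OSPF-learned routes between the two routing tables. The access list
# is deliberately narrowed to the prefixes that must cross the boundary
# rather than 0.0.0.0/0 as in reply #2; widen it only if you really want
# every route on one side visible on the other.
set vrouter trust-vr
set access-list 3 permit ip 10.1.0.0/16 5
set route-map name "to-untrust" permit 20
set match ip 3
exit
set export-to vrouter untrust-vr route-map "to-untrust" protocol ospf
exit
set vrouter untrust-vr
set access-list 4 permit ip 192.0.2.0/24 5
set route-map name "to-trust" permit 20
set match ip 4
exit
set export-to vrouter trust-vr route-map "to-trust" protocol ospf
exit
```

    Two things to keep straight when reading this. First, export-to copies routes from one VR's table into the other's; it does not merge the two OSPF instances, so the Cisco switch on each side forms an adjacency with the firewall only, never with the router on the far side, and the firewall's own interface address is what each neighbour sees. Second, if routes exported into a VR also need to be advertised onward by that VR's OSPF instance, they have to be redistributed into it separately; export-to alone only makes them reachable from that VR. To check the result, `get vrouter trust-vr protocol ospf neighbor` (and the same for untrust-vr) should show each side's neighbour in Full state, and `get vrouter untrust-vr route` should list the trust-side prefixes the access list permitted.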



  • 6.  RE: ospf on both sides of firewall
    Best Answer

    Posted 03-24-2009 06:45

    Man Very Happy

    Well done, that did the trick once I had added the necessary ScreenOS mods.