User Guide for Cisco Security Manager 4.0.1
Configuring Routing Policies on Firewall Devices

Table Of Contents

Configuring Routing Policies on Firewall Devices

Configuring No Proxy ARP

Configuring OSPF

About OSPF

General Tab

OSPF Advanced Dialog Box

Area Tab

Add/Edit Area/Area Networks Dialog Box

Range Tab

Add/Edit Area Range Network Dialog Box

Neighbors Tab

Add/Edit Static Neighbor Dialog Box

Redistribution Tab

Redistribution Dialog Box

Virtual Link Tab

Add/Edit OSPF Virtual Link Configuration Dialog Box

Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box

Filtering Tab

Add/Edit Filtering Dialog Box

Summary Address Tab

Add/Edit Summary Address Dialog Box

Interface Tab

Add/Edit Interface Dialog Box

Configuring RIP

RIP Page for PIX/ASA 6.3-7.1 and FWSM

Add/Edit RIP Configuration (PIX/ASA 6.3-7.1 and FWSM) Dialog Boxes

RIP Page for PIX/ASA 7.2 and Later

RIP - Setup Tab

RIP - Redistribution Tab

RIP - Filtering Tab

RIP - Interface Tab

Configuring Static Routes

Add/Edit Static Route Dialog Box


Configuring Routing Policies on Firewall Devices


The Routing section in Security Manager contains pages for defining and managing routing settings for security appliances.

This chapter contains the following topics:

Configuring No Proxy ARP

Configuring OSPF

Configuring RIP

Configuring Static Routes

Configuring No Proxy ARP

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. Address Resolution Protocol (ARP) is a Layer 2 protocol that resolves an IP address to a MAC address: a host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

With Proxy ARP, a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. Serving as an ARP Proxy for another host effectively directs network traffic to the proxy, in this case your security appliance. Traffic that passes through the appliance is then routed to the appropriate destination.

For example, the security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the appliance interface. Hosts on that network ARP for the global address as if it were local, so traffic can reach the translated destination only if the appliance answers for (claims) the global address and then routes the traffic to the real host.

By default, proxy ARP is enabled for all interfaces. Use the No Proxy ARP page to disable proxy ARP for global addresses:

To disable proxy ARP for one or more interfaces, enter their names in the Interfaces field. Separate multiple interfaces with commas. You can click Select to choose the interfaces from a list of interfaces defined on the device, and interface roles defined in Security Manager. Do not disable proxy ARP on an interface whose subnet contains NAT global addresses that the appliance must claim; as described above, those translations depend on the appliance answering ARP for the global addresses.
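The following is an added example, not code from Cisco or from Security Manager, that models the decision described above: the appliance answers ARP for addresses it owns, answers for NAT global addresses on the interface subnet only while proxy ARP is enabled, and stays silent otherwise. The Interface class, its nat_globals and no_proxy_arp attributes, and all MAC and IP addresses are constructed for illustration; the frame layout is standard Ethernet II plus IPv4-over-Ethernet ARP (RFC 826).

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP request or reply."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an ARP frame; raises ValueError for anything that is not IPv4 ARP on Ethernet."""
    if len(frame) < 42:
        raise ValueError("truncated frame")
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa), "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


@dataclass(frozen=True)
class Interface:
    """Hypothetical model of one appliance interface (not a Security Manager object)."""
    name: str
    mac: str
    ip: str                          # address the appliance owns on this interface
    nat_globals: FrozenSet[str]      # NAT global addresses on the interface subnet (proxied, not owned)
    no_proxy_arp: bool = False       # True if the interface is listed on the No Proxy ARP page


def answer_arp(iface: Interface, frame: bytes) -> Optional[bytes]:
    """Return the reply the appliance would send for this request, or None if it stays silent."""
    req = parse_arp(frame)
    if req["op"] != ARP_REQUEST:
        return None
    if req["tpa"] == iface.ip:
        pass                                   # own address: always answered
    elif req["tpa"] in iface.nat_globals and not iface.no_proxy_arp:
        pass                                   # proxy ARP: claim the global address so the traffic reaches the appliance
    else:
        return None                            # not ours, or proxy ARP disabled on this interface
    return build_arp(ARP_REPLY, iface.mac, req["tpa"], req["sha"], req["spa"])


if __name__ == "__main__":
    # Constructed sample: outside interface 203.0.113.1 proxying the NAT global 203.0.113.10
    outside = Interface("outside", "00:11:22:33:44:55", "203.0.113.1", frozenset({"203.0.113.10"}))
    request = build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:01", "203.0.113.254",
                        "00:00:00:00:00:00", "203.0.113.10")
    reply = answer_arp(outside, request)
    print(parse_arp(reply) if reply else "no reply")
```

The same request against an interface with no_proxy_arp set returns None, which is exactly the effect of listing that interface on this page: the global address is no longer claimed, and hosts on the segment get no answer for it.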

Navigation Path

(Device view) Select Platform > Routing > No Proxy ARP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > No Proxy ARP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Related Topics

Configuring Static Routes

Configuring RIP

Configuring OSPF

Configuring OSPF

The OSPF page provides nine tabbed panels for configuring OSPF (Open Shortest Path First) routing on a firewall device. The following topics provide detailed information about enabling and configuring OSPF:

About OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Navigation Path

(Device view) Select Platform > Routing > OSPF from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPF from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

About OSPF

Open Shortest Path First (OSPF) is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements (LSAs) rather than routing table updates. Because only LSAs are exchanged, rather than entire routing tables, OSPF networks converge more quickly than RIP networks.

OSPF supports MD5 and clear-text neighbor authentication; a clear-text password travels unencrypted in every OSPF packet, so use MD5 wherever the peers support it. Authentication should be used with all routing protocols whenever possible: an unauthenticated device on a segment can form an adjacency and inject routes, and route redistribution between OSPF and other protocols (such as RIP) then carries the subverted routing information into the other routing domain.

If NAT is used when OSPF is operating on public and private areas, and if address filtering is required, you need to run two OSPF processes—one process for the public areas and one for the private areas.

A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that redistributes routes between OSPF and other routing protocols, acting as a gateway between the OSPF domain and those protocols, is called an Autonomous System Boundary Router (ASBR).

An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR Type 3 LSA filtering, you can have separate private and public areas with the security appliance acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to another. This lets you use NAT and OSPF together without advertising private networks.


Note Only Type 3 LSAs can be filtered. If you configure the security appliance as an ASBR in a private network, it will send Type 5 LSAs describing private networks, and those are flooded throughout the entire autonomous system (AS), including the public areas; area filtering cannot stop them.


If NAT is employed but OSPF is only running in public areas, routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the security appliance. Also, you should not mix public and private networks on the same security appliance interface.

General Tab

Use the General panel on the OSPF page to enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.


Note You cannot enable OSPF if you have RIP enabled.


Navigation Path

You can access the General panel from the OSPF page; see Configuring OSPF.

Related Topics

Configuring OSPF

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-1 OSPF General Tab 

Element
Description

The General tab provides two identical sections; each is used to enable one OSPF process. The following options are available in each section.

Enable this OSPF Process

Check this box to enable an OSPF process. You cannot enable an OSPF process if you have RIP enabled on the security appliance. Deselect this option to remove the OSPF process.

OSPF Process ID

Enter a unique numeric identifier for the OSPF process. This process ID is used internally and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535.

Advanced button

Opens the OSPF Advanced Dialog Box, in which you can configure additional process-related parameters, such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings.


OSPF Advanced Dialog Box

Use the OSPF Advanced dialog box to configure settings such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings for an OSPF process.

Navigation Path

You can access the OSPF Advanced dialog box from the General Tab.

Related Topics

Configuring OSPF

General Tab

Field Reference

Table 46-2 OSPF Advanced Dialog Box 

Element
Description

OSPF Process

Displays the ID of the OSPF process you are configuring. You cannot change this value in this dialog box.

Router ID

To use a fixed router ID, enter a router ID in IP address format in the Router ID field. If you leave this value blank, the highest IP address configured on the security appliance is used as the router ID. Set a fixed router ID on production devices: a router ID derived from an interface address can change when interface addresses change, and other OSPF devices identify this process by its router ID (for example, as a virtual link peer).

Ignore LSA MOSPF

Select this option to suppress transmission of syslog messages when the security appliance receives Type 6 (MOSPF) LSA packets.

RFC 1583 Compatible

Select this option to calculate summary route costs per RFC 1583. Deselect this option to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically. This option is selected by default.

Adjacency Changes

These options specify the syslog messages sent when adjacency changes occur.

Log Adjacency Changes - When selected, the security appliance sends a syslog message whenever an OSPF neighbor goes up or down. This option is selected by default.

Log Adjacency Changes Detail - When selected, the security appliance sends a syslog message whenever any state change occurs, not just when a neighbor goes up or down. This option is not selected by default.

Administrative Route Distances

Settings for the administrative route distances, according to the route type.

Inter Area - The administrative distance for all routes from one area to another. Valid values range from 1 to 255; the default value is 110.

Intra Area - The administrative distance for all routes within an area. Valid values range from 1 to 255; the default value is 110.

External - The administrative distance for all routes from other routing domains that are learned through redistribution. Valid values range from 1 to 255; the default value is 110.

Timers (in seconds)

Settings used to configure LSA pacing and SPF calculation timers.

SPF Delay - The time between receipt of a topology change and the start of shortest path first (SPF) calculations. Valid values range from 0 to 65535; the default value is 5 seconds.

SPF Hold - The hold time between consecutive SPF calculations. Valid values range from 1 to 65534; the default value is 10 seconds.

LSA Group Pacing - The interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800; the default value is 240 seconds.

Default Information Originate

Settings used by an ASBR to generate a default external route into an OSPF routing domain.

Enable Default Information Originate - Check this box to enable generation of a default route into the OSPF routing domain; the following options become available:

Always advertise the default route - Check this box to always advertise the default route.

Metric Value - Enter the OSPF metric for the default route. Valid values range from 0 to 16777214; the default value is 1.

Metric Type - Choose the external link type associated with the default route advertised into the OSPF routing domain. The choices are 1 or 2, indicating a Type 1 or a Type 2 external route. The default value is 2.

Route Map - (Optional) The name of a route map to apply. The routing process generates the default route if the route map is satisfied.

Note This field contains only the Route Map name. The Route Map is created and contained within a FlexConfig; see Chapter 7, "Managing FlexConfigs" for more information.


Area Tab

Use the Area tab on the OSPF page to configure OSPF areas and networks.

Navigation Path

You can access the Area tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Add/Edit Area/Area Networks Dialog Box

Configuring OSPF

General Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-3 Area Tab 

Element
Description

OSPF Process

The OSPF process the area applies to.

Area ID

The area ID.

Area Type

The area type (Normal, Stub, or NSSA).

Networks

The area networks.

Options

The options, if any, set for the area type.

Authentication

The type of authentication set for the area (None, Password, or MD5).

Cost

The default cost for the area.


Add/Edit Area/Area Networks Dialog Box

Use the Add/Edit Area/Area Networks dialog box to define area parameters, the networks contained by the area, and the OSPF process associated with the area.

Navigation Path

You can access the Add/Edit Area/Area Networks dialog box from the Area tab. For more information about the Area tab, see Area Tab.

Related Topics

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-4 Add/Edit Area/Area Networks Dialog Box 

Element
Description

OSPF Process

When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being added. If there is only one OSPF process enabled on the security appliance, that process is selected by default. When editing an existing area, you cannot change the OSPF process ID.

Area ID

When adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295. You cannot change the area ID when editing an existing area.

Area Type

Normal

Choose this option to make the area a standard OSPF area. This option is selected by default when you first create an area.

Stub

Choosing this option makes the area a stub area. A stub area has no routers or areas beyond it, and AS External LSAs (Type 5 LSAs) are not flooded into it; routers in the area reach external destinations through a default route from the ABR. When you create a stub area, you can also prevent summary LSAs (Type 3 and 4) from being flooded into the area by deselecting the Summary check box.

Summary (allows sending LSAs into the stub area)

When the area being defined is a stub area, deselecting this check box prevents summary LSAs (Type 3 and 4) from being sent into the stub area. This check box is selected by default for stub areas.

NSSA

Choose this option to make the area a not-so-stubby area. Like a stub area, an NSSA does not receive Type 5 LSAs, but it can still redistribute external routes as Type 7 LSAs, which the ABR translates into Type 5 LSAs for the rest of the domain. When you create an NSSA, you can prevent summary LSAs from being flooded into the area by deselecting the Summary check box. You can also disable route redistribution by deselecting the Redistribute check box and enabling Default Information Originate.

Redistribute (imports routes to normal and NSSA areas)

Deselect this check box to prevent routes from being imported into the NSSA. This check box is selected by default.

Summary (allows sending LSAs into the NSSA area)

When the area being defined is an NSSA, deselecting this check box prevents summary LSAs from being sent into the NSSA. This check box is selected by default for NSSAs.

Default Information Originate (generate a Type 7 default)

Select this check box to generate a Type 7 default into the NSSA. This check box is deselected by default.

Metric Value

Specifies the OSPF metric value for the default route. Valid values range from 0 to 16777214. The default value is 1.

Metric Type

The OSPF metric type for the default route. The choices are 1 (Type 1) or 2 (Type 2). The default value is 2.

Network

The IP address and network mask of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only use 0.0.0.0 in one area.

Tip You can click Select to select the networks from a list of network objects.

Authentication

Contains the settings for OSPF area authentication.

None—Choose this option to disable OSPF area authentication. This is the default setting.

Password—Choose this option to use a clear text password for area authentication. The password is carried unencrypted in every OSPF packet, so this option is not recommended where security is a concern; use MD5 instead.

MD5—Choose this option to use MD5 authentication.

Default Cost

Specify a default cost for the area. Valid values range from 0 to 65535. The default value is 1.


Range Tab

Use the Range tab to summarize routes between areas.

Navigation Path

You can access the Range tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Add/Edit Area Range Network Dialog Box

Configuring OSPF

General Tab

Area Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-5 Range Tab 

Element
Description

Process ID

The ID of the OSPF process associated with the route summary.

Area ID

The ID of the area associated with the route summary.

Network

The summary IP address and network mask.

Advertise

Displays "true" if the route summaries are advertised when they match the address/mask pair or "false" if the route summaries are suppressed when they match the address/mask pair.


Add/Edit Area Range Network Dialog Box

Use the Add/Edit Area Range Network dialog box to add a new entry to the Route Summarization table or to change an existing entry.

Navigation Path

You can access the Add/Edit Area Range Network dialog box from the Range tab. For more information about the Range tab, see Range Tab.

Related Topics

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-6 Add/Edit Area Range Network Dialog Box 

Element
Description

OSPF Process

Select the OSPF process to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Area

Select the area ID of the area to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Network

The IP address and mask of the network for the routes being summarized.

Tip You can click Select to select the networks from a list of network objects.

Advertise

Select this check box to set the address range status to "advertise". This causes Type 3 summary LSAs to be generated. Deselect this check box to suppress the Type 3 summary LSA for the specified networks.


Neighbors Tab

Use the Neighbors tab to define static neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Neighbors table.

Navigation Path

You can access the Neighbors tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Add/Edit Static Neighbor Dialog Box

Configuring OSPF

General Tab

Area Tab

Range Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-7 Neighbors Tab 

Element
Description

OSPF Process

The OSPF process associated with the static neighbor.

Neighbor

The IP address of the static neighbor.

Interface

The interface associated with the static neighbor.


Add/Edit Static Neighbor Dialog Box

Use the Add/Edit Static Neighbor dialog box to define a static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface.

Navigation Path

You can access the Add/Edit Static Neighbor dialog box from the Neighbors tab. For more information about the Neighbors tab, see Neighbors Tab.

Related Topics

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-8 Add/Edit Static Neighbor Dialog Box 

Element
Description

OSPF Process

The OSPF process associated with the static neighbor.

Neighbor

The IP address of the static neighbor.

Tip You can click Select to select the neighbor from a list of host objects.

Interface

The interface associated with the static neighbor.

Tip You can click Select to select the interface from a list of interface objects.

Redistribution Tab

Use the Redistribution tab to define the rules for redistributing routes from one routing domain to another.

Navigation Path

You can access the Redistribution tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Redistribution Dialog Box

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-9 Redistribution Tab 

Element
Description

OSPF Process

The OSPF process associated with the route redistribution entry.

Route Type

The source protocol the routes are being redistributed from. Valid entries are the following:

Static—The route is a static route.

Connected—The route was established automatically by virtue of having IP enabled on the interface.

OSPF—The route is an OSPF route from another process.

Match

The conditions used for redistributing routes from one routing protocol to another.

Subnets

Displays "true" if subnetted routes are redistributed. Does not display anything if only routes that are not subnetted are redistributed.

Metric Value

The metric that is used for the route. This column is blank for redistribution entries if the default metric is used.

Metric Type

Displays "1" if the metric is a Type 1 external route, "2" if it is a Type 2 external route.

Tag Value

A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Route Map

The name of the route map to apply to the redistribution entry.


Redistribution Dialog Box

Use the Redistribution dialog box to add a redistribution rule or to edit an existing redistribution rule in the Redistribution table.

Navigation Path

You can access the Redistribution dialog box from the Redistribution tab. For more information about the Redistribution tab, see Redistribution Tab.

Related Topics

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-10 OSPF Redistribution Settings Dialog Box 

Element
Description

OSPF Process

Select the OSPF process associated with the route redistribution entry.

Route Type

Select the source protocol from which the routes are being redistributed. You can choose one of the following options:

Static—The route is a static route.

Connected—The route was established automatically by virtue of having IP enabled on the interface.

OSPF—The route is an OSPF route from another process.

Match

The conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions:

Internal—The route is internal to a specific AS.

External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 1 external routes.

External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 external routes.

NSSA External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 1 NSSA routes.

NSSA External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

Metric Value

The metric value for the routes being redistributed. Valid values range from 1 to 16777214. When redistributing from one OSPF process to another OSPF process on the same device, the metric will be carried through from one process to the other if no metric value is specified. When redistributing other processes to an OSPF process, the default metric is 20 when no metric value is specified.

Metric Type

Select "1" if the metric is a Type 1 external route, "2" if the metric is a Type 2 external route.

Tag Value

The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Use Subnets

When selected, redistribution of subnetted routes is enabled. Deselect this check box to cause only routes that are not subnetted to be redistributed.

Route Map

The name of the route map to apply to the redistribution entry.


Virtual Link Tab

Use the Virtual Link tab to create virtual links. If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.

Navigation Path

You can access the Virtual Link tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Add/Edit OSPF Virtual Link Configuration Dialog Box

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-11 Virtual Link Tab 

Element
Description

OSPF Process

The OSPF process associated with the virtual link.

Area ID

The ID of the transit area.

Peer Router

The IP address of the virtual link neighbor.

Authentication

Displays the type of authentication used by the virtual link:

None—No authentication is used.

Password—Clear text password authentication is used.

MD5—MD5 authentication is used.


Add/Edit OSPF Virtual Link Configuration Dialog Box

Use the Add/Edit OSPF Virtual Link Configuration dialog box to define virtual links or change the properties of existing virtual links.

Navigation Path

You can access the Add/Edit OSPF Virtual Link Configuration dialog box from the Virtual Link tab. For more information about the Virtual Link tab, see Virtual Link Tab.

Related Topics

Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-12 Add/Edit OSPF Virtual Link Configuration Dialog Box 

Element
Description

OSPF Process

Select the OSPF process associated with the virtual link.

Area ID

Select the area shared by the neighbor OSPF devices. The selected area cannot be an NSSA or a stub area.

Peer Router

Enter the IP address of the virtual link neighbor.

Hello Interval

The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Retransmit Interval

The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Transmit Delay

The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Dead Interval

The interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field.

Authentication

Contains the OSPF authentication options.

None—Choose this option to disable OSPF authentication.

Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication (recommended).

Authentication Password

Contains the settings for entering the password when password authentication is enabled.

Password—Enter a text string of up to 8 characters.

Confirm—Re-enter the password.

MD5 IDs and Keys

Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.

MD5 Key ID and MD5 Key Table

MD5 Key ID—A numerical key identifier. Valid values range from 1 to 255.

MD5 Key—An alphanumeric character string of up to 16 bytes.


Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box

Use the Add/Edit OSPF Virtual Link MD5 Configuration dialog box to define MD5 keys for authentication of virtual links.

Navigation Path

You can access the Add/Edit OSPF Virtual Link MD5 Configuration dialog box from the Add/Edit OSPF Virtual Link Configuration dialog box. For more information about the Add/Edit OSPF Virtual Link Configuration dialog box, see Add/Edit OSPF Virtual Link Configuration Dialog Box.

Related Topics

Add/Edit OSPF Virtual Link Configuration Dialog Box

Virtual Link Tab

Configuring OSPF

Field Reference

Table 46-13 Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box 

Element
Description

MD5 Key ID

A numerical key identifier. Valid values range from 1 to 255.

MD5 Key

An alphanumeric character string of up to 16 bytes.

Confirm

Re-enter the MD5 key.
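To show what the MD5 Key ID and MD5 Key fields (here and on the virtual link dialog) actually protect, and why About OSPF recommends MD5 over a clear-text password, the following added example builds an OSPFv2 Hello with cryptographic authentication (RFC 2328 Appendix D), signs it, and verifies it the way a neighbor would. It is illustration code written for this page, not Cisco's implementation or anything Security Manager generates; the key, router IDs, and sequence numbers are constructed, and the pad_key, ospf_packet, sign and verify names are assumptions. The key is zero-padded to 16 bytes, the Key ID must be 1 to 255, and the neighbor must hold the same ID and key, exactly as the field descriptions state.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict

OSPF_V2 = 2
PKT_HELLO = 1
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2   # RFC 2328 Appendix D AuType values
MD5_KEY_LEN = 16                                       # MD5 Key field: up to 16 bytes, zero-padded
HEADER_LEN = 24
HEADER_FMT = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, authentication


def pad_key(key: bytes) -> bytes:
    """Keys shorter than 16 bytes are zero-padded before use (RFC 2328 D.4.3)."""
    if not 1 <= len(key) <= MD5_KEY_LEN:
        raise ValueError("MD5 key must be 1 to 16 bytes")
    return key.ljust(MD5_KEY_LEN, b"\x00")


def hello_body(netmask: str = "255.255.255.0", hello: int = 10, dead: int = 40,
               priority: int = 1) -> bytes:
    """Fixed part of a Hello with no neighbors listed; dead = 4 x hello, the dialog's default."""
    options = 0x02  # E bit: external routing capability
    return struct.pack("!4sHBBI4s4s", socket.inet_aton(netmask), hello, options,
                       priority, dead, b"\x00" * 4, b"\x00" * 4)


def ospf_packet(pkt_type: int, body: bytes, router_id: str, area_id: str,
                key_id: int, seq: int) -> bytes:
    """OSPFv2 header + body with AuType 2. With cryptographic authentication the
    checksum field is zero and the 8-byte authentication field holds
    0x0000 | Key ID | Auth Data Length (16) | cryptographic sequence number."""
    if not 1 <= key_id <= 255:
        raise ValueError("MD5 Key ID must be 1 to 255")
    length = HEADER_LEN + len(body)  # the digest trailer is not counted in the length field
    auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq)
    header = struct.pack(HEADER_FMT, OSPF_V2, pkt_type, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTO, auth)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Append MD5(packet || padded key), the 16-byte trailer every neighbor must reproduce."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(signed: bytes, keys: Dict[int, bytes], last_seq: Dict[str, int]) -> bool:
    """Check the trailer with the key selected by Key ID and reject sequence numbers
    that go backwards for a neighbor. RFC 2328 accepts an equal sequence number
    (several packets per second are legal), so a replay inside that window is not
    caught by OSPF itself."""
    if len(signed) < HEADER_LEN + MD5_KEY_LEN:
        return False
    version, _, length, rid, _, checksum, autype, auth = struct.unpack(HEADER_FMT, signed[:HEADER_LEN])
    if version != OSPF_V2 or autype != AUTYPE_CRYPTO or checksum != 0:
        return False
    if length + MD5_KEY_LEN != len(signed):
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    key = keys.get(key_id)
    if key is None or auth_len != MD5_KEY_LEN:
        return False                      # unknown Key ID: neighbors must share both ID and key
    packet, digest = signed[:length], signed[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(digest, expected):
        return False                      # wrong key or modified packet
    neighbor = socket.inet_ntoa(rid)
    if seq < last_seq.get(neighbor, 0):
        return False                      # replayed (older) packet
    last_seq[neighbor] = seq
    return True


if __name__ == "__main__":
    key = b"area0-key"                    # constructed sample key, not a real one
    pkt = ospf_packet(PKT_HELLO, hello_body(), "10.0.0.1", "0.0.0.0", key_id=1, seq=1_700_000_000)
    signed = sign(pkt, key)
    print(verify(signed, {1: key}, {}), verify(signed, {1: b"other"}, {}))
```

Contrast this with the Password option: with AuType 1 the 8-byte authentication field simply carries the password itself, so anyone who captures one packet on the segment has it. With AuType 2 the packet carries only the Key ID and a digest; the key never appears on the wire, and any change to the packet invalidates the trailer.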


Filtering Tab

Use the Filtering tab to configure the ABR Type 3 LSA filters for each OSPF process. ABR Type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.

Benefits

OSPF ABR Type 3 LSA filtering improves your control of route distribution between OSPF areas.

Restrictions

Only type-3 LSAs that originate from an ABR are filtered.

Navigation Path

You can access the Filtering tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Add/Edit Filtering Dialog Box

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-14 Filtering Tab 

Element
Description

OSPF Process

The OSPF process associated with the filter entry.

Area ID

The ID of the area associated with the filter entry.

Filtered Network

The IP address and mask of the network being filtered.

Traffic Direction

Displays "Inbound" if the filter entry applies to LSAs coming in to an OSPF area or "Outbound" if it applies to LSAs going out of an OSPF area.

Sequence #

The sequence number for the filter entry. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.

Action

Displays "Permit" if LSAs matching the filter are allowed or "Deny" if LSAs matching the filter are denied.

Lower Range

The minimum prefix length to be matched.

Upper Range

The maximum prefix length to be matched.


Add/Edit Filtering Dialog Box

Use the Add/Edit Filtering dialog box to add new filters to the Filter table or to modify an existing filter.

Navigation Path

You can access the Add/Edit Filtering dialog box from the Filtering tab. For more information about the Filtering tab, see Filtering Tab.

Related Topics

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-15 Add/Edit Filtering Dialog Box 

Element
Description

OSPF Process

Select the OSPF process associated with the filter entry.

Area ID

Select the ID of the area associated with the filter entry.

Prefix List Name

 

Filtered Network

Enter the IP address and mask of the network being filtered.

Traffic Direction

Select the traffic direction to filter. Choose "Inbound" to filter LSAs coming into an OSPF area or "Outbound" to filter LSAs going out of an OSPF area.

Sequence Number

Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.

Action

Select "Permit" to allow the LSA traffic or "Deny" to block the LSA traffic.

Lower Range

Specify the minimum prefix length to be matched. The value of this setting must be greater than the length of the network mask entered in the Filtered Network field and less than or equal to the value, if present, entered in the Upper Range field.

Upper Range

Enter the maximum prefix length to be matched. The value of this setting must be greater than or equal to the value, if present, entered in the Lower Range field, or, if the Lower Range field is left blank, greater than the network mask length entered in the Filtered Network field.
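The way the entries in this table are evaluated can be seen in the following added example. It is not Security Manager or ASA code; it models a filter entry as a prefix-list line (Sequence Number, Action, Filtered Network, Lower Range, Upper Range), applies the constraints stated above for the two range fields, and resolves a prefix against the lowest-sequence matching entry. The filter entries and prefixes are constructed sample values, and the treatment of an unmatched prefix as restricted follows the statement in the Filtering Tab description that only the specified prefixes are sent.

```python
"""Evaluator for OSPF ABR Type 3 LSA filter entries (prefix-list style).

Added illustration, not Security Manager or ASA code: it models how the
entries from the Add/Edit Filtering dialog box decide whether a summary
LSA prefix is sent into or out of an area.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEQ_MAX = 4294967294  # upper limit stated for the Sequence Number field


@dataclass(frozen=True)
class FilterEntry:
    seq: int                      # Sequence Number
    action: str                   # "permit" or "deny"
    network: str                  # Filtered Network, e.g. "10.0.0.0/8"
    lower: Optional[int] = None   # Lower Range: minimum prefix length
    upper: Optional[int] = None   # Upper Range: maximum prefix length


def validation_errors(e: FilterEntry) -> List[str]:
    """Constraint violations for one entry (empty list means valid).

    Lower Range must exceed the Filtered Network mask length and not exceed
    Upper Range; Upper Range must be at least Lower Range or, with Lower
    Range blank, exceed the mask length.
    """
    errors = []
    if not 1 <= e.seq <= SEQ_MAX:
        errors.append("sequence number must be 1..%d" % SEQ_MAX)
    if e.action not in ("permit", "deny"):
        errors.append("action must be permit or deny")
    try:
        mask_len = ipaddress.ip_network(e.network, strict=True).prefixlen
    except ValueError:
        return errors + ["filtered network must be a network address with mask"]
    if e.lower is not None and not mask_len < e.lower <= 32:
        errors.append("lower range must be greater than the mask length")
    if e.upper is not None:
        if e.lower is not None and e.upper < e.lower:
            errors.append("upper range must be >= lower range")
        if e.lower is None and not mask_len < e.upper <= 32:
            errors.append("upper range must be greater than the mask length")
    return errors


def entry_matches(e: FilterEntry, prefix: ipaddress.IPv4Network) -> bool:
    """Without ranges the entry matches the exact prefix only; with ranges the
    prefix must lie inside the filtered network and its length must fall
    within [Lower Range, Upper Range]."""
    net = ipaddress.ip_network(e.network, strict=True)
    if e.lower is None and e.upper is None:
        return prefix == net
    if not prefix.subnet_of(net):
        return False
    low = e.lower if e.lower is not None else net.prefixlen
    high = e.upper if e.upper is not None else 32
    return low <= prefix.prefixlen <= high


def evaluate(entries: List[FilterEntry], prefix: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the lowest-sequence entry matching the prefix.

    A prefix matching no entry is restricted ("deny", None): only the
    specified prefixes cross the area boundary.
    """
    p = ipaddress.ip_network(prefix, strict=True)
    for e in sorted(entries, key=lambda x: x.seq):
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


def permitted(entries: List[FilterEntry], prefixes: List[str]) -> List[str]:
    """Prefixes that would be sent across the area boundary."""
    return [p for p in prefixes if evaluate(entries, p)[0] == "permit"]


# Constructed sample filter (assumed values, not from the page).
FILTER = [
    FilterEntry(10, "permit", "10.1.0.0/16"),            # exact /16 only
    FilterEntry(20, "deny", "10.0.0.0/8", lower=24),     # no /24 or longer out of 10/8
    FilterEntry(30, "permit", "10.0.0.0/8", upper=24),   # /8../24 summaries (but seq 20 wins for /24)
]

if __name__ == "__main__":
    for e in FILTER:
        assert not validation_errors(e), validation_errors(e)
    sample = ["10.1.0.0/16", "10.2.3.0/24", "10.2.0.0/20", "192.168.1.0/24"]
    for p in sample:
        print(p, evaluate(FILTER, p))
    print("sent:", permitted(FILTER, sample))
```

Note that 10.2.3.0/24 is denied even though sequence 30 would permit it: the lowest sequence number that matches decides, so the order of entries, not only their contents, determines what leaves the area.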


Summary Address Tab

Use the Summary Address tab to configure summary addresses for each OSPF routing process.

Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table.

Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.

Navigation Path

You can access the Summary Address tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Table 46-17

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Interface Tab

Field Reference

Table 46-16 Summary Address Tab 

Element
Description

OSPF Process

The OSPF process associated with the summary address.

Network

The IP address and network mask of the summary address.

Tag

A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs.

Advertise

Displays "true" if the summary routes are advertised. Displays "false" if the summary route is not advertised.


Add/Edit Summary Address Dialog Box

Use the Add/Edit Summary Address dialog box to add new entries or to modify existing entries in the Summary Address table.

Navigation Path

You can access the Add/Edit Summary Address dialog box from the Summary Address tab. For more information about the Summary Address tab, see Summary Address Tab.

Related Topics

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-17 Add/Edit Summary Address Dialog Box 

Element
Description

OSPF Process

Choose the OSPF process associated with the summary address. You cannot change this information when editing an existing entry.

Network

The IP address and network mask of the summary address.

Tag

The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Advertise

When selected, summary routes are advertised. Deselect this check box to suppress routes that fall under the summary address. By default, this check box is selected.


Interface Tab

Use the Interface tab to configure interface-specific OSPF authentication routing properties.

Navigation Path

You can access the Interface tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Table 46-19

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Field Reference

Table 46-18 Interface Tab 

Element
Description

Interface

The name of the interface to which the configuration applies.

Authentication

The type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:

None—OSPF authentication is disabled.

Password—Clear text password authentication is enabled.

MD5—MD5 authentication is enabled.

Area—The authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.

Point-to-Point

Displays "true" if the interface is set to non-broadcast (point-to-point). Displays "false" if the interface is set to broadcast.

Cost

The cost of sending a packet through the interface.

Priority

The OSPF priority assigned to the interface.

MTU Ignore

Displays "false" if MTU mismatch detection is enabled. Displays "true" if the MTU mismatch detection is disabled.

Database Filter

Displays "true" if outgoing LSAs are filtered during synchronization and flooding. Displays "false" if filtering is not enabled.

Hello Interval

The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Transmit Delay

The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Retransmit Interval

The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it resends the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Dead Interval

The interval, in seconds, during which no hello packets are received before neighbors declare the router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.


Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add OSPF authentication routing properties for an interface or to change an existing entry.

Navigation Path

You can access the Add/Edit Interface dialog box from the Interface tab. For more information about the Interface tab, see Interface Tab.

Related Topics

Configuring OSPF

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table 46-19 Add/Edit Interface Dialog Box 

Element
Description

Interface

The name of the interface to which the configuration applies.

Authentication

The type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:

No Authentication—OSPF authentication is disabled.

Area Authentication—The authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.

Password Authentication—Clear text password authentication is enabled.

MD5 Authentication—MD5 authentication is enabled.

Authentication Password

Contains the settings for entering the password when password authentication is enabled.

Enter Password—Enter a text string of up to 8 characters.

Confirm—Re-enter the password.

MD5 Key IDs and Keys

Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.

Key ID—Enter a numerical key identifier. Valid values range from 1 to 255.

Key—An alphanumeric character string of up to 16 bytes.

Confirm—Re-enter the MD5 key.

Cost

The cost of sending a packet through the interface.

Priority

The OSPF priority assigned to the interface.

MTU Ignore

When selected, MTU mismatch detection is disabled. Deselect this check box to enable MTU mismatch detection.

Database Filter All Out

When selected, outgoing LSAs are filtered during synchronization and flooding. Deselect this check box to disable filtering.

Hello Interval (sec)

The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Transmit Delay (sec)

The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Retransmit Interval (sec)

The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Dead Interval (sec)

The interval, in seconds, during which no hello packets are received before neighbors declare the router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.

Point-to-Point

Displays "true" if the interface is set to non-broadcast (point-to-point). Displays "false" if the interface is set to broadcast.
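What the Key ID and Key settings of MD5 authentication actually protect on the wire is shown by the following added example, which is not ASA or Security Manager code. It follows the cryptographic authentication procedure of RFC 2328, Appendix D: the OSPF header carries the key ID and a cryptographic sequence number, and a 16-byte MD5 digest of the packet followed by the 16-byte key is appended after the packet. The receiver recomputes the digest with the key it has configured for that key ID and rejects packets whose sequence number goes backwards. Router IDs, the key and the sequence numbers are constructed; null-padding of keys shorter than 16 bytes is an assumption made here to match the "up to 16 bytes" limit stated for the Key field.

```python
"""OSPF cryptographic (MD5) authentication as in RFC 2328, Appendix D.

Added illustration, not ASA or Security Manager code. Sample router IDs,
key and sequence numbers are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict

OSPF_VERSION = 2
TYPE_HELLO = 1
AUTYPE_CRYPTO = 2                    # AuType 2 = cryptographic authentication
KEY_LEN = 16
HEADER = struct.Struct("!BBHIIHH")   # version, type, length, router id, area id, checksum, autype
AUTH = struct.Struct("!HBBI")        # zero, key id, auth data length, cryptographic sequence number


def pad_key(key: bytes) -> bytes:
    """Keys of up to 16 bytes are null-padded to 16 (assumption, see lead-in)."""
    if not 1 <= len(key) <= KEY_LEN:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def hello_body(netmask: str, hello: int = 10, dead: int = 40, priority: int = 1) -> bytes:
    """Hello body: network mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR."""
    return struct.pack("!4sHBBIII", ipaddress.IPv4Address(netmask).packed,
                       hello, 0x02, priority, dead, 0, 0)


def sign(router_id: str, area_id: str, body: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """Build an OSPF packet with its MD5 digest appended (RFC 2328 D.4.3).

    With cryptographic authentication the checksum field stays zero and the
    Authentication field carries (0, key id, 16, sequence number). The digest
    is not counted in the packet length."""
    if not 1 <= key_id <= 255:
        raise ValueError("key id must be 1..255")
    length = HEADER.size + AUTH.size + len(body)
    header = HEADER.pack(OSPF_VERSION, TYPE_HELLO, length,
                         int(ipaddress.IPv4Address(router_id)),
                         int(ipaddress.IPv4Address(area_id)), 0, AUTYPE_CRYPTO)
    packet = header + AUTH.pack(0, key_id, KEY_LEN, seq) + body
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify(frame: bytes, keys: Dict[int, bytes], last_seq: Dict[str, int]) -> str:
    """Receiver-side check; returns "ok" or the reason the packet is dropped.

    keys maps configured key IDs to keys; last_seq remembers the highest
    sequence number accepted per neighbour so a replayed packet is rejected."""
    if len(frame) < HEADER.size + AUTH.size:
        return "short"
    version, ptype, length, rid, area, csum, autype = HEADER.unpack(frame[:HEADER.size])
    if autype != AUTYPE_CRYPTO:
        return "not cryptographic authentication"
    _, key_id, auth_len, seq = AUTH.unpack(frame[HEADER.size:HEADER.size + AUTH.size])
    if auth_len != KEY_LEN or len(frame) < length + KEY_LEN:
        return "bad authentication data"
    key = keys.get(key_id)
    if key is None:
        return "unknown key id %d" % key_id   # all devices on the link need the same key ID and key
    packet, digest = frame[:length], frame[length:length + KEY_LEN]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return "digest mismatch"
    neighbour = str(ipaddress.IPv4Address(rid))
    if seq < last_seq.get(neighbour, 0):
        return "replayed sequence number"
    last_seq[neighbour] = seq
    return "ok"


# Constructed sample key table: key ID 1 -> key (assumed values).
KEYS = {1: b"ospf-link-key"}

if __name__ == "__main__":
    frame = sign("10.0.0.1", "0.0.0.0", hello_body("255.255.255.0"), 1, KEYS[1], seq=1000)
    seen: Dict[str, int] = {}
    print(verify(frame, KEYS, seen))                                  # ok
    tampered = frame[:40] + bytes([frame[40] ^ 0x01]) + frame[41:]    # flip one bit in the body
    print(verify(tampered, KEYS, seen))                               # digest mismatch
    older = sign("10.0.0.1", "0.0.0.0", hello_body("255.255.255.0"), 1, KEYS[1], seq=999)
    print(verify(older, KEYS, seen))                                  # replayed sequence number
```

The digest is a plain MD5 over packet plus key rather than an HMAC, which is why the key length is fixed at 16 bytes and why every neighbour on the link must hold the same key under the same key ID: a mismatch in either produces a digest mismatch and the adjacency never forms.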


Configuring RIP

Routing Information Protocol (RIP) is a dynamic routing protocol, or more precisely, an interior gateway protocol that is based on distance vectors. RIP uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcast packets with neighboring devices to dynamically learn about and advertise routes. These RIP packets contain information about the destination networks that the gateways can reach, and the number of gateways that a packet must travel through to reach those destinations.

Cisco Security Manager supports both RIP version 1 and RIP version 2. Version 1 does not send the subnet mask with the routing update; RIP version 2 sends the subnet mask with the routing update, and supports variable-length subnet masks. Additionally, RIP version 2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that the security appliance receives reliable routing information from a trusted source.


Note You cannot enable RIP if you have OSPF processes running.


Limitations

RIP has the following limitations:

Cisco Security Manager cannot pass RIP updates between interfaces.

RIP Version 1 does not support variable-length subnet masks.

RIP has a maximum hop count of 15. A route with a hop count greater than 15 is considered unreachable.

RIP convergence is relatively slow compared to other routing protocols.

RIP Version 2 Notes

The following information applies to RIP Version 2 only:

If using neighbor authentication, the authentication key and key ID must be the same on all neighbor devices that provide RIP version 2 updates to the interface.

With RIP version 2, the security appliance transmits and receives default route updates using the multicast address 224.0.0.9. In passive mode, it receives route updates at that address.

When RIP version 2 is configured on an interface, the multicast address 224.0.0.9 is registered on that interface. When a RIP version 2 configuration is removed from an interface, that multicast address is unregistered.

Using Security Manager to Configure RIP on Security Appliances

Use the RIP page to enable the Routing Information Protocol on an interface. The settings and features available when configuring RIP depend on the type of device and OS version that you are configuring:

To configure RIP on a PIX Firewall or ASA running an OS version earlier than 7.2, or on any FWSM, see RIP Page for PIX/ASA 6.3-7.1 and FWSM.

To configure RIP on a PIX Firewall or ASA running OS version 7.2 or later, see RIP Page for PIX/ASA 7.2 and Later.

Related Topics

Configuring Static Routes

Configuring OSPF

Configuring No Proxy ARP

Configuring Routing Information Protocol - a chapter from the "Cisco IOS IP Configuration Guide, Release 12.2," providing additional detailed information about RIP

RIP Page for PIX/ASA 6.3-7.1 and FWSM

Use this RIP page to enable the Routing Information Protocol (RIP) on an interface in any FWSM, or in a PIX/ASA running a pre-7.2 version operating system.

The RIP table on this page lists all interfaces on which RIP is currently defined. Use the Add RIP Configuration and Edit RIP Configuration dialog boxes to create and maintain these entries. See Add/Edit RIP Configuration (PIX/ASA 6.3-7.1 and FWSM) Dialog Boxes for more information.

Navigation Path

(Device view) Select Platform > Routing > RIP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

When creating a shared RIP policy, you must choose a Version in the Create a Policy dialog box, as follows:

PIX/ASA 6.3-7.1 and FWSM

PIX/ASA 7.2 and Later

When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.

Related Topics

Configuring Static Routes

Configuring OSPF

Configuring No Proxy ARP

RIP Page for PIX/ASA 7.2 and Later

Standard rules table topics:

Using Rules Tables, page 12-7

Table Columns and Column Heading Features, page 1-34

Add/Edit RIP Configuration (PIX/ASA 6.3-7.1 and FWSM) Dialog Boxes

Use the Add RIP Configuration and Edit RIP Configuration dialog boxes to add a RIP configuration to the security appliance, or to make changes to an existing RIP configuration. By adding a RIP configuration, you enable RIP on the specified interface. Except for their titles, the two dialog boxes are identical.

Navigation Path

You can access the Add and Edit RIP Configuration dialog boxes from the RIP Page for PIX/ASA 6.3-7.1 and FWSM.

Field Reference

Table 46-20 Add/Edit RIP Configuration (PIX/ASA 6.3-7.1 and FWSM) Dialog Boxes 

Element
Description

Interface

Enter or Select the interface for the RIP configuration. You cannot configure two different RIP configurations on the same interface.

Mode

Select the interface behavior regarding RIP updates:

Send default routes - The interface will transmit RIP routing updates only.

Receive routes - The interface will listen for RIP routing broadcasts and use that information to populate its routing table, but it will not send RIP routing updates.

Send default routes and receive routes - The interface will send and receive RIP routing updates.

Version

Select the RIP version to enable on the interface:

RIP Version 1 - Enables RIP Version 1 on the interface.

RIP Version 2 - Enables RIP Version 2 on the interface. Configuring RIP Version 2 registers the multicast address 224.0.0.9 on the interface.

Version 2 Authentication

These options let you enable and select the type of authentication used with RIP Version 2.

Enable Authentication - This option is available when you select RIP Version 2 above. When this box is checked, RIP neighbor authentication is enabled and the following options become available:

Type - Select MD5 to use the MD5 hash algorithm for authentication (recommended), or select Clear text to use clear text for authentication.

Key ID - The identification number of the authentication key. This number must be shared with all other devices sending updates to and receiving updates from the security appliance. Valid values range from 1 to 255.

Key - The shared key used for authentication. This key must be shared with all other devices sending updates to and receiving updates from the security appliance. The key can be up to 16 characters.
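The Version and Version 2 Authentication choices above correspond to fields in every RIP update the interface receives. The following added example, which is not Security Manager or PIX/ASA code, decodes a RIP packet in the RFC 2453 format (the RIPv1 layout is the same with the mask and next-hop fields zero) and reports what an administrator reviewing a capture would look for: the version, whether the update is authenticated and how, and routes carrying the unreachable metric of 16. The sample response, its password and its prefixes are constructed; the MD5 variant (RFC 2082) is only recognized, not verified.

```python
"""Minimal RIP packet parser (RFC 2453 RIPv2 format, RIPv1 compatible).

Added illustration, not Security Manager or PIX/ASA code. The sample
packet below is constructed; password and prefixes are made up.
"""
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RIP_INFINITY = 16            # a hop count of 16 means unreachable
AFI_IP = 2
AFI_AUTH = 0xFFFF            # first entry with this AFI is the authentication entry
AUTH_SIMPLE = 2              # clear-text password, 16 bytes null-padded
AUTH_MD5 = 3                 # keyed MD5 (RFC 2082); the digest travels in a trailing entry


@dataclass
class Rte:
    tag: int
    prefix: str
    next_hop: str
    metric: int

    @property
    def reachable(self) -> bool:
        return 1 <= self.metric < RIP_INFINITY


@dataclass
class RipPacket:
    command: int                       # 1 = request, 2 = response
    version: int
    auth_type: Optional[int] = None
    auth_data: bytes = b""
    routes: List[Rte] = field(default_factory=list)

    @property
    def password(self) -> Optional[bytes]:
        """Clear-text password as carried on the wire (readable by anyone on the segment)."""
        return self.auth_data.rstrip(b"\x00") if self.auth_type == AUTH_SIMPLE else None


def parse_rip(data: bytes) -> RipPacket:
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("RIP packet is a 4-byte header plus 20-byte entries")
    command, version, zero = struct.unpack("!BBH", data[:4])
    if version not in (1, 2) or zero != 0:
        raise ValueError("unsupported version or non-zero pad")
    pkt = RipPacket(command, version)
    for idx in range(4, len(data), 20):
        entry = data[idx:idx + 20]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH:
            if idx == 4 and version == 2:          # leading authentication entry
                pkt.auth_type, pkt.auth_data = tag, entry[4:]
                continue
            if tag == 1:                           # trailing MD5 digest entry (RFC 2082)
                pkt.auth_data += entry[4:]
                continue
            raise ValueError("misplaced authentication entry")
        if afi != AFI_IP:
            raise ValueError("unsupported address family %d" % afi)
        ip, mask, nh, metric = struct.unpack("!4s4s4sI", entry[4:])
        addr = ipaddress.IPv4Address(ip)
        if version == 2:
            prefix = str(ipaddress.ip_network("%s/%s" % (addr, ipaddress.IPv4Address(mask)), strict=False))
        else:
            prefix = str(addr)                     # RIPv1 carries no subnet mask
        pkt.routes.append(Rte(tag, prefix, str(ipaddress.IPv4Address(nh)), metric))
    return pkt


def findings(pkt: RipPacket) -> List[str]:
    """Points worth flagging in a received update."""
    out = []
    if pkt.version == 1:
        out.append("RIPv1: no subnet mask, no authentication")
    elif pkt.auth_type is None:
        out.append("RIPv2 update without authentication")
    elif pkt.auth_type == AUTH_SIMPLE:
        out.append("clear-text password authentication (MD5 recommended)")
    for r in pkt.routes:
        if r.metric == 0 or r.metric > RIP_INFINITY:
            out.append("%s invalid metric %d" % (r.prefix, r.metric))
        elif not r.reachable:
            out.append("%s unreachable (metric %d)" % (r.prefix, r.metric))
    return out


def build_response(routes: List[Tuple[str, str, int]], version: int = 2,
                   password: Optional[bytes] = None) -> bytes:
    """Constructed RIP response as a neighbour would send it (sample generator)."""
    data = struct.pack("!BBH", 2, version, 0)
    if password is not None and version == 2:
        data += struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE) + password.ljust(16, b"\x00")
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        mask = net.netmask.packed if version == 2 else b"\x00" * 4
        nh = ipaddress.IPv4Address(next_hop).packed if version == 2 else b"\x00" * 4
        data += struct.pack("!HH4s4s4sI", AFI_IP, 0, net.network_address.packed, mask, nh, metric)
    return data


if __name__ == "__main__":
    sample = build_response([("10.1.0.0/16", "0.0.0.0", 2), ("10.2.0.0/16", "0.0.0.0", 16)],
                            password=b"s3cret")
    pkt = parse_rip(sample)
    print("version", pkt.version, "password", pkt.password, "routes", pkt.routes)
    for line in findings(pkt):
        print("-", line)
```

The password of a clear-text authenticated update is visible to anyone on the segment, which is the reason the dialog box recommends MD5; the parser surfaces it only to make that point concrete.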


RIP Page for PIX/ASA 7.2 and Later

Use this RIP page to enable and configure the Routing Information Protocol (RIP) on PIX and ASA devices running operating system 7.2 or later. The RIP page consists of these tabbed panels:

RIP - Setup Tab

RIP - Redistribution Tab

RIP - Filtering Tab

RIP - Interface Tab

Navigation Path

(Device view) Select Platform > Routing > RIP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

When creating a shared RIP policy, you must choose a Version in the Create a Policy dialog box, as follows:

PIX/ASA 6.3-7.1 and FWSM

PIX/ASA 7.2 and Later

When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.

Related Topics

Configuring Static Routes

Configuring OSPF

Configuring No Proxy ARP

RIP Page for PIX/ASA 6.3-7.1 and FWSM

RIP - Setup Tab

Use the Setup panel to define RIP on the security appliance, and to configure global RIP protocol parameters. You can only enable a single RIP process on the security appliance.

Navigation Path

You can access the Setup tab from the RIP Page for PIX/ASA 7.2 and Later.

Related Topics

RIP - Redistribution Tab

RIP - Filtering Tab

RIP - Interface Tab

Chapter 46 "Configuring Routing Policies on Firewall Devices"

Field Reference

Table 46-21 Setup Tab 

Element
Description

Networks

Define one or more networks for RIP routing. Enter IP address(es), or enter or Select the desired Network/Hosts objects (see Understanding Network/Host Objects, page 6-62); IP addresses must not contain any subnet information. There is no limit to the number of networks you can add to the security appliance configuration.

The RIP routing updates will be sent and received only through interfaces on the specified networks. Also, if the network of an interface is not specified, the interface will not be advertised in any RIP updates.

Passive Interface

Use this option to specify passive interfaces on the security appliance, and by extension the active interfaces. The device listens for RIP routing broadcasts on passive interfaces, using that information to populate its routing tables, but does not broadcast routing updates on passive interfaces. Interfaces that are not designated as passive receive and send updates. Choose one of these options:

1. None - No interfaces are designated as passive.

2. All Interfaces - All interfaces on the device are designated as passive, except those entered in the Excluded Interfaces field below.

3. Specified Interfaces - Only those interfaces explicitly specified in the Interfaces field below are designated as passive.

Interfaces/Excluded Interfaces

Use this field to specify the interfaces excluded from the passive list, or those explicitly designated as passive, depending on your choice from the Passive Interface list above:

If you chose All Interfaces, this field is labeled Excluded Interfaces: enter or Select only those interfaces to be excluded (that is, those that are to be active not passive).

If you chose Specified Interfaces in the Passive Interface list, enter or Select those interfaces that are to be designated as passive.

Note You cannot specify two different RIP configurations for the same interface.

RIP Version

Choose the RIP versions for sending and receiving RIP updates:

Receive Version 1 and 2, Send Version 1

Send and Receive Version 1

Send and Receive Version 2

Generate Default Route

When selected, a default route is generated for distribution, based on the Route Map you specify.

Route Map

Specify the route map to use for generating default routes.

Note This field contains only the Route Map name. The Route Map is created and contained within a FlexConfig; see Chapter 7, "Managing FlexConfigs" for more information.

Enable Auto-Summary

When Send and Receive Version 2 is the chosen RIP Version, this option is available. When checked, automatic route summarization is enabled. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised.

Note RIP Version 1 always uses automatic summarization—you cannot disable it.


RIP - Redistribution Tab

Use the Redistribution panel to manage redistribution routes. These are the routes that are being redistributed from other routing processes into the RIP routing process. See Add/Edit Redistribution Dialog Box for more information.

Navigation Path

You can access the Redistribution tab from the RIP Page for PIX/ASA 7.2 and Later.

Related Topics

RIP - Setup Tab

RIP - Filtering Tab

RIP - Interface Tab

Chapter 46 "Configuring Routing Policies on Firewall Devices"

Add/Edit Redistribution Dialog Box

Use the Add Redistribution and Edit Redistribution dialog boxes to add and edit redistribution routes on the RIP - Redistribution Tab. These are the routes that are being redistributed from other routing processes into the RIP routing process. Except for their titles, these two dialog boxes are identical.

Navigation Path

You can access the Add and Edit Redistribution dialog boxes from the Redistribution tab on the RIP Page for PIX/ASA 7.2 and Later.

Field Reference

Table 46-22 Add/Edit Redistribution Dialog Box 

Element
Description

Protocol to Redistribute

Choose the routing protocol to redistribute into the RIP routing process:

Static - Static routes.

Connected - Directly connected networks.

OSPF - Routes discovered by the OSPF routing process.

If you choose OSPF, you must also enter the OSPF Process ID and, optionally, Match criteria.

Process ID

Enter the process ID when the OSPF protocol is chosen.

Match

If you are redistributing OSPF routes into the RIP routing process, you can select specific types of OSPF routes to redistribute. Ctrl-click to select multiple types:

Internal - Routes internal to the autonomous system (AS) are redistributed.

External 1 - Type 1 routes external to the AS are redistributed.

External 2 - Type 2 routes external to the AS are redistributed.

NSSA External 1 - Type 1 routes external to a not-so-stubby area (NSSA) are redistributed.

NSSA External 2 - Type 2 routes external to an NSSA are redistributed.

Match criteria are optional. The default is to match Internal, External 1, and External 2.

Metric

The RIP metric type to apply to the redistributed routes. The two choices are:

Transparent - Use the current route metric.

Specified Value - Assign a specific metric value.

Metric Value

The metric value to be assigned; enter a value from 0 to 16.

Route Map

The name of a route map that must be satisfied before the route can be redistributed into the RIP routing process.

Note This field contains only the Route Map name. The contents of the route map are created and contained within a FlexConfig. See Chapter 7, "Managing FlexConfigs" for more information.


RIP - Filtering Tab

Use the Filtering panel to manage filters for the RIP policy. Filters are used to limit network information in incoming and outgoing RIP advertisements. See Add/Edit Filter Dialog Box for more information.

Navigation Path

You can access the Filtering tab from the RIP Page for PIX/ASA 7.2 and Later.

Related Topics

RIP - Setup Tab

RIP - Redistribution Tab

RIP - Interface Tab

Chapter 46 "Configuring Routing Policies on Firewall Devices"

Add/Edit Filter Dialog Box

Use the Add Filter and Edit Filter dialog boxes to add and edit RIP filters on the RIP - Filtering Tab. Filters are used to limit network information in incoming and outgoing RIP advertisements. Except for their titles, these two dialog boxes are identical.

Navigation Path

You can access the Add and Edit Filter dialog boxes from the Filtering tab on the RIP Page for PIX/ASA 7.2 and Later.

Field Reference

Table 46-23 Add/Edit Filter Dialog Box 

Element
Description

Traffic Direction

Choose the type of traffic to be filtered: Inbound or Outbound.

Note If Traffic Direction is Inbound, you can define an Interface filter only.

Filter On

Specify whether the filter is based on an Interface or a Route.

If you select Interface, enter or Select the name of the interface on which routing updates are to be filtered.

If you select Route, choose the route type:

Static - Only static routes are filtered.

Connected - Only connected routes are filtered.

OSPF - Only OSPF routes discovered by the specified OSPF process are filtered. Enter the Process ID of the OSPF process to be filtered.

Filter ACLs

Enter or Select the name of one or more access control lists (ACLs) that define the networks to be allowed or removed from RIP route advertisements.


RIP - Interface Tab

Use the Interface panel to manage the interfaces configured to send and receive RIP broadcasts. See Add/Edit Interface Dialog Box for more information.

Navigation Path

You can access the Interface tab from the RIP Page for PIX/ASA 7.2 and Later.

Related Topics

RIP - Setup Tab

RIP - Redistribution Tab

RIP - Filtering Tab

Chapter 46 "Configuring Routing Policies on Firewall Devices"

Add/Edit Interface Dialog Box

Use the Add Interface and Edit Interface dialog boxes to add and edit RIP interface configurations on the RIP - Interface Tab. Except for their titles, these two dialog boxes are identical.

Navigation Path

You can access the Add and Edit Interface dialog boxes from the Interface tab on the RIP Page for PIX/ASA 7.2 and Later.

Field Reference

Table 46-24 Add/Edit Interface Dialog Box 

Element
Description

Interface

Enter or Select an interface defined on this appliance.

Send (Version)

These options let you override, for this interface, the global Send versions specified on the RIP - Setup Tab. Select the appropriate boxes to specify sending updates using RIP Version 1, Version 2, or both.

Receive (Version)

These options let you override the global Receive versions. Select the appropriate boxes to specify accepting updates using RIP Version 1 only, Version 2 only, or both.

Authentication type

Choose the authentication used on this interface for RIP broadcasts:

None - No authentication.

MD5 - Employ MD5.

Clear Text - Employ clear-text authentication.

If you choose MD5 or Clear Text, you must also provide the following authentication parameters:

Key ID - The ID of the authentication key. Valid values are from 0 to 255.

Key - The key used by the chosen authentication method. Can contain up to 16 characters.

Confirm - Enter the authentication key again, to confirm.


Configuring Static Routes

A static route is a specific path to a particular destination network that is manually defined on the current device. Static routes are used in a variety of situations, and can be a quick and effective way to route data from one network to another when there is no dynamic route to the destination, or when use of a dynamic routing protocol is not feasible.

All routes have a value or "metric" that represents their priority of use. (This metric is also referred to as "administrative distance.") When two or more routes to the same destination are available, devices use administrative distance to decide which route to use.

For static routes, the default metric value is one, which gives them precedence over routes from dynamic routing protocols. If you increase the metric to a value greater than that of a dynamic route, the static route operates as a back-up in the event that dynamic routing fails. For example, Open Shortest Path First (OSPF)-derived routes have a default administrative distance of 100. To configure a back-up static route that is overridden by an OSPF route, specify a metric value for the static route that is greater than 100. This is referred to as a "floating" static route.

There is a special kind of static route known as a default route, or a "zero-zero" route because all zeroes are used for both the destination address and subnet mask. The default static route serves as a catch-all gateway: if there are no matches for a particular destination in the device's routing table, the default route is used. The default route generally includes a next-hop IP address or local exit interface.

Use the Static Route page to maintain manually defined static routes. The Static Route table on this page lists all currently defined static routes, showing, for each, the name of the interface or interface role for which the route is defined, the destination network(s), the next hop gateway, the route metric, whether the route is tunneled, and whether there is service-level agreement tracking for the route. For a detailed explanation of these fields, see Add/Edit Static Route Dialog Box.
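The selection rule described above, and the way a floating static route and a default route behave under it, is worked through in the following added example. It is not PIX/ASA forwarding code: it picks the longest matching prefix and, among routes of equal length, the lowest metric (the administrative distance), then shows the floating static route taking over only after the dynamically learned route is withdrawn and the zero-zero route catching everything else. The addresses and interface names are constructed; the metric of 100 on the dynamically learned route is the OSPF default this page states, and 120 for the backup is simply a value above it.

```python
"""Route selection with static, floating static and default routes.

Added illustration, not PIX/ASA forwarding code. Addresses, interfaces and
metrics below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: str          # destination; "0.0.0.0/0" is the default ("zero-zero") route
    gateway: str          # next-hop IP address
    interface: str
    metric: int = 1       # administrative distance; static routes default to 1
    source: str = "static"

    @property
    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.network).prefixlen


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Longest matching prefix wins; among equal lengths the lowest metric wins.

    The default route matches every address, so it is chosen only when no
    more specific route exists."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in table if dest in ipaddress.ip_network(r.network)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefixlen, r.metric))


def withdraw(table: List[Route], source: str) -> List[Route]:
    """Routing table after every route learned from `source` has been lost."""
    return [r for r in table if r.source != source]


# Constructed routing table (sample values, not from the page).
TABLE = [
    Route("0.0.0.0/0", "203.0.113.1", "outside"),                             # default route, metric 1
    Route("10.20.0.0/16", "10.0.0.2", "inside", metric=100, source="ospf"),   # dynamically learned
    Route("10.20.0.0/16", "10.0.0.3", "inside", metric=120),                  # floating static backup
    Route("10.20.30.0/24", "10.0.0.4", "inside"),                             # more specific static
]

if __name__ == "__main__":
    for dst in ("10.20.30.7", "10.20.5.5", "8.8.8.8"):
        print(dst, "->", select_route(TABLE, dst).gateway)
    print("after OSPF route loss:", select_route(withdraw(TABLE, "ospf"), "10.20.5.5").gateway)
```

Note that the more specific /24 static route with the default metric of 1 beats the OSPF /16 regardless of metric, because prefix length is compared before administrative distance; the floating static route only competes with the OSPF route because both cover exactly the same /16.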

Navigation Path

(Device view) Select Platform > Routing > Static Route from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > Static Route from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Related Topics

Chapter 46 "Configuring Routing Policies on Firewall Devices"

Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7

Standard rules table topics:

Using Rules Tables, page 12-7

Table Columns and Column Heading Features, page 1-34

Add/Edit Static Route Dialog Box

The Add/Edit Static Route dialog box lets you add or edit a static route.

Navigation Path

You can access the Add/Edit Static Route dialog box from the Static Routes page. Click the Add Row button to add a new static route; select an existing static route and click the Edit Row button to edit that route.

Related Topics

Configuring Static Routes

Chapter 46 "Configuring Routing Policies on Firewall Devices"

Field Reference

Table 46-25 Add/Edit Static Route Dialog Box 

Element
Description

Interface

Enter or Select the interface to which this static route applies.

Network

Enter or Select the destination network(s). You can provide one or more IP address/netmask entries, one or more Networks/Hosts objects, or a combination of both; separate the entries with commas.

Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.

Gateway

Enter or Select the gateway router which is the next hop for this route. You can provide an IP address, or a Networks/Hosts object.

Note If an IP address from one of the security appliance's interfaces is used as the Gateway IP address, the security appliance will resolve the designated IP address in the packet instead of resolving the Gateway IP address.

Metric

The Metric is a measurement of the "expense" of a route, based on the number of hops (hop count) to the network on which a specific host resides. Hop count is the number of networks that a network packet must traverse, including the destination network, before it reaches its final destination. Because the hop count includes the destination network, all directly connected networks have a metric of 1.

Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1.

The maximum number of equal-cost (equal-metric) routes that can be defined per interface is three. You cannot add a route with the same metric on different interfaces that are on the same network.

Tunneled

Select this option to make this a tunneled route; the option can be used only for a default route. You can configure only one default tunneled gateway per device. The Tunneled option is not supported in transparent mode. Available only on PIX/ASA 7.0+ devices.

Route Tracking

To monitor route availability, enter or Select the name of an SLA (service level agreement) object that defines the monitoring policy. Available only on PIX/ASA 7.2+ devices.

For more information on route tracking, see Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7.