ASA 5510 ospf config with pix 501

I need help understanding a problem with Spoof Detection on Firewall-1 4.0 that appears to be rendering it worthless.

On an internal network we have a Firewall-1 4.0 box that has 12 dmz interfaces attached to it, each of them Class C networks that do not overlap. I tried to put spoof detection into effect on the firewall as follows:

1) Edited the Firewall-1 network object

2) Selected each Interfaces tab and hit Edit button

3) For every interface except external, I specified valid addresses as "This Net"

4) For the external interface, I specified "Others"

As soon as I install that policy, I see packets that should be allowed through the firewall get an accept on the incoming interface, and then get a reject on rule 0 as soon as they are passed to the interface with the server they are trying to reach. I researched this online and got this explanation:

A "reject" on Rule 0 typically means that an outgoing packet (one that has been accepted by your security policy and routed by the OS) is violating your anti-spoof rules because the packet is being routed out the wrong interface. If your Network Address Translation is misconfigured, you will often have problems with Anti-Spoofing.

This already concerns me a lot, because it implies that Firewall-1 has no way to distinguish a packet that has already passed through its security rules and NAT, from a packet that is incoming on an interface.

Can someone please give me an example of a valid NAT configuration that would allow spoof detection to work correctly, without causing the packets to be rejected on rule 0 when they get to the destination interface?

Further confusing me here, packets that are not having destination IPs modified by NAT are not triggering spoof detection. I don't see how the spoof detection can trigger when the packet gets to the dmz interface after being changed by NAT, but not triggered when there is no NAT. In both cases if the packet's source is a different network, then the Source IP won't be the same as the Valid Addresses that correspond to the Firewall-1 "This Net" spoof detection setting.

JFiliberto
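A small model of the two anti-spoof checks the quoted explanation describes (source checked on the arriving interface, destination checked on the exiting interface), added here as an illustration and not code from the thread or from Check Point. The interface nets, the static NAT mapping, the routing table and the assumption that the routing decision is made on the pre-NAT destination are all constructed for the example.

```python
import ipaddress

# Constructed "This Net" valid-address settings for three of the DMZ/internal
# interfaces; the external interface is "Others" (anything not claimed below).
THIS_NET = {
    "dmz1":   ipaddress.ip_network("192.0.2.0/24"),
    "dmz2":   ipaddress.ip_network("198.51.100.0/24"),
    "inside": ipaddress.ip_network("10.0.0.0/24"),
}
EXTERNAL = "external"

# Constructed static NAT: public address -> DMZ server address.
STATIC_NAT = {ipaddress.ip_address("203.0.113.10"): ipaddress.ip_address("192.0.2.10")}

def valid_on(iface, addr):
    """Anti-spoof validity of addr for iface ("This Net" or "Others")."""
    if iface == EXTERNAL:
        return not any(addr in net for net in THIS_NET.values())
    return addr in THIS_NET[iface]

def base_routes():
    """Connected routes for every 'This Net' plus a default route to external."""
    return [(str(net), i) for i, net in THIS_NET.items()] + [("0.0.0.0/0", EXTERNAL)]

def route(dst, routes):
    """Longest-prefix match over (prefix, iface) pairs; None if nothing matches."""
    nets = [(ipaddress.ip_network(p), i) for p, i in routes]
    hits = [(n, i) for n, i in nets if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(in_iface, src, dst, routes):
    """Model the path of a packet through both anti-spoof checks.

    Assumption for the model: the routing decision uses the pre-NAT
    destination and the translation happens on the way out, so a NATed
    packet can leave via an interface whose valid addresses exclude it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not valid_on(in_iface, src):
        return "reject rule 0 (inbound: %s not valid on %s)" % (src, in_iface)
    out_iface = route(dst, routes)
    dst = STATIC_NAT.get(dst, dst)  # translation after the routing decision
    if out_iface is None or not valid_on(out_iface, dst):
        return "reject rule 0 (outbound: %s not valid on %s)" % (dst, out_iface)
    return "accept via %s" % out_iface
```

With only the default route, the NATed packet is routed out external and then fails the outbound check, while a packet to a non-NATed DMZ address passes both checks; a more specific route for the public address changes the outcome.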

First the very minor interjection that the 7.X software runs on several PIX models, not just ASA

I don't know the answer to that question, but see below

The PIX 501 does not support OSPF itself -- it is unable to change its routing or crypto maps in response to OSPF. But if OSPF is unicast, it could transport it just like any other unicast traffic. (There is also some PIX support for multicast, but I never bothered to read that section.)

Walter Roberson

All of this sounds good. To support OSPF routing over VPN, OSPF neighbors need to be specified manually so that unicast traffic is used instead of multicast, allowing the proper routing info to be exchanged.

Thanks

JFiliberto
