Allowing OSPF/EIGRP Through Transparent FTD

Hi

I could really use a sanity check on this… I have two routers, R1 with 10.20.20.1 and R3 with 10.20.20.3, separated by a transparent FTD. The goal is to allow OSPF and EIGRP adjacency through the firewall.

Per my understanding, the required firewall config to allow OSPF adjacency through the firewall would be to permit Protocol 89 (OSPF) between 10.20.20.1 and 10.20.20.3 (and the other way around) AND permit Protocol 89 with a destination address of 224.0.0.5 and 224.0.0.6 for the multicast Hellos.

Same for EIGRP, permit Protocol 88 (EIGRP) between 10.20.20.1 and 10.20.20.3 AND allow Protocol 88 with a destination address of 224.0.0.10.

I created a Port Object, named it OSPF-T, chose “Other” for the protocol and, in the dropdown, found the built-in condition “OSPFIGP” for Protocol 89. I then created two ACP entries that allow OSPF-T from 10.20.20.1 → 10.20.20.3 and the other way around.
To my surprise this actually worked: OSPF came up and remained stable even though I did not permit the multicast addresses.


I figured it could have something to do with the Port Object using the built-in “OSPFIGP” condition for the port, so I changed the OSPF-T Port Object: instead of the built-in condition “OSPFIGP” I chose “All” and wrote 89 in the Port field.

If I modify the object so that it no longer uses the built-in object, the OSPF adjacency no longer comes up, which is expected as I have yet to allow the multicast Hellos.


I did the same lab with EIGRP instead of OSPF, with exactly the same result. If I use the built-in EIGRP “Object” for my custom Port Object and allow only EIGRP between R1 → R2 and the other way around, EIGRP comes up and is stable even though I did not allow the 224.0.0.10 multicast address.

If I change the Port Object, choose “All” and write 88 in the Protocol field, EIGRP comes up but flaps, which is as expected when the multicast address has not been permitted.

Is there some sort of intelligent behavior in FTD that dynamically opens traffic destined to the multicast addresses if you use the built-in objects?

FYI, I would love to provide some pictures, but the forum apparently does not allow me to post more than 2 images or links…

You can try using unicast neighbors instead of multicast. It will be easier to debug and to allow if needed.
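As an added illustration (not from the original post or the reply, and not FTD code): a small Python model of a stateless, first-match access policy with an implicit deny at the end, used to check which packets of an OSPF/EIGRP adjacency each of the two rule sets discussed above permits. Both rule sets, the packet lists and the addresses are constructed from the thread; the model deliberately does not try to represent any built-in FTD handling of the OSPFIGP/EIGRP objects, which is exactly the open question in the thread. It also models the unicast-neighbor variant from the reply, where Hellos go to the peer's unicast address and no multicast rule is needed.

```python
"""Toy first-match packet filter for auditing which OSPF/EIGRP packets a
transparent-firewall rule set lets through. Constructed example, not FTD code."""
from dataclasses import dataclass
import ipaddress

OSPF = 89   # IP protocol number for OSPF (the built-in "OSPFIGP" object)
EIGRP = 88  # IP protocol number for EIGRP


@dataclass(frozen=True)
class Rule:
    proto: int
    src: str      # CIDR the source address must fall in
    dst: str      # CIDR the destination address must fall in
    action: str = "allow"


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    desc: str


def permitted(rules, pkt):
    """First matching rule decides; no match means the implicit deny at the
    end of the policy (assumption: plain stateless ACL semantics)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto == pkt.proto
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)):
            return r.action == "allow"
    return False


R1, R3 = "10.20.20.1", "10.20.20.3"


def both_ways(proto, a, b):
    """Two host-to-host allow rules, one per direction."""
    return [Rule(proto, f"{a}/32", f"{b}/32"), Rule(proto, f"{b}/32", f"{a}/32")]


# Rule set 1: only the unicast R1 <-> R3 entries for protocol 89 and 88
UNICAST_ONLY = both_ways(OSPF, R1, R3) + both_ways(EIGRP, R1, R3)

# Rule set 2: the same plus the multicast destinations the post expected to need
WITH_MULTICAST = UNICAST_ONLY + [
    Rule(OSPF, "10.20.20.0/24", "224.0.0.5/32"),
    Rule(OSPF, "10.20.20.0/24", "224.0.0.6/32"),
    Rule(EIGRP, "10.20.20.0/24", "224.0.0.10/32"),
]

# Packets of a normal multicast adjacency on the shared segment (constructed)
MULTICAST_ADJACENCY = [
    Packet(OSPF, R1, "224.0.0.5", "OSPF hello R1 -> AllSPFRouters"),
    Packet(OSPF, R3, "224.0.0.5", "OSPF hello R3 -> AllSPFRouters"),
    Packet(OSPF, R1, R3, "OSPF DBD/LSR unicast R1 -> R3"),
    Packet(OSPF, R3, R1, "OSPF DBD/LSR unicast R3 -> R1"),
    Packet(EIGRP, R1, "224.0.0.10", "EIGRP hello R1 -> 224.0.0.10"),
    Packet(EIGRP, R3, "224.0.0.10", "EIGRP hello R3 -> 224.0.0.10"),
    Packet(EIGRP, R1, R3, "EIGRP update/ack unicast R1 -> R3"),
]

# Packets when both routers use static unicast neighbors (the reply's suggestion):
# Hellos are sent to the peer's address, so no multicast crosses the firewall
UNICAST_ADJACENCY = [
    Packet(OSPF, R1, R3, "OSPF hello unicast R1 -> R3"),
    Packet(OSPF, R3, R1, "OSPF hello unicast R3 -> R1"),
    Packet(EIGRP, R1, R3, "EIGRP hello unicast R1 -> R3"),
    Packet(EIGRP, R3, R1, "EIGRP hello unicast R3 -> R1"),
]


def audit(rules, packets):
    """Map each packet description to whether the rule set permits it."""
    return {p.desc: permitted(rules, p) for p in packets}


def blocked(rules, packets):
    """Descriptions of packets the rule set drops; an empty list means every
    packet the adjacency needs is permitted."""
    return [p.desc for p in packets if not permitted(rules, p)]


if __name__ == "__main__":
    for name, rules in (("unicast-only", UNICAST_ONLY), ("with-multicast", WITH_MULTICAST)):
        print(f"{name}: multicast adjacency drops {blocked(rules, MULTICAST_ADJACENCY)}")
        print(f"{name}: unicast-neighbor adjacency drops {blocked(rules, UNICAST_ADJACENCY)}")
```

Under these plain ACL semantics the unicast-only rule set drops every multicast Hello, so a stable adjacency on that rule set can only be explained by something the model does not capture (the unicast-neighbor configuration, or firewall behaviour beyond a plain match on protocol, source and destination).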