From: Marvin Greenlee (marvin@ipexpert.com)
Date: Wed Apr 11 2007 - 23:03:21 ART
You need to permit it on the inside as well. Non-TCP/UDP traffic (like EIGRP or OSPF) can be permitted with an access list.

Add an ACL to the inside interface with a permit ip any any or permit ospf any any and see what happens.
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
marvin@ipexpert.com
http://www.IPexpert.com
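As an added illustration (not configuration from any poster in this thread), this is what Marvin's "permit it on the inside as well" looks like on an ASA in transparent mode. Interface names, ACL names, the management address and the 10.1.1.0/24 subnet are assumed for the example; it also assumes a single-context ASA of that era, where the management address is configured globally.

```cisco
! Added example, not from the thread. Interface names, ACL names, the
! management address and the 10.1.1.0/24 subnet are assumed.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode still needs a management IP on the bridged subnet.
ip address 10.1.1.10 255.255.255.0
!
! OSPF is IP protocol 89, not TCP/UDP, so the ASA builds no stateful
! return entry for it. Hellos go to 224.0.0.5 (and DR traffic to
! 224.0.0.6); DBD/LSR/LSU exchanges are unicast between neighbors.
! Both directions need an explicit permit; the thread's "permit ospf
! any any" also works but is broader than this.
access-list OUTSIDE_IN extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.5
access-list OUTSIDE_IN extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.6
access-list OUTSIDE_IN extended permit ospf 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
!
! The inside ACL is the piece that was missing in the original post:
! without it the internal switch's hellos never reach the outside
! neighbor, which is exactly the one-sided INIT state described.
access-list INSIDE_IN extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.5
access-list INSIDE_IN extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.6
access-list INSIDE_IN extended permit ospf 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group INSIDE_IN in interface inside
!
! Verification: the hitcnt on the ospf lines should climb on BOTH ACLs
! once hellos flow in each direction.
! show access-list OUTSIDE_IN
! show access-list INSIDE_IN
```

The check to make on the switches is the one the thread already hints at: if only one side lists the other as a neighbor in INIT, the ACL on the interface facing the silent side is the first thing to inspect. The inside and outside ASA interfaces must still sit in different VLANs on the switch side, per the transparent-firewall guideline quoted below; the ACL alone does not fix a VLAN problem.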
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nem
chua
Sent: Wednesday, April 11, 2007 9:08 PM
To: anthony.sequeira@thomson.com
Cc: Cisco certification
Subject: Re: OSPF over ASA transparent mode
Hi, thank you everyone for responding to my email.

Anthony, now this is interesting, each interface must be in a separate VLAN? So according to the drawing, I'm assuming each interface on the external and internal 3750 has to be a separate VLAN???

In ASA transparent mode, I thought the entire network should be one VLAN and one subnet because the firewall is like a bridge between the 3750 outside and inside, so why would I want to use a separate VLAN on each 3750 link?

Everything else I tried. The MTUs are at the default 1500 bytes. I created an access list and applied it to the external interface to allow ip any to any, still no go. From the debugs it looks like the inside switches see the hellos coming from the outside, and have those neighbors in INIT state. However, the external switch does not see any hello coming from the internal switch.

Thanks much.
3750 external switch -----------vlan 10----------------3750 external switch
        |                                                        |
     vlan 10                                                  vlan 10
        |                                                        |
ASA firewall-------------------Failover-------------------ASA firewall
        |                                                        |
     vlan 10                                                  vlan 10
        |                                                        |
3750 internal switch-----------vlan 10----------------3750 internal switch
On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
wrote:
>
> Errr - I just realized I might have answered too quickly here and not
> read your original post closely enough....
>
> It sounds like you want OSPF traffic to pass THROUGH the Transparent
> Firewall. This should be permitted as long as your Extended ACL provides
> the appropriate permissions.
>
> So I would check your ACL carefully - and then check your guidelines on
> Transparent Firewalling:
>
> * Each directly connected network must be on the same subnet
> * A management IP address is required and must be on the same subnet
> * Each interface must be a different VLAN interface
>
> Anthony J. Sequeira
> #15626
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sequeira, Anthony (NETg)
> Sent: Wednesday, April 11, 2007 5:35 PM
> To: nemthuduc@gmail.com; ccielab@groupstudy.com
> Subject: RE: OSPF over ASA transparent mode
>
> The following features are not supported in Transparent Mode:
>
> * DYNAMIC ROUTING PROTOCOLS
> * NAT
> * IPv6
> * DHCP Relay
> * QoS
> * Multicast
> * VPN Termination for Through Traffic
>
> Anthony J Sequeira
> #15626
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> nem chua
> Sent: Wednesday, April 11, 2007 4:55 PM
> To: Cisco certification
> Subject: OSPF over ASA transparent mode
>
> Hello,
>
> Anyone run this before? When I had the ASA firewall run OSPF it works
> fine. I tried running the ASA firewall in transparent mode, access-list
> wide open for ip any any, and ospf any any. All traffic passes fine, but
> OSPF will not form an adjacency and is stuck in INIT state. If I plug the
> router on each end directly, bypassing the firewall, it works fine. Any
> idea?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART