Re: OSPF over ASA transparent mode

From: nem chua (nemthuduc@gmail.com)
Date: Thu Apr 12 2007 - 00:57:24 ART


Yep, I tried that too, but no go.

I'll try to get that config and send it tomorrow.

Thanks all.

On 4/11/07, Marvin Greenlee <marvin@ipexpert.com> wrote:
>
> You need to permit it on the inside as well. Non TCP/UDP traffic (like
> EIGRP or OSPF) can be permitted with an access list.
>
> Add an ACL to the inside interface with a permit IP any any or permit ospf
> any any and see what happens.
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nem chua
> Sent: Wednesday, April 11, 2007 9:08 PM
> To: anthony.sequeira@thomson.com
> Cc: Cisco certification
> Subject: Re: OSPF over ASA transparent mode
>
> Hi, thank you everyone for responding to my email.
>
> Anthony, now this is interesting, each interface must be in a separate
> vlan? So according to the drawing, I'm assuming each interface on the
> external and internal 3750 has to be a separate vlan???
>
> In ASA transparent mode, I thought the entire network should be one vlan
> and one subnet because the firewall is like a bridge between the 3750 outside
> and inside, why would I want to use a separate vlan on each 3750 link?
>
> Everything else I tried. The MTUs are at the default 1500 bytes. I
> created an access list and applied it to the external interface to allow ip any to
> any, still no go. From the debugs it looks like the inside switches see the
> hellos coming from the outside, and have those neighbors in INIT state.
> However the external switch does not see any hello coming from the
> internal switch.
>
> Thanks much.
>
>
>
> 3750 external switch -----------vlan 10-----------3750 external switch
>          |                                                  |
>       vlan 10                                            vlan 10
>          |                                                  |
>    ASA firewall --------------Failover--------------- ASA Firewall
>          |                                                  |
>       vlan 10                                            vlan 10
>          |                                                  |
> 3750 internal switch-----------vlan 10-----------3750 internal switch
>
>
>
> On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
> wrote:
> >
> > Errr - I just realized I might have answered too quickly here and not
> > read your original post closely enough....
> >
> > It sounds like you want OSPF traffic to pass THROUGH the Transparent
> > Firewall. This should be permitted as long as your Extended ACL provides
> > the appropriate permissions.
> >
> > So I would check your ACL carefully - and then check your guidelines on
> > Transparent Firewalling:
> >
> > * Each directly connected network must be on the same subnet
> > * A management IP address is required and must be on the same subnet
> > * Each interface must be a different VLAN interface
> >
> > Anthony J. Sequeira
> > #15626
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Sequeira, Anthony (NETg)
> > Sent: Wednesday, April 11, 2007 5:35 PM
> > To: nemthuduc@gmail.com; ccielab@groupstudy.com
> > Subject: RE: OSPF over ASA transparent mode
> >
> > The following features are not supported in Transparent Mode:
> >
> > * DYNAMIC ROUTING PROTOCOLS
> > * NAT
> > * IPv6
> > * DHCP Relay
> > * QoS
> > * Multicast
> > * VPN Termination for Through Traffic
> >
> > Anthony J Sequeira
> > #15626
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > nem chua
> > Sent: Wednesday, April 11, 2007 4:55 PM
> > To: Cisco certification
> > Subject: OSPF over ASA transparent mode
> >
> > Hello,
> >
> > Has anyone run this before? When I had the asa firewall run ospf it works
> > fine. I tried running the asa firewall in transparent mode, access-list
> > wide open for ip any any, and ospf any any. All traffic passes fine, but ospf
> > will not form an adjacency and gets stuck in INIT state. If I plug the router on
> > each end directly, bypassing the firewall, it works fine. Any idea?
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

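The fix Marvin points at (permit OSPF inbound on the inside interface, not just the outside one) is easy to see in configuration form. The following is an added example, not a config from anyone in the thread: an ASA in single-context transparent mode bridging the two 3750s, written in the 7.x/8.0-era syntax of the time (global management `ip address`, no bridge-group). Interface names, the management address and the neighbor subnet 10.10.10.0/24 are constructed assumptions.

```cisco
! Added example (not from the thread). Interface names, addresses and the
! 10.10.10.0/24 neighbor subnet are constructed assumptions.
firewall transparent
hostname ASA-TRANSPARENT
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode: the management address must be in the bridged subnet.
ip address 10.10.10.254 255.255.255.0
!
! --- Configuration that produces the symptom in the thread ---
! OSPF is permitted inbound on the outside interface only. Hellos from the
! external switch reach the inside switch (inside shows the neighbor in
! INIT), but the inside switch's hellos are dropped entering the inside
! interface, so the external switch never sees them.
!
! access-list OUTSIDE_IN extended permit ospf any any
! access-group OUTSIDE_IN in interface outside
!
! --- Corrected configuration ---
! OSPF (IP protocol 89) must be permitted inbound on BOTH interfaces.
! Hellos go to the multicast group 224.0.0.5 (DR/BDR traffic to 224.0.0.6);
! DBD/LSR/LSU exchanges between neighbors are unicast, so both the multicast
! groups and the neighbor subnet are permitted. Scoping to the neighbor
! subnet instead of "any any" keeps the firewall filtering everything else.
access-list OUTSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 host 224.0.0.5
access-list OUTSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 host 224.0.0.6
access-list OUTSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
!
access-list INSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 host 224.0.0.5
access-list INSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 host 224.0.0.6
access-list INSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group INSIDE_IN in interface inside
```

To confirm the fix rather than guess from router debugs, watch the hit counts on both lists with `show access-list OUTSIDE_IN` and `show access-list INSIDE_IN` while the switches are sending hellos: with the one-sided configuration only the outside entries increment, which matches the "INIT on the inside switch, nothing on the outside switch" picture described above. Once both lists count hits the adjacency should move past INIT, and anything that still fails points at the other transparent-mode requirements Anthony listed (same subnet on both sides, management IP in that subnet, separate VLAN interfaces on the ASA).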


This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART