Re: OSPF over ASA transparent mode

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Thu Apr 12 2007 - 09:07:01 ART


Hello Gustavo

This is not true: the ASA does not 'participate' in multicast while in
transparent mode, but it *does* let multicast traffic pass through it as
long as the ACLs are properly configured.

Regards

Farrukh

On 4/12/07, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
>
> If, as Anthony said, the ASA does not support multicast... how about using an
> NBMA or point-to-multipoint non-broadcast OSPF network type between your two
> routers? If the updates are sent as unicast... you might get there...
>
> HTH
>
> Gustavo Novais
>
> ________________________________
>
> From: nobody@groupstudy.com on behalf of nem chua
> Sent: Thu 12-04-2007 4:57
> To: Marvin Greenlee
> Cc: Cisco certification
> Subject: Re: OSPF over ASA transparent mode
>
>
>
> Yep, I tried that too, but no go.
>
> I'll try to get that config and send it tomorrow.
>
> Thanks all.
>
>
> On 4/11/07, Marvin Greenlee <marvin@ipexpert.com> wrote:
> >
> > You need to permit it on the inside as well. Non-TCP/UDP traffic (like
> > EIGRP or OSPF) can be permitted with an access list.
> >
> > Add an ACL to the inside interface with a permit ip any any or permit
> > ospf any any and see what happens.
> >
> > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > Senior Technical Instructor - IPexpert, Inc.
> > "When Will You Be an IP Expert?"
> > marvin@ipexpert.com
> > http://www.IPexpert.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > nem chua
> > Sent: Wednesday, April 11, 2007 9:08 PM
> > To: anthony.sequeira@thomson.com
> > Cc: Cisco certification
> > Subject: Re: OSPF over ASA transparent mode
> >
> > Hi, thank you everyone for responding to my email.
> >
> > Anthony, now this is interesting, each interface must be in a separate
> > VLAN? So according to the drawing, I'm assuming each interface on the
> > external and internal 3750 has to be a separate VLAN???
> >
> > In ASA transparent mode, I thought the entire network should be one VLAN
> > and one subnet because the firewall is like a bridge between the 3750
> > outside and inside, so why would I want to use a separate VLAN on each
> > 3750 link?
> >
> > Everything else I tried. The MTU is at the default 1500 bytes. I
> > created an access list and applied it to the external interface to allow
> > ip any to any, still no go. From the debugs it looks like the inside
> > switches see the hellos coming from the outside, and have those neighbors
> > in INIT state. However, the external switch does not see any hello coming
> > from the internal switch.
> >
> > Thanks much.
> >
> >
> >
> > 3750 external switch ----------vlan 10----------------3750 external switch
> >          |                                                       |
> >       vlan 10                                                 vlan 10
> >          |                                                       |
> > ASA firewall ---------------------Failover--------------------ASA Firewall
> >          |                                                       |
> >       vlan 10                                                 vlan 10
> >          |                                                       |
> > 3750 internal switch ----------vlan 10----------------3750 internal switch
> >
> >
> >
> > On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
> > wrote:
> > >
> > > Errr - I just realized I might have answered too quickly here and not
> > > read your original post closely enough....
> > >
> > > It sounds like you want OSPF traffic to pass THROUGH the Transparent
> > > Firewall. This should be permitted as long as your Extended ACL
> > > provides the appropriate permissions.
> > >
> > > So I would check your ACL carefully - and then check your guidelines
> > > on Transparent Firewalling:
> > >
> > > * Each directly connected network must be on the same subnet
> > > * A management IP address is required and must be on the same subnet
> > > * Each interface must be a different VLAN interface
> > >
> > > Anthony J. Sequeira
> > > #15626
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > Of Sequeira, Anthony (NETg)
> > > Sent: Wednesday, April 11, 2007 5:35 PM
> > > To: nemthuduc@gmail.com; ccielab@groupstudy.com
> > > Subject: RE: OSPF over ASA transparent mode
> > >
> > > The following features are not supported in Transparent Mode:
> > >
> > > * DYNAMIC ROUTING PROTOCOLS
> > > * NAT
> > > * IPv6
> > > * DHCP Relay
> > > * QoS
> > > * Multicast
> > > * VPN Termination for Through Traffic
> > >
> > > Anthony J Sequeira
> > > #15626
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > Of nem chua
> > > Sent: Wednesday, April 11, 2007 4:55 PM
> > > To: Cisco certification
> > > Subject: OSPF over ASA transparent mode
> > >
> > > Hello,
> > >
> > > Has anyone run this before? When I had the ASA firewall run OSPF it
> > > worked fine. I tried running the ASA firewall in transparent mode,
> > > access-list wide open for ip any any, and ospf any any. All traffic
> > > passes fine, but OSPF will not form an adjacency and is stuck in INIT
> > > state. If I plug the router on each end in directly, bypassing the
> > > firewall, it works fine. Any idea?
> > >
> > >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
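As an added illustration of the advice in this thread (not a configuration any of the participants posted), an ASA transparent-mode snippet showing the "before" state that matches the original symptom (OSPF permitted only on the outside interface) and the "after" state Marvin suggests (OSPF also permitted on the inside); the interface names, ACL names and 10.10.10.0/24 addressing are assumed.

```cisco
! Assumed lab: one VLAN / one subnet (10.10.10.0/24) bridged by the ASA;
! interface names, ACL names and addresses are made up for this example.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Transparent mode requires a management address on the bridged subnet
ip address 10.10.10.254 255.255.255.0
!
! --- Before: OSPF only permitted inbound on the outside interface ---
! Hellos from the outside router reach the inside router (it shows the
! neighbor in INIT), but the inside router's hellos are not permitted
! inbound on the inside interface, so the adjacency never leaves INIT.
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
!
! --- After: OSPF (IP protocol 89) also permitted inbound on inside ---
! Hellos are sent to 224.0.0.5 (AllSPFRouters); DR/BDR traffic uses
! 224.0.0.6 (AllDRouters); database exchange is unicast between routers.
! "permit ospf any any" as suggested in the thread also works; this form
! limits it to the bridged subnet and the two OSPF multicast groups.
access-list INSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 host 224.0.0.5
access-list INSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 host 224.0.0.6
access-list INSIDE_IN extended permit ospf 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group INSIDE_IN in interface inside
```

After applying it, `show access-list INSIDE_IN` should show the hitcnt on the 224.0.0.5 entry increasing every hello interval, and the neighbors should move from INIT through 2-WAY to FULL.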



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART