Re: OSPF over ASA transparent mode

From: nem chua (nemthuduc@gmail.com)
Date: Thu Apr 12 2007 - 10:25:26 ART


Nope, no dhcp snooping, just plain ports assigned to a vlan.

Here is the diagram

3750 external -----------vlan10-----------------3750 external
      |                                               |
   vlan 10                                         vlan 10
      |                                               |
ASA firewall--------------Failover--------------- ASA Firewall
      |                                               |
   vlan 44                                         vlan 44
      |                                               |
-----------------------3750 internal switch---------------------

Here is the config on an external 3750, an internal 3750, and the primary
asa firewall.

3750 external switch config:

interface Loopback0
 ip address 172.16.249.28 255.255.255.255

interface Vlan10
 ip address 172.16.249.6 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip ospf priority 10
!
interface Vlan30
 ip address 172.16.249.21 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 082C424F590A1511
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf priority 10
!
router ospf 1
 router-id 172.16.249.28
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 timers lsa arrival 80
 passive-interface default
 no passive-interface Vlan10
 no passive-interface Vlan30
 network 172.16.249.0 0.0.0.255 area 0

3750 Internal switch config

interface Loopback0
 ip address 172.16.249.25 255.255.255.255

interface Vlan44
 ip address 172.16.249.7 255.255.255.240
!
router ospf 1
 router-id 172.16.249.25
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 timers lsa arrival 80
 redistribute connected subnets
 network 10.254.0.0 0.0.255.255 area 0
 network 172.16.249.0 0.0.0.255 area 0

ASA firewall config:

access-list in extended permit ospf any any log
access-list in extended permit ip any any log
access-list in extended permit ip any host 224.0.0.2
access-list in extended permit ip any host 224.0.0.5
access-list in extended permit ip any host 224.0.0.6
access-list in extended permit ip 224.0.0.0 255.0.0.0 any
access-list in extended permit ip any 224.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging console informational
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
ip address 172.16.249.1 255.255.255.240 standby 172.16.249.2
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/3
failover key *****
failover link failover GigabitEthernet1/3
failover interface ip failover 192.168.254.248 255.255.255.0 standby 192.168.254.249
no asdm history enable
arp timeout 14400
access-group in in interface outside
access-group in out interface outside
access-group in in interface inside
access-group in out interface inside
route outside 0.0.0.0 0.0.0.0 c3750-xglobal-ab 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:6abc4761fa7f8c39417f7bf3e4773065
: end

On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
>
> Nem, are you using any other security features on your switch ports
> connected to the ASA?
>
> Something like DHCP snooping etc.? This could sometimes cause problems, so
> disable any security feature (if present) and try.
>
> Also don't forget to assign the management ip-address, it is important.
>
> Regards
>
> Farrukh
>
> On 4/12/07, Farrukh Haroon < farrukhharoon@gmail.com> wrote:
> >
> > Hello Gustavo
> >
> > This is not true, the ASA does not 'participate' in Multicast while in
> > transparent mode, but it *does* let multicast traffic pass through it as
> > long as the ACLs are properly configured
> >
> > Regards
> >
> > Farrukh
> >
> > On 4/12/07, Gustavo Novais < gustavo.novais@novabase.pt> wrote:
> > >
> > > If, as Anthony said, ASA does not support multicast... how about using a NBMA
> > > or point-to-multipoint non-broadcast ospf network type between your two
> > > routers? If the updates are sent as unicast... you might get there...
> > >
> > > HTH
> > >
> > > Gustavo Novais
> > >
> > > ________________________________
> > >
> > > From: nobody@groupstudy.com on behalf of nem chua
> > > Sent: Thu 12-04-2007 4:57
> > > To: Marvin Greenlee
> > > Cc: Cisco certification
> > > Subject: Re: OSPF over ASA transparent mode
> > >
> > >
> > >
> > > Yep, I tried that too, but no go.
> > >
> > > I'll try to get that config and send it tomorrow.
> > >
> > > Thanks all.
> > >
> > >
> > > On 4/11/07, Marvin Greenlee < marvin@ipexpert.com> wrote:
> > > >
> > > > You need to permit it on the inside as well. Non TCP/UDP traffic (like
> > > > EIGRP or OSPF) can be permitted with an access list.
> > > >
> > > > Add an ACL to the inside interface with a permit IP any any or permit ospf
> > > > any any and see what happens.
> > > >
> > > > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > > > Senior Technical Instructor - IPexpert, Inc.
> > > > "When Will You Be an IP Expert?"
> > > > marvin@ipexpert.com
> > > > http://www.IPexpert.com
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nem chua
> > > > Sent: Wednesday, April 11, 2007 9:08 PM
> > > > To: anthony.sequeira@thomson.com
> > > > Cc: Cisco certification
> > > > Subject: Re: OSPF over ASA transparent mode
> > > >
> > > > Hi, thank you everyone for responding to my email.
> > > >
> > > > Anthony, now this is interesting, each interface must be in a separate
> > > > vlan? So according to the drawing, I'm assuming each interface on the
> > > > external and internal 3750 has to be a separate vlan???
> > > >
> > > > In ASA transparent mode, I thought the entire network should be one vlan
> > > > and one subnet because the firewall is like a bridge between the 3750
> > > > outside and inside, why would I want to use separate vlan on each 3750 link?
> > > >
> > > > Everything else I tried. The mtu are at the default 1500 bytes. I created
> > > > access list and applied it to the external interface to allow ip any to
> > > > any, still no go. From the debugs it looks like the inside switches see
> > > > the hellos coming from the outside, and have those neighbors in INIT
> > > > state. However the external switch does not see any hello coming from the
> > > > internal switch.
> > > >
> > > > Thanks much.
> > > >
> > > >
> > > >
> > > > 3750 external switch -----------vlan10----------------3750 external switch
> > > >          |                                                    |
> > > >       vlan 10                                              vlan 10
> > > >          |                                                    |
> > > > ASA firewall--------------Failover--------------- ASA Firewall
> > > >          |                                                    |
> > > >       vlan 10                                              vlan 10
> > > >          |                                                    |
> > > > 3750 internal switch--------------vlan 10----------------3750 internal switch
> > > >
> > > >
> > > >
> > > > On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
> > > > wrote:
> > > > >
> > > > > Errr - I just realized I might have answered too quickly here and not
> > > > > read your original post closely enough....
> > > > >
> > > > > It sounds like you want OSPF traffic to pass THROUGH the Transparent
> > > > > Firewall. This should be permitted as long as your Extended ACL provides
> > > > > the appropriate permissions.
> > > > >
> > > > > So I would check your ACL carefully - and then check your guidelines on
> > > > > Transparent Firewalling:
> > > > >
> > > > > * Each directly connected network must be on the same subnet
> > > > > * A management IP address is required and must be on the same subnet
> > > > > * Each interface must be a different VLAN interface
> > > > >
> > > > > Anthony J. Sequeira
> > > > > #15626
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sequeira, Anthony (NETg)
> > > > > Sent: Wednesday, April 11, 2007 5:35 PM
> > > > > To: nemthuduc@gmail.com; ccielab@groupstudy.com
> > > > > Subject: RE: OSPF over ASA transparent mode
> > > > >
> > > > > The following features are not supported in Transparent Mode:
> > > > >
> > > > > * DYNAMIC ROUTING PROTOCOLS
> > > > > * NAT
> > > > > * IPv6
> > > > > * DHCP Relay
> > > > > * QoS
> > > > > * Multicast
> > > > > * VPN Termination for Through Traffic
> > > > >
> > > > > Anthony J Sequeira
> > > > > #15626
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nem chua
> > > > > Sent: Wednesday, April 11, 2007 4:55 PM
> > > > > To: Cisco certification
> > > > > Subject: OSPF over ASA transparent mode
> > > > >
> > > > > Hello,
> > > > >
> > > > > Anyone run this before? When I had the asa firewall run ospf it works
> > > > > fine. I tried running asa firewall in transparent mode, access-list wide
> > > > > open for ip any any, and ospf any any. All traffic passes fine, but ospf
> > > > > will not form an adjacency and is stuck in INIT state. If I plug the router
> > > > > on each end directly, bypassing the firewall it works fine. Any idea?
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
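As an added example (not part of the thread and not Cisco's code), here is a small Python evaluator for the ASA access-list and access-group lines quoted in the post above. It answers the question Marvin and Anthony keep returning to: does an OSPF hello (IP protocol 89 to 224.0.0.5) actually clear the ingress "in" ACL and the egress "out" ACL on the bridged pair of interfaces? The source addresses used in the checks are the switch SVIs from the configs; the evaluator is deliberately simplified (first match, no object-groups, no port matching, no EtherType ACLs).

```python
import ipaddress
# ACL and access-group lines copied from the ASA config quoted in the post.
ASA_CONFIG = """
access-list in extended permit ospf any any log
access-list in extended permit ip any any log
access-list in extended permit ip any host 224.0.0.2
access-list in extended permit ip any host 224.0.0.5
access-list in extended permit ip any host 224.0.0.6
access-list in extended permit ip 224.0.0.0 255.0.0.0 any
access-list in extended permit ip any 224.0.0.0 255.0.0.0
access-group in in interface outside
access-group in out interface outside
access-group in in interface inside
access-group in out interface inside
"""

PROTO = {"ip": None, "ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}  # "ip" (None) matches any protocol

def parse_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return ({acl: [(action, proto, src_net, dst_net)]}, {(iface, 'in'|'out'): acl})."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] == "extended":
            src, rest = parse_addr(t[5:])
            dst, _ = parse_addr(rest)          # a trailing "log" keyword is ignored
            acls.setdefault(t[1], []).append((t[3], PROTO[t[4]], src, dst))
        elif t[0] == "access-group":           # access-group NAME in|out interface IFACE
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings

def permitted(acls, bindings, iface, direction, proto, src, dst):
    """First-match evaluation; an unbound direction or no matching entry is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in acls.get(bindings.get((iface, direction)), []):
        if (p is None or p == proto) and s in snet and d in dnet:
            return action == "permit"
    return False

def hello_passes(text, ingress, egress, src, dst="224.0.0.5"):
    """An OSPF hello (IP protocol 89) must clear the ingress 'in' ACL and the egress 'out' ACL."""
    acls, bindings = parse_config(text)
    return (permitted(acls, bindings, ingress, "in", 89, src, dst)
            and permitted(acls, bindings, egress, "out", 89, src, dst))
```

Running the check against the posted config shows the ACLs are not what blocks the hellos in either direction; removing the two inside bindings reproduces the "permitted only on the outside" case Marvin warned about.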



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART