RE: OSPF over ASA transparent mode

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Thu Apr 12 2007 - 10:35:13 ART


Hi,

Let me try to give it another shot ;)

What do you see on syslog? What do you see when you apply an extended
ACE permitting and logging OSPF traffic on the bridge group?
What happens to the traffic?

As Farrukh said, does your bridge group have a management IP address?

If you are running ASDM, (and also through command line) you can try to
use the packet trace feature, "simulating" what would be the processing
of a packet from your router interface to 224.0.0.5 OR 224.0.0.6.

The well-known multicast MACs 01005Exxxxxx are allowed by default (see
http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c38.html#wp1220181), but you
should specifically permit them.

You also have an alternative (be cautious if you are in a live
environment): use the capture command in order to capture the traffic
flowing through the FWSM and going through the generic processor.
See
http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a008048cf4c.html#wp1839412

In the worst case, try to SPAN the port-channel to the FWSM to a port and
sniff what's going on, correlating it with syslog...

Gustavo Novais

 
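As an added illustration (not part of the original thread, and not a config anyone in it posted), here is what the checklist the replies converge on looks like on an ASA running 7.x in single-context transparent mode: an extended ACL with an explicit OSPF entry applied to both interfaces, the mandatory management IP on the bridged subnet, a capture ACL, and the packet-tracer and capture commands used to verify the path. Interface names, the VLAN and the 10.1.10.0/24 addresses are assumptions for the example.

```cisco
! Added example, not from the thread. ASA 7.x, single context, transparent.
! Assumed: Gi0/0 faces the external 3750, Gi0/1 the internal one, and the
! routers and firewall all sit in 10.1.10.0/24 (VLAN 10).
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management IP: required in transparent mode and must be on the same
! subnet as the network being bridged (the one the routers use).
ip address 10.1.10.3 255.255.255.0
!
! OSPF is IP protocol 89, neither TCP nor UDP, so give it its own ACE and
! apply an ACL on BOTH interfaces. "log" makes every hit show up in syslog,
! which tells you whether hellos to 224.0.0.5 are reaching the ASA from
! each side before you start looking at the switches.
access-list OUTSIDE_IN extended permit ospf any any log
access-list OUTSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit ospf any any log
access-list INSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
!
! Match-only ACL used to restrict the captures below to OSPF.
access-list CAP_OSPF extended permit ospf any any
!
! --- Verification, run from exec mode (shown as comments) ---
! 1) Simulate an OSPF hello from the inside router (assumed 10.1.10.1)
!    to AllSPFRouters and see which phase, if any, drops it:
!    packet-tracer input inside rawip 10.1.10.1 89 224.0.0.5
! 2) Capture OSPF on both interfaces and compare: hellos seen on inside
!    but never on outside means the ASA is dropping them; hellos seen on
!    outside but not by the far switch means look at the switch ports.
!    capture ospf_in access-list CAP_OSPF interface inside
!    capture ospf_out access-list CAP_OSPF interface outside
!    show capture ospf_in
!    show capture ospf_out
```

The packet-tracer line uses the raw-IP form (`rawip <src> <protocol> <dst>`) because OSPF has no ports. The two captures are the ASA equivalent of the FWSM capture and SPAN suggestions above: if the inside capture shows hellos from the internal switch and the outside capture does not, the problem is inside the firewall and the syslog hits on the `log` ACEs will show how far they got; if both captures show them, the drop is on the switch side, which is where the DHCP snooping or port-security check in the next message applies.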

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Farrukh Haroon
Sent: Thursday, 12 April 2007 13:13
To: nem chua
Cc: Cisco certification
Subject: Re: OSPF over ASA transparent mode

Nem, are you using any other security features on your switch ports
connected to the ASA?

Something like DHCP snooping etc.? This could sometimes cause problems,
so disable any security feature (if present) and try.

Also don't forget to assign the management ip-address, it is important.

Regards

Farrukh

On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
>
> Hello Gustavo
>
> This is not true, the ASA does not 'participate' in Multicast while in
> transparent mode, but it *does* let multicast traffic pass through it as
> long as the ACLs are properly configured
>
> Regards
>
> Farrukh
>
> On 4/12/07, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
> >
> > If, as Anthony said, ASA does not support multicast... how about
> > using an NBMA or point-to-multipoint non-broadcast OSPF network type
> > between your two routers? If the updates are sent as unicast... you
> > might get there...
> >
> > HTH
> >
> > Gustavo Novais
> >
> > ________________________________
> >
> > From: nobody@groupstudy.com on behalf of nem chua
> > Sent: Thu 12-04-2007 4:57
> > To: Marvin Greenlee
> > Cc: Cisco certification
> > Subject: Re: OSPF over ASA transparent mode
> >
> >
> >
> > Yep, I tried that too, but no go.
> >
> > I'll try to get that config and send it tomorrow.
> >
> > Thanks all.
> >
> >
> > On 4/11/07, Marvin Greenlee < marvin@ipexpert.com> wrote:
> > >
> > > You need to permit it on the inside as well. Non TCP/UDP traffic
> > > (like EIGRP or OSPF) can be permitted with an access list.
> > >
> > > Add an ACL to the inside interface with a permit IP any any or
> > > permit ospf any any and see what happens.
> > >
> > > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > > Senior Technical Instructor - IPexpert, Inc.
> > > "When Will You Be an IP Expert?"
> > > marvin@ipexpert.com
> > > http://www.IPexpert.com
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > Behalf Of nem chua
> > > Sent: Wednesday, April 11, 2007 9:08 PM
> > > To: anthony.sequeira@thomson.com
> > > Cc: Cisco certification
> > > Subject: Re: OSPF over ASA transparent mode
> > >
> > > Hi, thank you everyone for responding to my email.
> > >
> > > Anthony, now this is interesting, each interface must be in a
> > > separate vlan? So according to the drawing, I'm assuming each
> > > interface on the external and internal 3750 has to be a separate
> > > vlan???
> > >
> > > In ASA transparent mode, I thought the entire network should be one
> > > vlan and one subnet because the firewall is like a bridge between
> > > the 3750 outside and inside, why would I want to use a separate vlan
> > > on each 3750 link?
> > >
> > > Everything else I tried. The MTUs are at the default 1500 bytes. I
> > > created an access list and applied it to the external interface to
> > > allow ip any to any, still no go. From the debugs it looks like the
> > > inside switches see the hellos coming from the outside, and have
> > > those neighbors in INIT state. However the external switch does not
> > > see any hello coming from the internal switch.
> > >
> > > Thanks much.
> > >
> > >
> > >
> > > 3750 external switch -----------vlan10----------------3750 external switch
> > >           |                                                    |
> > >        vlan 10                                              vlan 10
> > >           |                                                    |
> > >     ASA firewall--------------Failover--------------- ASA Firewall
> > >           |                                                    |
> > >        vlan 10                                              vlan 10
> > >           |                                                    |
> > > 3750 internal switch--------------vlan 10----------------3750 internal switch
> > >
> > >
> > >
> > > On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
> > > wrote:
> > > >
> > > > Errr - I just realized I might have answered too quickly here
> > > > and not read your original post closely enough....
> > > >
> > > > It sounds like you want OSPF traffic to pass THROUGH the
> > > > Transparent Firewall. This should be permitted as long as your
> > > > Extended ACL provides the appropriate permissions.
> > > >
> > > > So I would check your ACL carefully - and then check your
> > > > guidelines on Transparent Firewalling:
> > > >
> > > > * Each directly connected network must be on the same subnet
> > > > * A management IP address is required and must be on the same
> > > >   subnet
> > > > * Each interface must be a different VLAN interface
> > > >
> > > > Anthony J. Sequeira
> > > > #15626
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > Behalf Of Sequeira, Anthony (NETg)
> > > > Sent: Wednesday, April 11, 2007 5:35 PM
> > > > To: nemthuduc@gmail.com; ccielab@groupstudy.com
> > > > Subject: RE: OSPF over ASA transparent mode
> > > >
> > > > The following features are not supported in Transparent Mode:
> > > >
> > > > * DYNAMIC ROUTING PROTOCOLS
> > > > * NAT
> > > > * IPv6
> > > > * DHCP Relay
> > > > * QoS
> > > > * Multicast
> > > > * VPN Termination for Through Traffic
> > > >
> > > > Anthony J Sequeira
> > > > #15626
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > Behalf Of nem chua
> > > > Sent: Wednesday, April 11, 2007 4:55 PM
> > > > To: Cisco certification
> > > > Subject: OSPF over ASA transparent mode
> > > >
> > > > Hello,
> > > >
> > > > Anyone run this before? When I had the ASA firewall run OSPF it
> > > > works fine. I tried running the ASA firewall in transparent mode,
> > > > access-list wide open for ip any any, and ospf any any. All
> > > > traffic passes fine, but OSPF will not form an adjacency and is
> > > > stuck in INIT state. If I plug the router on each end in directly,
> > > > bypassing the firewall, it works fine. Any idea?
> > > >
> > > >
> >



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART