Re: OSPF over ASA transparent mode

From: nem chua (nemthuduc@gmail.com)
Date: Thu Apr 12 2007 - 12:38:01 ART


I think I'll try the software upgrade path. I talked to Cisco and was
told that version 7.1.2 shouldn't be an issue with OSPF, but it's worth a try.

I also removed authentication, but no luck. I'll post to the group if the
upgrade works.

Thank you everyone for your response.

On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
>
> Dear Gustavo
>
> I think you are confusing something here, or I am :)
>
> Nem, has ASA(s) and not FWSM(s)
>
> Nem, I would suggest you try and test your setup with one firewall only,
> removing all failover configuration and other extra things (if possible,
> assuming this is not a production environment)
>
> also the ASA software has loads of bugs in it, so try upgrading to 7.2(2)
> the latest public release (if possible)
>
> and last but not least, try OSPF without authentication.
>
> Regards
>
> Farrukh
>
> On 4/12/07, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
> >
> > Hi again
> >
> > Where are your interfaces and bridge groups definitions?
> >
> > See
> > http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602ff7.html#wp1047426
> > for an example
> >
> >
> > I'm curious regarding spanning-tree... what is its current state? Which
> > port is blocking? Is it the one leading to the standby firewall? On the Vlan
> > 10 side, or vlan 44?
> >
> >
> > Gustavo Novais
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > nem chua
> > Sent: Thursday, 12 April 2007 14:25
> > To: Farrukh Haroon
> > Cc: Cisco certification
> > Subject: Re: OSPF over ASA transparent mode
> >
> > Nope, no dhcp snooping, just plain ports assigned to a vlan.
> >
> > Here is the diagram
> >
> > 3750 external -----------vlan10-----------------3750 external
> >       |                                                |
> >     vlan 10                                         vlan 10
> >       |                                                |
> > ASA firewall--------------Failover--------------- ASA Firewall
> >       |                                                |
> >     vlan 44                                         vlan 44
> >       |                                                |
> > -----------------------3750 internal switch---------------------
> >
> >
> > Here is the config on an external 3750, an internal 3750, and the
> > primary ASA firewall.
> >
> > 3750 external switch config:
> >
> > interface Loopback0
> > ip address 172.16.249.28 255.255.255.255
> >
> > interface Vlan10
> > ip address 172.16.249.6 255.255.255.240
> > no ip redirects
> > no ip proxy-arp
> > ip ospf priority 10
> > !
> > interface Vlan30
> > ip address 172.16.249.21 255.255.255.252
> > no ip redirects
> > no ip proxy-arp
> > ip ospf authentication message-digest
> > ip ospf message-digest-key 1 md5 7 082C424F590A1511
> > ip ospf dead-interval minimal hello-multiplier 4
> > ip ospf priority 10
> > !
> > router ospf 1
> > router-id 172.16.249.28
> > log-adjacency-changes
> > auto-cost reference-bandwidth 100000
> > timers throttle spf 10 100 5000
> > timers throttle lsa all 10 100 5000
> > timers lsa arrival 80
> > passive-interface default
> > no passive-interface Vlan10
> > no passive-interface Vlan30
> > network 172.16.249.0 0.0.0.255 area 0
> >
> >
> >
> > 3750 Internal switch config
> >
> > interface Loopback0
> > ip address 172.16.249.25 255.255.255.255
> >
> > interface Vlan44
> > ip address 172.16.249.7 255.255.255.240
> > !
> > router ospf 1
> > router-id 172.16.249.25
> > log-adjacency-changes
> > auto-cost reference-bandwidth 100000
> > timers throttle spf 10 100 5000
> > timers throttle lsa all 10 100 5000
> > timers lsa arrival 80
> > redistribute connected subnets
> > network 10.254.0.0 0.0.255.255 area 0
> > network 172.16.249.0 0.0.0.255 area 0
> >
> > ASA firewall config:
> >
> > access-list in extended permit ospf any any log
> > access-list in extended permit ip any any log
> > access-list in extended permit ip any host 224.0.0.2
> > access-list in extended permit ip any host 224.0.0.5
> > access-list in extended permit ip any host 224.0.0.6
> > access-list in extended permit ip 224.0.0.0 255.0.0.0 any
> > access-list in extended permit ip any 224.0.0.0 255.0.0.0
> > pager lines 24
> > logging enable
> > logging timestamp
> > logging console informational
> > logging buffered informational
> > logging asdm informational
> > mtu outside 1500
> > mtu inside 1500
> > ip address 172.16.249.1 255.255.255.240 standby 172.16.249.2
> > failover
> > failover lan unit secondary
> > failover lan interface failover GigabitEthernet1/3
> > failover key *****
> > failover link failover GigabitEthernet1/3
> > failover interface ip failover 192.168.254.248 255.255.255.0 standby 192.168.254.249
> > no asdm history enable
> > arp timeout 14400
> > access-group in in interface outside
> > access-group in out interface outside
> > access-group in in interface inside
> > access-group in out interface inside
> > route outside 0.0.0.0 0.0.0.0 c3750-xglobal-ab 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > no snmp-server location
> > no snmp-server contact
> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > telnet timeout 5
> > ssh timeout 5
> > console timeout 0
> > !
> > class-map inspection_default
> > match default-inspection-traffic
> > !
> > !
> > policy-map global_policy
> > class inspection_default
> > inspect dns maximum-length 512
> > inspect ftp
> > inspect h323 h225
> > inspect h323 ras
> > inspect rsh
> > inspect rtsp
> > inspect esmtp
> > inspect sqlnet
> > inspect skinny
> > inspect sunrpc
> > inspect xdmcp
> > inspect sip
> > inspect netbios
> > inspect tftp
> > !
> > service-policy global_policy global
> > Cryptochecksum:6abc4761fa7f8c39417f7bf3e4773065
> > : end
> >
> >
> >
> >
> > On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com > wrote:
> > >
> > > Nem, are you using any other security features on you switch ports
> > > connected to the ASA?
> > >
> > > Something like DHCP snooping etc.? This could sometimes cause
> > > problems, so disable any security feature (if present) and try.
> > >
> > > Also don't forget to assign the management ip-address, it is
> > > important.
> > >
> > > Regards
> > >
> > > Farrukh
> > >
> > > On 4/12/07, Farrukh Haroon < farrukhharoon@gmail.com> wrote:
> > > >
> > > > Hello Gustavo
> > > >
> > > > This is not true, the ASA does not 'participate' in Multicast while
> > > > in transparent mode, but it *does* let multicast traffic pass
> > > > through it as long as the ACLs are properly configured
> > > >
> > > > Regards
> > > >
> > > > Farrukh
> > > >
> > > > On 4/12/07, Gustavo Novais < gustavo.novais@novabase.pt> wrote:
> > > > >
> > > > > If, as Anthony said, ASA does not support multicast... how about
> > > > > using a NBMA or point-to-multipoint non-broadcast OSPF network type
> > > > > between your two routers? If the updates are sent as unicast... you
> > > > > might get there...
> > > > >
> > > > > HTH
> > > > >
> > > > > Gustavo Novais
> > > > >
> > > > > ________________________________
> > > > >
> > > > > From: nobody@groupstudy.com on behalf of nem chua
> > > > > Sent: Thu 12-04-2007 4:57
> > > > > To: Marvin Greenlee
> > > > > Cc: Cisco certification
> > > > > Subject: Re: OSPF over ASA transparent mode
> > > > >
> > > > >
> > > > >
> > > > > Yep, I tried that too, but no go.
> > > > >
> > > > > I'll try to get that config and send it tomorrow.
> > > > >
> > > > > Thanks all.
> > > > >
> > > > >
> > > > > On 4/11/07, Marvin Greenlee < marvin@ipexpert.com> wrote:
> > > > > >
> > > > > > You need to permit it on the inside as well. Non TCP/UDP traffic
> > > > > > (like EIGRP or OSPF) can be permitted with an access list.
> > > > > >
> > > > > > Add an ACL to the inside interface with a permit IP any any or
> > > > > > permit ospf any any and see what happens.
> > > > > >
> > > > > > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > > > > > Senior Technical Instructor - IPexpert, Inc.
> > > > > > "When Will You Be an IP Expert?"
> > > > > > marvin@ipexpert.com
> > > > > > http://www.IPexpert.com
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > Behalf Of nem chua
> > > > > > Sent: Wednesday, April 11, 2007 9:08 PM
> > > > > > To: anthony.sequeira@thomson.com
> > > > > > Cc: Cisco certification
> > > > > > Subject: Re: OSPF over ASA transparent mode
> > > > > >
> > > > > > Hi, thank you everyone for responding to my email.
> > > > > >
> > > > > > Anthony, now this is interesting, each interface must be in a
> > > > > > separate vlan? So according to the drawing, I'm assuming each
> > > > > > interface on the external and internal 3750 has to be a separate
> > > > > > vlan???
> > > > > >
> > > > > > In ASA transparent mode, I thought the entire network should be
> > > > > > one vlan and one subnet because the firewall is like a bridge
> > > > > > between the 3750 outside and inside, why would I want to use a
> > > > > > separate vlan on each 3750 link?
> > > > > >
> > > > > > Everything else I tried. The MTUs are at the default 1500 bytes. I
> > > > > > created an access list and applied it to the external interface to
> > > > > > allow ip any to any, still no go. From the debugs it looks like the
> > > > > > inside switches see the hellos coming from the outside, and have
> > > > > > those neighbors in INIT state. However the external switch does not
> > > > > > see any hello coming from the internal switch.
> > > > > >
> > > > > > Thanks much.
> > > > > >
> > > > > >
> > > > > >
> > > > > > 3750 external switch -----------vlan10----------------3750 external switch
> > > > > >         |                                                   |
> > > > > >       vlan 10                                            vlan 10
> > > > > >         |                                                   |
> > > > > > ASA firewall--------------Failover--------------- ASA Firewall
> > > > > >         |                                                   |
> > > > > >       vlan 10                                            vlan 10
> > > > > >         |                                                   |
> > > > > > 3750 internal switch--------------vlan 10----------------3750 internal switch
> > > > > >
> > > > > >
> > > > > >
> > > > > > On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
> > > > > > wrote:
> > > > > > >
> > > > > > > Errr - I just realized I might have answered too quickly here
> > > > > > > and not read your original post closely enough....
> > > > > > >
> > > > > > > It sounds like you want OSPF traffic to pass THROUGH the
> > > > > > > Transparent Firewall. This should be permitted as long as your
> > > > > > > Extended ACL provides the appropriate permissions.
> > > > > > >
> > > > > > > So I would check your ACL carefully - and then check your
> > > > > > > guidelines on Transparent Firewalling:
> > > > > > >
> > > > > > > * Each directly connected network must be on the same subnet
> > > > > > > * A management IP address is required and must be on the same
> > > > > > >   subnet
> > > > > > > * Each interface must be a different VLAN interface
> > > > > > > Anthony J. Sequeira
> > > > > > > #15626
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > Behalf Of Sequeira, Anthony (NETg)
> > > > > > > Sent: Wednesday, April 11, 2007 5:35 PM
> > > > > > > To: nemthuduc@gmail.com; ccielab@groupstudy.com
> > > > > > > Subject: RE: OSPF over ASA transparent mode
> > > > > > >
> > > > > > > The following features are not supported in Transparent Mode:
> > > > > > >
> > > > > > > * DYNAMIC ROUTING PROTOCOLS
> > > > > > > * NAT
> > > > > > > * IPv6
> > > > > > > * DHCP Relay
> > > > > > > * QoS
> > > > > > > * Multicast
> > > > > > > * VPN Termination for Through Traffic
> > > > > > >
> > > > > > > Anthony J Sequeira
> > > > > > > #15626
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > Behalf Of nem chua
> > > > > > > Sent: Wednesday, April 11, 2007 4:55 PM
> > > > > > > To: Cisco certification
> > > > > > > Subject: OSPF over ASA transparent mode
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > Has anyone run this before? When I had the ASA firewall run OSPF it
> > > > > > > works fine. I tried running the ASA firewall in transparent mode,
> > > > > > > access-list wide open for ip any any, and ospf any any. All
> > > > > > > traffic passes fine, but OSPF will not form an adjacency and is
> > > > > > > stuck in INIT state. If I plug the router on each end in directly,
> > > > > > > bypassing the firewall, it works fine. Any idea?
> > > > > > >
> > > > > > >
> > > > >
> > _______________________________________________________________________
> > > > > > > Subscription information may be found at:
> > > > > > > http://www.groupstudy.com/list/CCIELab.html
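The symptom nem describes (the inside switch holds the outside neighbor in INIT, the outside switch never sees the inside switch's hellos) is what RFC 2328's neighbor logic produces when hellos cross the segment in one direction only. The following is an added example, not code from the thread or from Cisco: a stand-alone model of OSPFv2 Hello packets and the Down / Init / 2-Way transitions, with the transparent ASA reduced to two forwarding flags, one per direction. The router IDs (172.16.249.28 and 172.16.249.25), the /28 mask and area 0 are taken from the posted switch configs; the forwarding flags, the `OspfRouter` class and the `exchange()` helper are assumptions made for the model, and MD5 (AuType 2) is represented only by its AuType field, not by the trailing digest.

```python
"""Constructed model of OSPFv2 hellos and RFC 2328 neighbor states.
Standard library only; nothing here talks to a network."""
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
OSPF_PROTOCOL = 89             # IP protocol an ASA "permit ospf any any" matches
ALL_SPF_ROUTERS = "224.0.0.5"  # destination of hellos on a broadcast segment

DOWN, INIT, TWO_WAY = "DOWN", "INIT", "2-WAY"

HDR = struct.Struct("!BBH4s4sHH8s")   # version, type, length, rid, area, csum, autype, auth
HELLO = struct.Struct("!4sHBBI4s4s")  # mask, hello, options, priority, dead, DR, BDR


def _ip(text):
    return ipaddress.IPv4Address(text).packed


def _txt(raw):
    return str(ipaddress.IPv4Address(raw))


def ospf_checksum(pkt):
    """RFC 2328 A.3.1: one's-complement sum over the packet with the 64-bit
    authentication field (header bytes 16..23) left out."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area, mask, neighbors=(), hello=10, dead=40, autype=0):
    body = HELLO.pack(_ip(mask), hello, 0x02, 1, dead, bytes(4), bytes(4))
    body += b"".join(_ip(n) for n in neighbors)  # router IDs heard recently
    hdr = HDR.pack(OSPF_VERSION, OSPF_HELLO, HDR.size + len(body),
                   _ip(router_id), _ip(area), 0, autype, bytes(8))
    # AuType 2 (MD5) zeroes the checksum and appends a digest instead; the
    # digest is not modeled here (assumption: only the AuType field matters).
    csum = 0 if autype == 2 else ospf_checksum(hdr + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def parse_hello(pkt):
    ver, ptype, length, rid, area, csum, autype, _auth = HDR.unpack_from(pkt)
    if ver != OSPF_VERSION or ptype != OSPF_HELLO or length > len(pkt):
        raise ValueError("not a complete OSPFv2 hello")
    if autype != 2 and ospf_checksum(pkt[:12] + b"\x00\x00" + pkt[14:length]) != csum:
        raise ValueError("OSPF checksum mismatch")
    mask, hello, _opts, prio, dead, _dr, _bdr = HELLO.unpack_from(pkt, HDR.size)
    first = HDR.size + HELLO.size
    return {"router_id": _txt(rid), "area": _txt(area), "autype": autype,
            "mask": _txt(mask), "hello": hello, "dead": dead, "priority": prio,
            "neighbors": [_txt(pkt[i:i + 4]) for i in range(first, length, 4)]}


def hello_mismatches(local, hello):
    """RFC 2328 8.2 and 10.5: a hello whose area, AuType, mask or timers differ
    from ours is dropped, so that neighbor never even reaches INIT."""
    return [k for k in ("area", "autype", "mask", "hello", "dead") if local[k] != hello[k]]


class OspfRouter:
    def __init__(self, router_id, area="0.0.0.0", mask="255.255.255.240",
                 hello=10, dead=40, autype=0):
        self.router_id = router_id
        self.params = {"area": area, "mask": mask, "hello": hello,
                       "dead": dead, "autype": autype}
        self.neighbors = {}  # neighbor router ID -> state

    def hello(self):
        return build_hello(self.router_id, self.params["area"], self.params["mask"],
                           neighbors=tuple(self.neighbors), hello=self.params["hello"],
                           dead=self.params["dead"], autype=self.params["autype"])

    def receive(self, pkt):
        h = parse_hello(pkt)
        if hello_mismatches(self.params, h):
            return DOWN                     # dropped before the neighbor table
        # HelloReceived moves Down -> Init; seeing our own router ID in the
        # sender's neighbor list is 2-WayReceived and moves Init -> 2-Way.
        state = TWO_WAY if self.router_id in h["neighbors"] else INIT
        self.neighbors[h["router_id"]] = state
        return state


def exchange(outside, inside, out_to_in=True, in_to_out=True, rounds=2):
    """Run hello rounds across a firewall that forwards only in the directions
    given. Returns (outside's state for inside, inside's state for outside)."""
    for _ in range(rounds):
        if out_to_in:
            inside.receive(outside.hello())
        if in_to_out:
            outside.receive(inside.hello())
    return (outside.neighbors.get(inside.router_id, DOWN),
            inside.neighbors.get(outside.router_id, DOWN))


if __name__ == "__main__":
    # Router IDs are the loopbacks of the external and internal 3750s.
    for label, kw in (("both directions", {}), ("outside->inside only", {"in_to_out": False})):
        out, inn = OspfRouter("172.16.249.28"), OspfRouter("172.16.249.25")
        print(label, exchange(out, inn, **kw))
```

Run as a script it prints `('2-WAY', '2-WAY')` when the model firewall forwards both ways and `('DOWN', 'INIT')` when it forwards only outside to inside, which is the pattern in nem's debugs. An AuType mismatch (one side with `autype=2`, the other with 0) or a dead-interval mismatch leaves both sides DOWN rather than INIT, so the INIT-on-one-side state is a sign that hellos arrive intact on that side and the question is whether protocol 89 to 224.0.0.5 is actually reaching the other side. The ACL in the posted config permits that on both interfaces in both directions, which leaves the Layer-2 path (the spanning-tree state Gustavo asks about) as the thing to verify next.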



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART