Re: OSPF over ASA transparent mode

From: nem chua (nemthuduc@gmail.com)
Date: Fri Apr 13 2007 - 11:42:34 ART


Hey, it works if I do point-to-multipoint non-broadcast over transparent
mode. Very cool.

Thank you for all your help.

On 4/12/07, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
>
> Go figure...
>
> Perhaps it is too late now, but just for curiosity, what about the thing
> I said earlier about forcing the ospf hellos to be unicasted? Did it
> work?
>
> Sorry about the confusion earlier about FWSM and ASA... my bad :(
>
> I'm glad you have the problem solved!
>
> Gustavo Novais
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nem chua
> Sent: Thursday, 12 April 2007 18:46
> To: Farrukh Haroon
> Cc: Cisco certification
> Subject: Re: OSPF over ASA transparent mode
>
> I think I found a Cisco bug with 7.1.2. Looks like in transparent mode,
> multicast was not passed somehow from the inside interface to the external
> interface. We had gig 0/0 as the outside, and 1/2 as the inside, and we
> can't get OSPF to establish adjacency. The inside interface saw the hellos,
> but the outside interface did not. When I put both the inside and outside
> interface on the same slot 0, it works.
>
> Cisco didn't seem to be aware of this bug; our TAC engineer recommended
> upgrading to the latest release, but didn't find anything specific to this
> issue in the latest code. I have not yet loaded the new code to confirm if
> it would fix the issue, so the workaround is to put both the outside and
> inside interface in the same slot.
>
> Thanks for all your help.
>
>
>
>
> On 4/12/07, nem chua <nemthuduc@gmail.com> wrote:
> >
> > I think I'll try the upgrading software path. I talked to Cisco and was
> > told the version 7.1.2 shouldn't be an issue with OSPF, but worth a try.
> >
> > I also removed authentication, but no luck. I'll post to the group if the
> > upgrade works.
> >
> > Thank you everyone for your response.
> >
> >
> > On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
> > >
> > > Dear Gustavo
> > >
> > > I think you are confusing something here, or I am :)
> > >
> > > Nem has ASA(s) and not FWSM(s).
> > >
> > > Nem, I would suggest to try and test your setup with one firewall only,
> > > removing all failover configuration and other extra things (if possible,
> > > assuming this is not a production environment).
> > >
> > > Also, the ASA software has loads of bugs in it, so try upgrading to
> > > 7.2(2), the latest public release (if possible).
> > >
> > > And last but not least, try OSPF without authentication.
> > >
> > > Regards
> > >
> > > Farrukh
> > >
> > > On 4/12/07, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
> > > >
> > > > Hi again
> > > >
> > > > Where are your interface and bridge group definitions?
> > > >
> > > > See
> > > > http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602ff7.html#wp1047426
> > > > for an example.
> > > >
> > > > I'm curious regarding spanning-tree... what is its current state? Which
> > > > port is blocking? Is it the one leading to the standby firewall? On the
> > > > Vlan 10 side, or vlan 44?
> > > >
> > > >
> > > > Gustavo Novais
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > nem chua
> > > > Sent: Thursday, 12 April 2007 14:25
> > > > To: Farrukh Haroon
> > > > Cc: Cisco certification
> > > > Subject: Re: OSPF over ASA transparent mode
> > > >
> > > > Nope, no dhcp snooping, just plain ports assigned to a vlan.
> > > >
> > > > Here is the diagram
> > > >
> > > > 3750 external -----------vlan10-----------------3750 external
> > > >       |                                              |
> > > >    vlan 10                                        vlan 10
> > > >       |                                              |
> > > > ASA firewall--------------Failover--------------- ASA Firewall
> > > >       |                                              |
> > > >    vlan 44                                        vlan 44
> > > >       |                                              |
> > > > -----------------------3750 internal switch---------------------
> > > >
> > > >
> > > > Here is the config on an external 3750, an internal 3750, and the
> > > > primary ASA firewall.
> > > >
> > > > 3750 external switch config:
> > > >
> > > > interface Loopback0
> > > >  ip address 172.16.249.28 255.255.255.255
> > > > !
> > > > interface Vlan10
> > > >  ip address 172.16.249.6 255.255.255.240
> > > >  no ip redirects
> > > >  no ip proxy-arp
> > > >  ip ospf priority 10
> > > > !
> > > > interface Vlan30
> > > >  ip address 172.16.249.21 255.255.255.252
> > > >  no ip redirects
> > > >  no ip proxy-arp
> > > >  ip ospf authentication message-digest
> > > >  ip ospf message-digest-key 1 md5 7 082C424F590A1511
> > > >  ip ospf dead-interval minimal hello-multiplier 4
> > > >  ip ospf priority 10
> > > > !
> > > > router ospf 1
> > > >  router-id 172.16.249.28
> > > >  log-adjacency-changes
> > > >  auto-cost reference-bandwidth 100000
> > > >  timers throttle spf 10 100 5000
> > > >  timers throttle lsa all 10 100 5000
> > > >  timers lsa arrival 80
> > > >  passive-interface default
> > > >  no passive-interface Vlan10
> > > >  no passive-interface Vlan30
> > > >  network 172.16.249.0 0.0.0.255 area 0
> > > >
> > > >
> > > > 3750 internal switch config:
> > > >
> > > > interface Loopback0
> > > >  ip address 172.16.249.25 255.255.255.255
> > > > !
> > > > interface Vlan44
> > > >  ip address 172.16.249.7 255.255.255.240
> > > > !
> > > > router ospf 1
> > > >  router-id 172.16.249.25
> > > >  log-adjacency-changes
> > > >  auto-cost reference-bandwidth 100000
> > > >  timers throttle spf 10 100 5000
> > > >  timers throttle lsa all 10 100 5000
> > > >  timers lsa arrival 80
> > > >  redistribute connected subnets
> > > >  network 10.254.0.0 0.0.255.255 area 0
> > > >  network 172.16.249.0 0.0.0.255 area 0
> > > > ASA firewall config:
> > > >
> > > > access-list in extended permit ospf any any log
> > > > access-list in extended permit ip any any log
> > > > access-list in extended permit ip any host 224.0.0.2
> > > > access-list in extended permit ip any host 224.0.0.5
> > > > access-list in extended permit ip any host 224.0.0.6
> > > > access-list in extended permit ip 224.0.0.0 255.0.0.0 any
> > > > access-list in extended permit ip any 224.0.0.0 255.0.0.0
> > > > pager lines 24
> > > > logging enable
> > > > logging timestamp
> > > > logging console informational
> > > > logging buffered informational
> > > > logging asdm informational
> > > > mtu outside 1500
> > > > mtu inside 1500
> > > > ip address 172.16.249.1 255.255.255.240 standby 172.16.249.2
> > > > failover
> > > > failover lan unit secondary
> > > > failover lan interface failover GigabitEthernet1/3
> > > > failover key *****
> > > > failover link failover GigabitEthernet1/3
> > > > failover interface ip failover 192.168.254.248 255.255.255.0 standby 192.168.254.249
> > > > no asdm history enable
> > > > arp timeout 14400
> > > > access-group in in interface outside
> > > > access-group in out interface outside
> > > > access-group in in interface inside
> > > > access-group in out interface inside
> > > > route outside 0.0.0.0 0.0.0.0 c3750-xglobal-ab 1
> > > > timeout xlate 3:00:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > > > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> > > > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > > >
> > > > telnet timeout 5
> > > > ssh timeout 5
> > > > console timeout 0
> > > > !
> > > > class-map inspection_default
> > > >  match default-inspection-traffic
> > > > !
> > > > !
> > > > policy-map global_policy
> > > >  class inspection_default
> > > >   inspect dns maximum-length 512
> > > >   inspect ftp
> > > >   inspect h323 h225
> > > >   inspect h323 ras
> > > >   inspect rsh
> > > >   inspect rtsp
> > > >   inspect esmtp
> > > >   inspect sqlnet
> > > >   inspect skinny
> > > >   inspect sunrpc
> > > >   inspect xdmcp
> > > >   inspect sip
> > > >   inspect netbios
> > > >   inspect tftp
> > > > !
> > > > service-policy global_policy global
> > > > Cryptochecksum:6abc4761fa7f8c39417f7bf3e4773065
> > > > : end
> > > >
> > > >
> > > >
> > > >
> > > > On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
> > > > >
> > > > > Nem, are you using any other security features on your switch ports
> > > > > connected to the ASA?
> > > > >
> > > > > Something like DHCP snooping etc.? This could sometimes cause
> > > > > problems, so disable any security feature (if present) and try.
> > > > >
> > > > > Also don't forget to assign the management IP address, it is
> > > > > important.
> > > > >
> > > > > Regards
> > > > >
> > > > > Farrukh
> > > > >
> > > > > On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
> > > > > >
> > > > > > Hello Gustavo
> > > > > >
> > > > > > This is not true, the ASA does not 'participate' in multicast while
> > > > > > in transparent mode, but it *does* let multicast traffic pass
> > > > > > through it as long as the ACLs are properly configured.
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > Farrukh
> > > > > >
> > > > > > On 4/12/07, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
> > > > > > >
> > > > > > > If, as Anthony said, ASA does not support multicast... how about
> > > > > > > using an NBMA or point-to-multipoint non-broadcast OSPF network
> > > > > > > type between your two routers? If the updates are sent as
> > > > > > > unicast... you might get there...
> > > > > > >
> > > > > > > HTH
> > > > > > >
> > > > > > > Gustavo Novais
> > > > > > >
> > > > > > > ________________________________
> > > > > > >
> > > > > > > From: nobody@groupstudy.com on behalf of nem chua
> > > > > > > Sent: Thu 12-04-2007 4:57
> > > > > > > To: Marvin Greenlee
> > > > > > > Cc: Cisco certification
> > > > > > > Subject: Re: OSPF over ASA transparent mode
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Yep, I tried that too, but no go.
> > > > > > >
> > > > > > > I'll try to get that config and send it tomorrow.
> > > > > > >
> > > > > > > Thanks all.
> > > > > > >
> > > > > > >
> > > > > > > On 4/11/07, Marvin Greenlee <marvin@ipexpert.com> wrote:
> > > > > > > >
> > > > > > > > You need to permit it on the inside as well. Non-TCP/UDP traffic
> > > > > > > > (like EIGRP or OSPF) can be permitted with an access list.
> > > > > > > >
> > > > > > > > Add an ACL to the inside interface with a permit ip any any or
> > > > > > > > permit ospf any any and see what happens.
> > > > > > > >
> > > > > > > > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > > > > > > > Senior Technical Instructor - IPexpert, Inc.
> > > > > > > > "When Will You Be an IP Expert?"
> > > > > > > > marvin@ipexpert.com
> > > > > > > > http://www.IPexpert.com
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > > Behalf Of nem chua
> > > > > > > > Sent: Wednesday, April 11, 2007 9:08 PM
> > > > > > > > To: anthony.sequeira@thomson.com
> > > > > > > > Cc: Cisco certification
> > > > > > > > Subject: Re: OSPF over ASA transparent mode
> > > > > > > >
> > > > > > > > Hi, thank you everyone for responding to my email.
> > > > > > > >
> > > > > > > > Anthony, now this is interesting, each interface must be in a
> > > > > > > > separate vlan? So according to the drawing, I'm assuming each
> > > > > > > > interface on the external and internal 3750 has to be a separate
> > > > > > > > vlan???
> > > > > > > >
> > > > > > > > In ASA transparent mode, I thought the entire network should be
> > > > > > > > one vlan and one subnet because the firewall is like a bridge
> > > > > > > > between the 3750 outside and inside, why would I want to use a
> > > > > > > > separate vlan on each 3750 link?
> > > > > > > >
> > > > > > > > Everything else I tried. The MTUs are at the default 1500 bytes.
> > > > > > > > I created an access list and applied it to the external interface
> > > > > > > > to allow ip any to any, still no go. From the debugs it looks like
> > > > > > > > the inside switches see the hellos coming from the outside, and
> > > > > > > > have those neighbors in INIT state. However the external switch
> > > > > > > > does not see any hello coming from the internal switch.
> > > > > > > >
> > > > > > > > Thanks much.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 3750 external switch -----------vlan10----------------3750 external switch
> > > > > > > >          |                                                   |
> > > > > > > >       vlan 10                                             vlan 10
> > > > > > > >          |                                                   |
> > > > > > > > ASA firewall--------------Failover--------------- ASA Firewall
> > > > > > > >          |                                                   |
> > > > > > > >       vlan 10                                             vlan 10
> > > > > > > >          |                                                   |
> > > > > > > > 3750 internal switch--------------vlan 10----------------3750 internal switch
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com> wrote:
> > > > > > > > >
> > > > > > > > > Errr - I just realized I might have answered too quickly here
> > > > > > > > > and not read your original post closely enough....
> > > > > > > > >
> > > > > > > > > It sounds like you want OSPF traffic to pass THROUGH the
> > > > > > > > > Transparent Firewall. This should be permitted as long as your
> > > > > > > > > Extended ACL provides the appropriate permissions.
> > > > > > > > >
> > > > > > > > > So I would check your ACL carefully - and then check your
> > > > > > > > > guidelines on Transparent Firewalling:
> > > > > > > > >
> > > > > > > > > * Each directly connected network must be on the same subnet
> > > > > > > > > * A management IP address is required and must be on the same
> > > > > > > > >   subnet
> > > > > > > > > * Each interface must be a different VLAN interface
> > > > > > > > >
> > > > > > > > > Anthony J. Sequeira
> > > > > > > > > #15626
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > > > Behalf Of Sequeira, Anthony (NETg)
> > > > > > > > > Sent: Wednesday, April 11, 2007 5:35 PM
> > > > > > > > > To: nemthuduc@gmail.com ; ccielab@groupstudy.com
> > > > > > > > > Subject: RE: OSPF over ASA transparent mode
> > > > > > > > >
> > > > > > > > > The following features are not supported in Transparent
> > > > Mode:
> > > > > > > > >
> > > > > > > > > * DYNAMIC ROUTING PROTOCOLS
> > > > > > > > > * NAT
> > > > > > > > > * IPv6
> > > > > > > > > * DHCP Relay
> > > > > > > > > * QoS
> > > > > > > > > * Multicast
> > > > > > > > > * VPN Termination for Through Traffic
> > > > > > > > >
> > > > > > > > > Anthony J Sequeira
> > > > > > > > > #15626
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > > > Behalf Of nem chua
> > > > > > > > > Sent: Wednesday, April 11, 2007 4:55 PM
> > > > > > > > > To: Cisco certification
> > > > > > > > > Subject: OSPF over ASA transparent mode
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > Has anyone run this before? When I had the ASA firewall run
> > > > > > > > > OSPF it worked fine. I tried running the ASA firewall in
> > > > > > > > > transparent mode, access-list wide open for ip any any, and
> > > > > > > > > ospf any any. All traffic passes fine, but OSPF will not form
> > > > > > > > > an adjacency and is stuck in INIT state. If I plug the router
> > > > > > > > > on each end directly, bypassing the firewall, it works fine.
> > > > > > > > > Any idea?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > _______________________________________________________________________
> > > > > > > > > Subscription information may be found at:
> > > > > > > > > http://www.groupstudy.com/list/CCIELab.html
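An added worked example of the fix nem chua reports at the top of the thread (point-to-multipoint non-broadcast), written out for the addresses posted in it. This is editor-supplied configuration, not the poster's final config, which is not on the page. With `ip ospf network point-to-multipoint non-broadcast` on both SVIs and a `neighbor` statement under `router ospf` on each switch, hellos go as unicast to the listed peer instead of to 224.0.0.5, so the adjacency no longer depends on the ASA forwarding multicast between slots. OSPF is IP protocol 89 and is still subject to the ACL, so the ASA must permit it inbound on both interfaces; the ACL below is narrowed from the thread's `permit ip any any` to the two SVI addresses, and the real data-plane permits would sit next to it. Assumptions not on the page: the outside and inside ports are Gig0/0 and Gig0/1 (the same-slot workaround), `KEY-PLACEHOLDER` stands in for a real MD5 key, and the second external 3750 in the diagram, whose address is not posted, would need its own `neighbor` line on each peer and its own ACL entries. Hello and dead timers must match on both ends of the unicast pair; `show ip ospf neighbor` on either switch should show the peer in FULL, and `show ip ospf interface vlan 10` should report the point-to-multipoint non-broadcast network type. One caveat on the posted Vlan30 config: a type 7 key string is reversible, so a key that has been pasted to a public list should be rotated.

```cisco
! ===== 3750 external switch (router-id 172.16.249.28) =====
interface Vlan10
 ip address 172.16.249.6 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ! unicast hellos to the peers listed under "router ospf"
 ip ospf network point-to-multipoint non-broadcast
 ! timers must match the peer (defaults for this type are 30/120)
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ! placeholder key, not from the thread; set the same key on the peer
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 KEY-PLACEHOLDER
!
router ospf 1
 router-id 172.16.249.28
 log-adjacency-changes
 passive-interface default
 no passive-interface Vlan10
 no passive-interface Vlan30
 network 172.16.249.0 0.0.0.255 area 0
 ! unicast hello target on the far side of the ASA (internal 3750, Vlan44);
 ! other router ospf settings from the posted config stay as they were
 neighbor 172.16.249.7
!
! ===== 3750 internal switch (router-id 172.16.249.25) =====
interface Vlan44
 ip address 172.16.249.7 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip ospf network point-to-multipoint non-broadcast
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 KEY-PLACEHOLDER
!
router ospf 1
 router-id 172.16.249.25
 log-adjacency-changes
 redistribute connected subnets
 network 10.254.0.0 0.0.255.255 area 0
 network 172.16.249.0 0.0.0.255 area 0
 ! unicast hello target on the far side of the ASA (external 3750, Vlan10)
 neighbor 172.16.249.6
!
! ===== ASA, transparent mode, 7.x syntax as used in the thread =====
firewall transparent
! assumed port assignment: both interfaces in slot 0 (the poster's workaround)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
! management address on the bridged subnet; required in transparent mode
ip address 172.16.249.1 255.255.255.240 standby 172.16.249.2
! only OSPF (IP protocol 89) between the two SVIs instead of "permit ip any any"
access-list ospf-out extended permit ospf host 172.16.249.6 host 172.16.249.7
access-list ospf-in extended permit ospf host 172.16.249.7 host 172.16.249.6
! if the SVIs are left on the broadcast network type, the lists also need
! 224.0.0.5 and 224.0.0.6 as destinations; not needed for unicast hellos
access-group ospf-out in interface outside
access-group ospf-in in interface inside
```

The `neighbor` statements are what make the difference: on a non-broadcast network type IOS sends hellos only to configured neighbors, and a router that receives a unicast hello replies to its source, so configuring the statement on both sides keeps the adjacency from depending on which switch boots first. If the ACL counters on the ASA show hits on `ospf-in` but none on `ospf-out`, the problem is back on the forwarding path rather than in OSPF, which is the same one-way symptom the thread started with.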



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART