Re: ASA FW blocking OSPF packet

i assume this is the config for the spoke router ?
i noticed ip nhrp map multicast dynamic and ip nhrp map multicast
193.xxx.xxx.xx .

The former is meant to be on the hub and the latter should be on the
spoke , i havent tried both of them together , i dont know if this is
deliberate , if it is can you explain the logic behind using them
together .

I think that may just be the issue.

On 10/17/10, sameer inam <i_sameer_at_hotmail.com> wrote:
> yes ospf on GRE tunnel interface , problem is there no Ospf activity on
> router after depoying the ASA , if I removed the ASA font of the router then
> OSPF bring up . please see belwo the configuration of router
>
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cxxxx.xxx address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
> !
> crypto ipsec profile CISCO
> set transform-set dmvpnset
> !
> !
> !
> !
> interface Loopback1
> ip address 10.0.255.3 255.255.255.255
> load-interval 30
> !
> interface Tunnel1
> description
> ip address 192.168.xxx.xx 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication dmvpn
> ip nhrp map multicast dynamic
> ip nhrp map multicast 193.xxx.xxx.xx
> ip nhrp map 192.168.xxx.xx 193.xx.xxx.xx
> ip nhrp network-id 99
> ip nhrp holdtime 300
> ip nhrp nhs 192.168.253.1
> no ip route-cache cef
> ip route-cache flow
> ip tcp adjust-mss 1360
> ip ospf network broadcast
> ip ospf hello-interval 30
> ip ospf priority 0
> load-interval 30
> qos pre-classify
> tunnel source FastEthernet0/0
> tunnel mode gre multipoint
> tunnel key 100000
> tunnel path-mtu-discovery
> tunnel protection ipsec profile CISCO
> service-policy output BRANCH-LAN
> !
> interface FastEthernet0/0
> description
> ip address xx.xx.xx.xx 255.255.x.xxx
> ip nbar protocol-discovery
>
> ip flow ingress
> ip flow egress
> ip nat outside
> ip virtual-reassembly
> ip route-cache flow
> load-interval 30
> duplex auto
> speed auto
> nterface FastEthernet0/1
> ip address 10.0.xx.xx 255.255.255.0
> ip nbar protocol-discovery
> ip flow ingress
> ip flow egress
> ip nat inside
> ip virtual-reassembly max-reassemblies 30
> ip route-cache flow
> load-interval 30
> duplex auto
> speed auto
> outer ospf 1
> router-id 10.0.255.3
> log-adjacency-changes
> area 108 nssa no-summary
> network 10.0.xx.xx. 0.0.0.0 area 108
> network 10.0.xxx.xx 0.0.0.0 area 108
> network 192.168.xx.xx 0.0.0.0 area 108
>
>
>
>
>
>
>
>
>
> Date: Sun, 17 Oct 2010 13:21:14 -0500
> Subject: Re: ASA FW blocking OSPF packet
> From: baker.garry_at_gmail.com
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> will need to see more about your configs and/or simple diagram maybe, do you
> have ospf on the tunnel interface?
>
> if so what is the neighbor state?
>
> do you have connectivity to the ospf neighbor/neighbors?
>
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
>
>
> On Sun, Oct 17, 2010 at 1:03 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
>
>
> running OPSF over the dmvpn ipsec tunnel.
>
>
>
>
>
>
>
>
>
>
>
> Date: Sun, 17 Oct 2010 11:06:26 -0500
> Subject: Re: ASA FW blocking OSPF packet
> From: baker.garry_at_gmail.com
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
>
>
>
> are you trying to peer with the cisco router as an ospf adj or run ospf over
> the dmvpn ipsec tunnel?
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
>
>
> On Sun, Oct 17, 2010 at 10:55 AM, sameer inam <i_sameer_at_hotmail.com> wrote:
>
> Hello Expert,
>
> I m trying to install ASA 5505 facing ISP using /30 ip subnet and inside
> port
> connected to Cisco router with public /29 IP subnet . On router we have
> configured DMVPN . issue is Ipsec works Fine but OSPF on cisco router is
> not
> up after installing the ASA , do you guys have any idea how I can fix this
> issue ?
>
>
> Note : There is noting configured on ASA its just having two public IP
> addreses. /30 and /29
>
> kInd regards,
>
> Sameer
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Sun Oct 17 2010 - 22:15:22 ART