when the ASA is not there the tunnel int shows a neighbor?
seems that the ospf adj should be over the tunnel, and the ASA will pass
everything that goes through the tunnel
what is the neighbor that comes up without the ASA in the front or middle of
the adj I assume would be the case
can you show the show ip ospf int br and show ip ospf neigh before and
after?
I am just not seeing how the ASA comes into play if the ospf is really going
over the tunnel
--
Garry L. Baker

"There is no 'patch' for stupidity." - www.sqlsecurity.com

On Sun, Oct 17, 2010 at 1:44 PM, sameer inam <i_sameer_at_hotmail.com> wrote:

> yes ospf on GRE tunnel interface, problem is there is no OSPF activity on
> router after deploying the ASA, if I removed the ASA in front of the router
> then OSPF comes up. please see below the configuration of router
>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cxxxx.xxx address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
> !
> crypto ipsec profile CISCO
>  set transform-set dmvpnset
> !
> !
> !
> !
> interface Loopback1
>  ip address 10.0.255.3 255.255.255.255
>  load-interval 30
> !
> interface Tunnel1
>  description
>  ip address 192.168.xxx.xx 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication dmvpn
>  ip nhrp map multicast dynamic
>  ip nhrp map multicast 193.xxx.xxx.xx
>  ip nhrp map 192.168.xxx.xx 193.xx.xxx.xx
>  ip nhrp network-id 99
>  ip nhrp holdtime 300
>  ip nhrp nhs 192.168.253.1
>  no ip route-cache cef
>  ip route-cache flow
>  ip tcp adjust-mss 1360
>  ip ospf network broadcast
>  ip ospf hello-interval 30
>  ip ospf priority 0
>  load-interval 30
>  qos pre-classify
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 100000
>  tunnel path-mtu-discovery
>  tunnel protection ipsec profile CISCO
>  service-policy output BRANCH-LAN
> !
> interface FastEthernet0/0
>  description
>  ip address xx.xx.xx.xx 255.255.x.xxx
>  ip nbar protocol-discovery
>  ip flow ingress
>  ip flow egress
>  ip nat outside
>  ip virtual-reassembly
>  ip route-cache flow
>  load-interval 30
>  duplex auto
>  speed auto
> interface FastEthernet0/1
>  ip address 10.0.xx.xx 255.255.255.0
>  ip nbar protocol-discovery
>  ip flow ingress
>  ip flow egress
>  ip nat inside
>  ip virtual-reassembly max-reassemblies 30
>  ip route-cache flow
>  load-interval 30
>  duplex auto
>  speed auto
> router ospf 1
>  router-id 10.0.255.3
>  log-adjacency-changes
>  area 108 nssa no-summary
>  network 10.0.xx.xx. 0.0.0.0 area 108
>  network 10.0.xxx.xx 0.0.0.0 area 108
>  network 192.168.xx.xx 0.0.0.0 area 108
>
> ------------------------------
> Date: Sun, 17 Oct 2010 13:21:14 -0500
> Subject: Re: ASA FW blocking OSPF packet
> From: baker.garry_at_gmail.com
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> will need to see more about your configs and/or simple diagram maybe, do
> you have ospf on the tunnel interface?
>
> if so what is the neighbor state?
>
> do you have connectivity to the ospf neighbor/neighbors?
>
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
> On Sun, Oct 17, 2010 at 1:03 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
>
> running OSPF over the dmvpn ipsec tunnel.
>
> ------------------------------
> Date: Sun, 17 Oct 2010 11:06:26 -0500
> Subject: Re: ASA FW blocking OSPF packet
> From: baker.garry_at_gmail.com
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> are you trying to peer with the cisco router as an ospf adj or run ospf
> over the dmvpn ipsec tunnel?
>
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
> On Sun, Oct 17, 2010 at 10:55 AM, sameer inam <i_sameer_at_hotmail.com> wrote:
>
> Hello Expert,
>
> I'm trying to install ASA 5505 facing ISP using /30 ip subnet and inside
> port connected to Cisco router with public /29 IP subnet. On router we have
> configured DMVPN. issue is IPsec works fine but OSPF on cisco router is not
> up after installing the ASA, do you guys have any idea how I can fix this
> issue?
>
> Note: There is nothing configured on ASA, it's just having two public IP
> addresses, /30 and /29
>
> Kind regards,
>
> Sameer
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Oct 17 2010 - 16:31:32 ART