Solved

Cisco ASA 5500 OSPF Default Route Injection with Route Map

Posted on 2010-08-21
Last Modified: 2012-05-10
Hi,
I am trying to distribute a default route from a Cisco ASA 5500 based on route maps matching IP addresses. From my understanding, as long as there is a match in the routing table, a default route would be given out; however, I am not able to see it. I have attached a portion of the running configuration of the Cisco ASA and the show ip route output:

Switch 1 (Connected to the Outside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.36.0 is directly connected, Loopback0
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
O E1    172.30.20.252/30 [110/11] via 172.30.32.17, 2d00h, Vlan66
C       172.30.32.16/29 is directly connected, Vlan66
O E1    172.30.32.8/29 [110/12] via 172.30.32.17, 00:03:13, Vlan66
Switch#sh ip osp
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.32.17      1   FULL/BDR        00:00:35    172.30.32.17    Vlan66


Switch 2 (Connected to the Inside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
O E1    172.17.36.0 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.30.20.252/30 is directly connected, Vlan66
O E1    172.30.32.16/29 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
C       172.30.32.8/29 is directly connected, Vlan100
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.20.253     1   FULL/BDR        00:00:31    172.30.20.253   Vlan66


ASA (Show Route)

ITE-CW-ASA01# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C    172.30.20.252 255.255.255.252 is directly connected, Inside
C    172.30.32.16 255.255.255.248 is directly connected, Outside
O    172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside


ASA Partial Running Configuration:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.30.32.17 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 172.30.20.253 255.255.255.252

access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
access-list 101 extended permit ip any any

access-group 101 in interface Outside
!
route-map Internet permit 10
 match ip address 1
 set metric 500
 set metric-type type-1
!
route-map CE_Internet permit 10
 match ip address 2
 set metric 350
 set metric-type type-1
!
!
router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate route-map Internet
!

I am not sure of the reason the ASA is not able to inject the default routes to the switch. I would appreciate it if anyone could point out what else might be the issue.

Thanks.
Question by: cwtang

6 Comments

Expert Comment by: rfc1180
I am not sure what it is you are trying to accomplish; I believe you want some type of redundancy for your Internet connections. Not sure why you are using 2 OSPF processes, really no need for what I think you are trying to accomplish (but then again, you have no questions related to this, so I am assuming you have a reason for the different process IDs for OSPF).

>I am not sure for the reason the ASA is not able to inject the default routes to the switch
It is because you do not have a default route in your routing table (at least it might be if you are only showing us what you want us to see). If there is no default in the routing table of the ASA and you want the ASA to advertise the default regardless of whether the default is in the table or not, then you should add always:

default-information originate

router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate always route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate always route-map Internet

Billy

Author Comment by: cwtang
Hi,
You are correct that I do want to create redundancy. I have tried to make use of the "always" command earlier; however, I am not able to get the default routes injected into the switch either. However, if I were to remove the route maps and use "always", the default routes would be injected into the switch.

The reason for the route maps would be to create redundancy and remove the default routes if the requirement is not met. Not sure if the access list is created correctly to match the route map.

Thanks.



Expert Comment by: rfc1180
Yeah dude, I must be tired. There is something wrong with the ACLs:


access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248

They should be:


access-list 2 standard permit 172.17.36.0 0.0.0.255
access-list 1 standard permit 172.30.32.16 0.0.0.7

Billy

Author Comment by: cwtang
Hi,
Not sure if you are aware that the access-list is being applied on a Cisco ASA and not a Cisco router. I do believe that the ASA does not use wildcards like IOS routers/switches.

Accepted Solution by: rfc1180 (earned 500 total points)
Yup, that is right; they would be subnet masks. At any rate, I cannot honestly tell you why it is not working with the route-map. I just checked it in a lab and it works fine with your configs, with the exception of the ACL; I just forgot that you had an ASA.

Maybe you are running into a bug; as I said, your config works in a lab with 1 router and 2 switches.


Billy

Author Closing Comment by: cwtang
Hi,
I have created a TAC case and Cisco has confirmed that the feature is broken.
Thanks for the assistance.
0
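The behaviour the question expects from "default-information originate route-map X", modelled as an added Python example (not ASA code and not from anyone in the thread): it parses the ASA "show route" lines and the two standard ACLs from the question, tests each route-map's match clause against the table, and shows the IOS-wildcard-to-ASA-mask conversion from the later exchange. It assumes a standard ACL in a route-map compares only the route's network address against the masked ACL entry; the sample inputs are constructed from the question's output.

```python
import ipaddress

# Constructed sample: the ASA "show route" lines from the question, joined onto single lines.
SHOW_ROUTE = """\
O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C    172.30.20.252 255.255.255.252 is directly connected, Inside
C    172.30.32.16 255.255.255.248 is directly connected, Outside
O    172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside
"""
# The standard ACLs from the question, in ASA syntax (network + subnet mask, not a wildcard).
ACLS = """\
access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
"""
ROUTE_MAPS = {"Internet": "1", "CE_Internet": "2"}  # route-map name -> ACL in its match clause

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_to_mask(wildcard):
    """Convert an IOS wildcard (0.0.0.7) to the ASA subnet-mask form (255.255.255.248)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip2int(wildcard)))

def parse_routes(show_route):
    """Return (network, mask) per 'show route' line; the route code may be one or two tokens."""
    routes = []
    for line in show_route.splitlines():
        toks = line.split()
        for i, tok in enumerate(toks[:-1]):
            try:
                ipaddress.IPv4Address(tok)       # first token that is an address is the network
            except ValueError:
                continue
            routes.append((tok, toks[i + 1]))  # the token after it is the ASA-style mask
            break
    return routes

def parse_acls(acl_text):
    """Return {acl_id: [(network, mask), ...]} for 'access-list N standard permit' entries."""
    acls = {}
    for line in acl_text.splitlines():
        toks = line.split()
        if len(toks) >= 6 and toks[0] == "access-list" and toks[2:4] == ["standard", "permit"]:
            acls.setdefault(toks[1], []).append((toks[4], toks[5]))
    return acls

def acl_permits(entries, network):
    """Standard ACL test on the route's network address: only bits set in the mask are compared."""
    return any(ip2int(network) & ip2int(m) == ip2int(n) & ip2int(m) for n, m in entries)

def default_originated(route_map, routes, acls, always=False):
    """True if a 0.0.0.0/0 LSA is expected: some route satisfies the route-map, or 'always' is set."""
    entries = acls.get(ROUTE_MAPS[route_map], [])
    return always or any(acl_permits(entries, net) for net, _mask in routes)
```

With the question's table both route-maps match (172.30.32.16/29 for Internet, 172.17.36.0/24 for CE_Internet), so a default should have been originated from each process; with an empty table only the "always" form originates one.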