Solved

Cisco ASA 5500 OSPF Default Route Injection with Route Map

Posted on 2010-08-21
Last Modified: 2012-05-10
Hi,
I am trying to distribute a default route from a Cisco ASA 5500 based on route maps matching an IP address. From my understanding, as long as there is a match in the routing table, a default route would be given out; however, I am not able to see it. I have attached a portion of the running configuration of the Cisco ASA and the show ip route outputs:

Switch 1 (Connected to the Outside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.36.0 is directly connected, Loopback0
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
O E1    172.30.20.252/30 [110/11] via 172.30.32.17, 2d00h, Vlan66
C       172.30.32.16/29 is directly connected, Vlan66
O E1    172.30.32.8/29 [110/12] via 172.30.32.17, 00:03:13, Vlan66
Switch#sh ip osp
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.32.17      1   FULL/BDR        00:00:35    172.30.32.17    Vlan66


Switch 2 (Connected to the Inside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
O E1    172.17.36.0 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.30.20.252/30 is directly connected, Vlan66
O E1    172.30.32.16/29 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
C       172.30.32.8/29 is directly connected, Vlan100
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.20.253     1   FULL/BDR        00:00:31    172.30.20.253   Vlan66


ASA (Show Route)

ITE-CW-ASA01# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C    172.30.20.252 255.255.255.252 is directly connected, Inside
C    172.30.32.16 255.255.255.248 is directly connected, Outside
O    172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside


ASA Partial Running Configuration:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.30.32.17 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 172.30.20.253 255.255.255.252

access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
access-list 101 extended permit ip any any

access-group 101 in interface Outside
!
route-map Internet permit 10
 match ip address 1
 set metric 500
 set metric-type type-1
!
route-map CE_Internet permit 10
 match ip address 2
 set metric 350
 set metric-type type-1
!
!
router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate route-map Internet
!

I am not sure of the reason the ASA is not able to inject the default routes into the switches. I would appreciate it if anyone could point out what else might be the issue.

Thanks.
Question by:cwtang
Expert Comment

by:rfc1180
ID: 33491749
I am not sure what it is you are trying to accomplish; I believe you want some type of redundancy for your Internet connections. Not sure why you are using 2 OSPF processes; there is really no need for that for what I think you are trying to accomplish (but then again, you have no questions related to this, so I am assuming you have a reason for the different process IDs for OSPF).

>I am not sure for the reason the ASA is not able to inject the default routes to the switch
It is because you do not have a default route in your routing table (at least that might be the case, if you are only showing us what you want us to see). If there is no default in the routing table of the ASA and you want the ASA to advertise the default regardless of whether the default is in the table or not, then you should add always:

default-information originate

router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate always route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate always route-map Internet

Billy
Author Comment

by:cwtang
ID: 33493985
Hi,
You are correct that I do want to create redundancy. I tried to make use of the "always" command earlier; however, I was not able to get the default routes injected into the switch either. However, if I were to remove the route maps and use "always", the default routes would be injected into the switch.

The reason for the route maps would be to create redundancy and remove the default routes if the requirement is not met. I am not sure if the access list is created correctly to match the route map.

Thanks.


Expert Comment

by:rfc1180
ID: 33494126
Yeah dude, I must be tired. There is something wrong with the ACLs:


access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248

They should be:


access-list 2 standard permit 172.17.36.0 0.0.0.255
access-list 1 standard permit 172.30.32.16 0.0.0.7

Billy
Author Comment

by:cwtang
ID: 33494173
Hi,
Not sure if you are aware that the access-list is being applied on a Cisco ASA and not a Cisco router. I do believe that the ASA does not use wildcard masks like IOS routers/switches.
Accepted Solution

by: rfc1180 earned 500 total points
ID: 33494219
Yup, that is right; they would be subnet masks. At any rate, I cannot honestly tell you why it is not working with the route-map. I just checked it in a lab and it works fine with your configs, with the exception of the ACL; I just forgot that you had an ASA.

Maybe you are running into a bug; as I said, your config works in a lab with 1 router and 2 switches.


Billy
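As an added example (not from the thread, Cisco, or the lab mentioned above), the following Python check models the behaviour the thread expects from `default-information originate route-map` on the ASA: it parses the standard ACLs, route-maps and OSPF processes from the config, parses the `show route` output, reports per process whether a default would be originated (always, a default already in the table, or a table prefix the route-map's ACL permits), and flags any ACL entry written with an IOS wildcard mask instead of the subnet mask the ASA expects. The sample config and route lines are copied from the question and trimmed; the route-map parser assumes `match ip address` is the first line of each sequence. It cannot reproduce the bug TAC confirmed; it only shows that, on paper, both route-maps do match a route in the table.

```python
import ipaddress
import re
# Constructed sample: the ACL, route-map and OSPF lines of the thread's ASA config and its 'show route' entries.
ASA_CONFIG = """\
access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
route-map Internet permit 10
 match ip address 1
route-map CE_Internet permit 10
 match ip address 2
router ospf 99
 default-information originate route-map CE_Internet
router ospf 100
 default-information originate route-map Internet
"""
SHOW_ROUTE = """\
O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C    172.30.20.252 255.255.255.252 is directly connected, Inside
C    172.30.32.16 255.255.255.248 is directly connected, Outside
O    172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside
"""
QUAD = r"(\d+\.\d+\.\d+\.\d+)"

def parse_acls(cfg):
    # ACL name -> permitted networks; an entry written with an IOS wildcard mask is flagged and skipped
    acls, warnings = {}, []
    for name, net, mask in re.findall(rf"access-list (\S+) standard permit {QUAD} {QUAD}", cfg):
        inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF  # ASA wants a subnet mask: ones then zeros
        if inv & (inv + 1) == 0:  # a wildcard such as 0.0.0.7 (zeros then ones) fails this test
            acls.setdefault(name, []).append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        else:
            warnings.append(f"access-list {name}: {mask} is an IOS wildcard, ASA expects a subnet mask")
    return acls, warnings

def default_origination(cfg=ASA_CONFIG, show_route=SHOW_ROUTE):
    # Per OSPF process: is 0.0.0.0/0 advertised under the semantics the thread expects, i.e.
    # 'always', a default already in the table, or a table prefix permitted by the route-map's ACL?
    acls, warnings = parse_acls(cfg)
    # route-map name -> ACL names (assumes 'match ip address' is the first line of each sequence)
    maps = {n: a.split() for n, a in re.findall(r"route-map (\S+) permit \d+\n match ip address (.+)", cfg)}
    table = [ipaddress.ip_network(f"{n}/{m}") for n, m in re.findall(rf"{QUAD} {QUAD}", show_route)]
    verdict = {}
    for proc, opts in re.findall(r"router ospf (\d+)\n(?: .*\n)*? default-information originate(.*)", cfg):
        opts = opts.split()
        rmap = opts[opts.index("route-map") + 1] if "route-map" in opts else None
        permitted = [n for acl in maps.get(rmap, []) for n in acls.get(acl, [])]
        matched = [str(r) for r in table if any(r.network_address in n for n in permitted)]
        originates = "always" in opts or bool(matched) or (rmap is None and any(r.prefixlen == 0 for r in table))
        verdict[proc] = {"originates": originates, "matched": matched}
    return verdict, warnings
```

Running it on the thread's config reports both processes as originating (each route-map's ACL matches one prefix in the table); rewriting the ACLs with wildcard masks as first suggested makes the check flag them and drop the match instead.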
Author Closing Comment

by:cwtang
ID: 33611868
Hi,
I have created a TAC case and Cisco has confirmed that the feature is broken.
Thanks for the assistance.