cwtang
asked on
Cisco ASA 5500 OSPF Default Route Injection with Route Map
Hi,
I am trying to distribute a default route from a Cisco ASA 5500 based on route maps matching an IP address. From my understanding, as long as there is a match in the routing table, a default route would be given out; however, I am not able to see it. I have attached a portion of the running configuration of the Cisco ASA and the show ip route output:
Switch 1 (Connected to the Outside Interface of the ASA)
Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.17.0.0/24 is subnetted, 1 subnets
C 172.17.36.0 is directly connected, Loopback0
172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
O E1 172.30.20.252/30 [110/11] via 172.30.32.17, 2d00h, Vlan66
C 172.30.32.16/29 is directly connected, Vlan66
O E1 172.30.32.8/29 [110/12] via 172.30.32.17, 00:03:13, Vlan66
Switch#sh ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address         Interface
172.30.32.17 1 FULL/BDR 00:00:35 172.30.32.17 Vlan66
Switch 2 (Connected to the Inside Interface of the ASA)
Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.17.0.0/24 is subnetted, 1 subnets
O E1 172.17.36.0 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.30.20.252/30 is directly connected, Vlan66
O E1 172.30.32.16/29 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
C 172.30.32.8/29 is directly connected, Vlan100
Switch#sh ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address         Interface
172.30.20.253 1 FULL/BDR 00:00:31 172.30.20.253 Vlan66
ASA (Show Route)
ITE-CW-ASA01# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C 172.30.20.252 255.255.255.252 is directly connected, Inside
C 172.30.32.16 255.255.255.248 is directly connected, Outside
O 172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside
ASA Partial Running Configuration:
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.30.32.17 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
nameif Inside
security-level 100
ip address 172.30.20.253 255.255.255.252
access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
access-list 101 extended permit ip any any
access-group 101 in interface Outside
!
route-map Internet permit 10
match ip address 1
set metric 500
set metric-type type-1
!
route-map CE_Internet permit 10
match ip address 2
set metric 350
set metric-type type-1
!
!
router ospf 99
router-id 172.20.254.6
network 172.20.254.0 255.255.255.248 area 0
log-adj-changes
redistribute connected metric-type 1 subnets
redistribute ospf 100 metric 1000 metric-type 1 subnets
default-information originate route-map CE_Internet
!
router ospf 100
router-id 172.30.32.9
network 172.30.32.8 255.255.255.248 area 0
log-adj-changes
redistribute connected subnets
default-information originate route-map Internet
!
I am not sure of the reason the ASA is not able to inject the default routes into the switch. I would appreciate it if anyone could point out what else might be the issue.
Thanks.
ASKER
Hi,
You are correct that I do want to create redundancy. I have tried to make use of the "always" command earlier; however, I am not able to get the default routes injected into the switch either. However, if I were to remove the route maps and use "always", the default routes would be injected into the switch.
The reason for the route maps would be to create redundancy and remove the default routes if the requirement is not met. Not sure if the access list is created correctly to match the route map.
Thanks.
Yeah dude, I must be tired. There is something wrong with the ACLs:
access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
They should be:
access-list 2 standard permit 172.17.36.0 0.0.0.255
access-list 1 standard permit 172.30.32.16 0.0.0.7
Billy
ASKER
Hi,
Not sure if you are aware that the access-list is being applied on a Cisco ASA and not a Cisco router. I do believe that the ASA does not use wildcard masks like IOS routers/switches.
ASKER
Hi,
I have created a tac case and cisco has confirmed that the feature is broken.
Thanks for the assistance.
>I am not sure for the reason the ASA is not able to inject the default routes to the switch
It is because you do not have a default route in your routing table (at least it might be, if you are only showing us what you want us to see). If there is no default route in the routing table of the ASA and you want the ASA to advertise the default regardless of whether the default is in the table or not, then you should add the "always" keyword to default-information originate:
router ospf 99
router-id 172.20.254.6
network 172.20.254.0 255.255.255.248 area 0
log-adj-changes
redistribute connected metric-type 1 subnets
redistribute ospf 100 metric 1000 metric-type 1 subnets
default-information originate always route-map CE_Internet
!
router ospf 100
router-id 172.30.32.9
network 172.30.32.8 255.255.255.248 area 0
log-adj-changes
redistribute connected subnets
default-information originate always route-map Internet
Billy
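The two points this thread turns on, the conditional behaviour of default-information originate with a route-map and the difference between ASA subnet-mask and IOS wildcard-mask syntax in a standard ACL, can be modelled in a few lines. The following is an added example written for this page; it is not code from the original post, from the answers, or from Cisco. It copies the routing table and the two ACL lines from the ASA output above and assumes the usual IOS semantics: a standard ACL referenced by "match ip address" tests only a route's network address (the prefix length is not examined), and "default-information originate route-map X" without "always" originates 0.0.0.0/0 only when at least one route in the local table is permitted by the route-map. It does not attempt to reproduce the platform defect the asker's TAC case reported; it only shows what the configuration should select if the feature worked as documented, and how the same ACL text means something different when read as a wildcard.

```python
"""Model of Cisco conditional default-route origination and of the two
standard-ACL mask dialects (ASA subnet mask vs IOS wildcard mask).

Added example for this thread, not code from the original post or from
Cisco. Routing table and ACL lines are copied from the ASA output in the
question; matching semantics are the assumed IOS ones described in the
lead-in (standard ACL compares the network address only).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Routes from the ASA's `show route` in the question.
ASA_ROUTING_TABLE = [
    "172.17.36.0/24",    # O IA via Outside
    "172.30.20.252/30",  # C, Inside
    "172.30.32.16/29",   # C, Outside
    "172.30.32.8/29",    # O via Inside
]

# ACL lines exactly as they appear in the ASA running configuration.
ACL_1 = "access-list 1 standard permit 172.30.32.16 255.255.255.248"
ACL_2 = "access-list 2 standard permit 172.17.36.0 255.255.255.0"

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class StandardAce:
    """One permit entry of a standard ACL, normalised to wildcard form."""
    network: int    # address bits that must match
    wildcard: int   # 1 bits are "don't care"


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_standard_acl(line: str, dialect: str) -> StandardAce:
    """Parse `access-list <id> standard permit <addr> <mask>`.

    dialect="asa": <mask> is a subnet mask   (255.255.255.248)
    dialect="ios": <mask> is a wildcard mask (0.0.0.7)
    The same text therefore parses to different ACEs in the two dialects.
    """
    parts = line.split()
    if len(parts) != 6 or parts[0] != "access-list" or parts[2:4] != ["standard", "permit"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    addr, mask = _ip(parts[4]), _ip(parts[5])
    if dialect == "asa":
        wildcard = ~mask & ALL_ONES      # invert the subnet mask to get a wildcard
    elif dialect == "ios":
        wildcard = mask                  # already a wildcard
    else:
        raise ValueError(f"unknown dialect {dialect!r}")
    return StandardAce(network=addr & ~wildcard & ALL_ONES, wildcard=wildcard)


def to_ios_wildcard(asa_mask: str) -> str:
    """Convert an ASA subnet mask to the equivalent IOS wildcard mask."""
    return str(ipaddress.IPv4Address(~_ip(asa_mask) & ALL_ONES))


def ace_permits(ace: StandardAce, prefix: str) -> bool:
    """Standard-ACL match as used by `match ip address`: compare only the
    route's network address; the prefix length is not examined."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return (int(net.network_address) & ~ace.wildcard & ALL_ONES) == ace.network


def matched_routes(acl_line: str, dialect: str, table: list[str]) -> list[str]:
    """Routes in `table` permitted by the ACL line read in the given dialect."""
    ace = parse_standard_acl(acl_line, dialect)
    return [p for p in table if ace_permits(ace, p)]


def originates_default(acl_line: str, dialect: str, table: list[str]) -> bool:
    """`default-information originate route-map X` with a single
    `match ip address <acl>` clause and no `always`: the default route is
    originated only if some route in the table is permitted."""
    return bool(matched_routes(acl_line, dialect, table))


if __name__ == "__main__":
    for acl in (ACL_1, ACL_2):
        print(acl)
        print("  read as ASA subnet mask:", matched_routes(acl, "asa", ASA_ROUTING_TABLE))
        print("  read as IOS wildcard:   ", matched_routes(acl, "ios", ASA_ROUTING_TABLE))
        print("  originate default (ASA):", originates_default(acl, "asa", ASA_ROUTING_TABLE))
```

Run against the routing table from the question, both ACLs match exactly one route when read as ASA subnet masks (172.30.32.16/29 and 172.17.36.0/24), so the model says both route-maps should be satisfied and both OSPF processes should originate a default, which is what the asker expected. Reading ACL 1 as an IOS wildcard instead makes it permit three of the four routes, including 172.30.32.8/29 on the Inside side: the wildcard-vs-mask confusion does not make the match fail, it makes it over-match, which for a conditional default route means the default survives after the route it was supposed to track has gone.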