Solved

Cisco ASA 5500 OSPF Default Route Injection with Route Map

Posted on 2010-08-21
Last Modified: 2012-05-10
Hi,
I am trying to distribute a default route from a Cisco ASA 5500 based on route maps matching IP address. From my understanding, as long as there is a match in the routing table, a default route would be given out; however, I am not able to see it. I have attached a portion of the running configuration of the Cisco ASA and the show ip route outputs:

Switch 1 (Connected to the Outside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.36.0 is directly connected, Loopback0
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
O E1    172.30.20.252/30 [110/11] via 172.30.32.17, 2d00h, Vlan66
C       172.30.32.16/29 is directly connected, Vlan66
O E1    172.30.32.8/29 [110/12] via 172.30.32.17, 00:03:13, Vlan66
Switch#sh ip osp
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.32.17      1   FULL/BDR        00:00:35    172.30.32.17    Vlan66


Switch 2 (Connected to the Inside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
O E1    172.17.36.0 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.30.20.252/30 is directly connected, Vlan66
O E1    172.30.32.16/29 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
C       172.30.32.8/29 is directly connected, Vlan100
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.20.253     1   FULL/BDR        00:00:31    172.30.20.253   Vlan66


ASA (Show Route)

ITE-CW-ASA01# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C    172.30.20.252 255.255.255.252 is directly connected, Inside
C    172.30.32.16 255.255.255.248 is directly connected, Outside
O    172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside


ASA Partial Running Configuration:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.30.32.17 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 172.30.20.253 255.255.255.252

access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
access-list 101 extended permit ip any any

access-group 101 in interface Outside
!
route-map Internet permit 10
 match ip address 1
 set metric 500
 set metric-type type-1
!
route-map CE_Internet permit 10
 match ip address 2
 set metric 350
 set metric-type type-1
!
!
router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate route-map Internet
!

I am not sure of the reason the ASA is not able to inject the default routes to the switch. I would appreciate it if anyone could point out what else might be the issue.

Thanks.
Question by:cwtang

Expert Comment

by:rfc1180
ID: 33491749
I am not sure what it is you are trying to accomplish. I believe you want some type of redundancy for your Internet connections. Not sure why you are using 2 OSPF processes; there is really no need for that for what I think you are trying to accomplish (but then again, you have no questions related to this, so I am assuming you have a reason for the different process IDs for OSPF).

>I am not sure for the reason the ASA is not able to inject the default routes to the switch
It is because you do not have a default route in your routing table (at least it might be, if you are only showing us what you want us to see). If there is no default in the routing table of the ASA and you want the ASA to advertise the default regardless of whether the default is in the table or not, then you should add always:

default-information originate

router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate always route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate always route-map Internet

Billy

Author Comment

by:cwtang
ID: 33493985
Hi,
You are correct that I do want to create redundancy. I have tried to make use of the "always" command earlier; however, I am not able to get the default routes injected into the switch either. However, if I were to remove the route maps and use "always", the default routes would be injected into the switch.

The reason for the route maps would be to create redundancy and remove the default routes if the requirement is not met. I am not sure if the access list is created correctly to match the route map.

Thanks.



Expert Comment

by:rfc1180
ID: 33494126
Yeah dude, I must be tired. There is something wrong with the ACLs:


access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248

They should be:


access-list 2 standard permit 172.17.36.0 0.0.0.255
access-list 1 standard permit 172.30.32.16 0.0.0.7

Billy

Author Comment

by:cwtang
ID: 33494173
Hi,
Not sure if you are aware that the access-list is being applied on a Cisco ASA and not a Cisco router. I believe that the ASA does not use wildcard masks like IOS routers/switches.

Accepted Solution

by: rfc1180 (earned 1500 total points)
ID: 33494219
Yup, that is right; they would be subnet masks. At any rate, I cannot honestly tell you why it is not working with the route-map. I just checked it in a lab and it works fine with your configs, with the exception of the ACL; I just forgot that you had an ASA.

Maybe you are running into a bug; as I said, your config works in a lab with 1 router and 2 switches.


Billy
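The following is an added example and is not code from this thread or from Cisco. It is a small Python checker that parses the ACL, route-map and router ospf lines from the ASA configuration in the question together with the ASA's show route output (constructed copies of those lines are embedded in the script) and reports, for each default-information originate statement, whether the conditions discussed above hold: a route in the table that falls inside one of the route-map's ACL entries, and, unless always is configured, a 0.0.0.0/0 route already present. That model of when the default is originated is this example's assumption drawn from the thread; it cannot reproduce the platform bug that TAC later confirmed. The checker also encodes the point rfc1180 and cwtang settle on: an ASA standard ACL takes a subnet mask, an IOS standard ACL takes a wildcard mask, so the IOS-style rewrite (0.0.0.255) is rejected when parsed as ASA syntax and accepted only when parsed as IOS syntax. The function names and the "platform" parameter are this example's own.

```python
"""Check ASA conditional default-route origination against the routing table.
Added example, not code from the thread or from Cisco; the model of when the
default is originated is an assumption taken from the thread."""
import ipaddress
import re

# Constructed copies of the configuration and routing-table lines quoted in the question.
ASA_CONFIG = """\
access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
route-map Internet permit 10
 match ip address 1
!
route-map CE_Internet permit 10
 match ip address 2
!
router ospf 99
 default-information originate route-map CE_Internet
!
router ospf 100
 default-information originate route-map Internet
!
"""
ASA_SHOW_ROUTE = """\
O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C    172.30.20.252 255.255.255.252 is directly connected, Inside
C    172.30.32.16 255.255.255.248 is directly connected, Outside
O    172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside
"""
IPV4 = r"\d+(?:\.\d+){3}"


def mask_kind(mask):
    """'netmask' (ones then zeros, ASA), 'wildcard' (zeros then ones, IOS),
    'either' (0.0.0.0 / 255.255.255.255) or 'invalid' (non-contiguous bits)."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    is_net = m == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    is_wild = m == (1 << ones) - 1
    if is_net and is_wild:
        return "either"
    return "netmask" if is_net else "wildcard" if is_wild else "invalid"


def parse_standard_acls(config, platform="asa"):
    """{acl_name: [IPv4Network]} from 'access-list N [standard] permit NET MASK'.
    On 'asa' MASK must be a subnet mask, on 'ios' a wildcard; the wrong kind raises."""
    wanted = "netmask" if platform == "asa" else "wildcard"
    pat = rf"^access-list (\S+) (?:standard )?permit ({IPV4}) ({IPV4})"
    acls = {}
    for name, addr, mask in re.findall(pat, config, re.M):
        kind = mask_kind(mask)
        if kind not in (wanted, "either"):
            raise ValueError(f"ACL {name}: {mask} is a {kind}; {platform} expects a {wanted}")
        if platform == "ios":  # wildcard -> subnet mask by inverting the bits
            mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
        acls.setdefault(name, []).append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return acls


def parse_show_route(text):
    """[(code, IPv4Network)] from ASA 'show route' lines (network, then subnet mask)."""
    pat = re.compile(rf"^(\S+(?: [A-Z][A-Z0-9])?)\s+({IPV4}) ({IPV4})")
    return [(m.group(1), ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False))
            for m in map(pat.match, text.splitlines()) if m]


def parse_blocks(config):
    """Map each top-level config line (e.g. 'router ospf 99') to its indented child lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line and not line.startswith("!"):
            current = line
            blocks[current] = []
        else:
            current = None
    return blocks


def route_map_acls(blocks, name):
    """ACL names from 'match ip address' in the permit sequences of one route-map."""
    return [acl for hdr, kids in blocks.items() if hdr.startswith(f"route-map {name} permit")
            for kid in kids if kid.startswith("match ip address ") for acl in kid.split()[3:]]


def evaluate(config, show_route):
    """Per OSPF process, whether the default would be originated. Model (assumption
    following the thread): the route-map is satisfied when a route in the table lies
    inside one of its ACL entries; without 'always' a 0.0.0.0/0 route must exist."""
    acls, blocks = parse_standard_acls(config), parse_blocks(config)
    routes = parse_show_route(show_route)
    default_in_rib = any(net.prefixlen == 0 for _, net in routes)
    report = {}
    for hdr, kids in blocks.items():
        stmt = next((k for k in kids if k.startswith("default-information originate")), None)
        if not hdr.startswith("router ospf ") or stmt is None:
            continue
        rm = re.search(r"route-map (\S+)", stmt)
        matched = sorted({str(net) for acl in (route_map_acls(blocks, rm.group(1)) if rm else [])
                          for entry in acls.get(acl, [])
                          for _, net in routes if net.network_address in entry})
        always = " always" in stmt
        report[hdr.split()[2]] = {
            "always": always, "default_in_rib": default_in_rib, "matched_routes": matched,
            "would_originate": (rm is None or bool(matched)) and (always or default_in_rib)}
    return report
```

Calling evaluate(ASA_CONFIG, ASA_SHOW_ROUTE) on the question's data shows both route-maps matching a route (172.17.36.0/24 for CE_Internet, 172.30.32.16/29 for Internet) but no default in the table, so without always the model reports that neither process originates; with always added to both statements, or with a static 0.0.0.0/0 present, it reports that both do. Parsing the wildcard form of ACL 2 with the default platform raises ValueError, while platform="ios" converts it to the same /24.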

Author Closing Comment

by:cwtang
ID: 33611868
Hi,
I have created a TAC case and Cisco has confirmed that the feature is broken.
Thanks for the assistance.