Solved

Cisco ASA 5500 OSPF Default Route Injection with Route Map

Posted on 2010-08-21
6
2,288 Views
Last Modified: 2012-05-10
Hi,
I am trying to distribute a default route from a Cisco ASA 5500 based on route maps matching IP address. From my understanding, as long as there is a match in the routing table, a default route would be given out; however, I am not able to see it. I have attached a portion of the running configuration of the Cisco ASA and the show ip route outputs:

Switch 1 (Connected to the Outside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.36.0 is directly connected, Loopback0
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
O E1    172.30.20.252/30 [110/11] via 172.30.32.17, 2d00h, Vlan66
C       172.30.32.16/29 is directly connected, Vlan66
O E1    172.30.32.8/29 [110/12] via 172.30.32.17, 00:03:13, Vlan66
Switch#sh ip osp
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.32.17      1   FULL/BDR        00:00:35    172.30.32.17    Vlan66


Switch 2 (Connected to the Inside Interface of the ASA)

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
O E1    172.17.36.0 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
     172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.30.20.252/30 is directly connected, Vlan66
O E1    172.30.32.16/29 [110/1001] via 172.30.20.253, 00:02:10, Vlan66
C       172.30.32.8/29 is directly connected, Vlan100
Switch#sh ip ospf nei
Switch#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.30.20.253     1   FULL/BDR        00:00:31    172.30.20.253   Vlan66


ASA (Show Route)

ITE-CW-ASA01# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O IA 172.17.36.0 255.255.255.0 [110/11] via 172.30.32.18, 48:12:41, Outside
C    172.30.20.252 255.255.255.252 is directly connected, Inside
C    172.30.32.16 255.255.255.248 is directly connected, Outside
O    172.30.32.8 255.255.255.248 [110/11] via 172.30.20.254, 0:07:14, Inside


ASA Partial Running Configuration:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.30.32.17 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 172.30.20.253 255.255.255.252

access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248
access-list 101 extended permit ip any any

access-group 101 in interface Outside
!
route-map Internet permit 10
 match ip address 1
 set metric 500
 set metric-type type-1
!
route-map CE_Internet permit 10
 match ip address 2
 set metric 350
 set metric-type type-1
!
!
router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate route-map Internet
!

I am not sure of the reason the ASA is not able to inject the default routes to the switch. I would appreciate it if anyone could point out what else might be the issue.

Thanks.
0
Question by:cwtang
6 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33491749
I am not sure what it is you are trying to accomplish; I believe you want some type of redundancy for your Internet connections. Not sure why you are using 2 OSPF processes, there is really no need for what I think you are trying to accomplish (but then again, you have no questions related to this, so I am assuming you have a reason for the different process IDs for OSPF).

>I am not sure for the reason the ASA is not able to inject the default routes to the switch
It is because you do not have a default route in your routing table (at least it might be, if you are only showing us what you want us to see). If there is no default in the routing table of the ASA and you want the ASA to advertise the default regardless of whether the default is in the table or not, then you should add always:

default-information originate

router ospf 99
 router-id 172.20.254.6
 network 172.20.254.0 255.255.255.248 area 0
 log-adj-changes
 redistribute connected metric-type 1 subnets
 redistribute ospf 100 metric 1000 metric-type 1 subnets
 default-information originate always route-map CE_Internet
!
router ospf 100
 router-id 172.30.32.9
 network 172.30.32.8 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 default-information originate always route-map Internet

Billy
0
 

Author Comment

by:cwtang
ID: 33493985
Hi,
You are correct that I do want to create redundancy. I have tried to make use of the "always" command earlier; however, I am not able to get the default routes injected into the switch either. However, if I were to remove the route maps and use the "always", the default routes would be injected into the switch.

The reason for the route maps would be to create redundancy and remove the default routes if the requirement is not met. Not sure if the access list is created correctly to match the route map.

Thanks.


0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33494126
Yeah dude, I must be tired. There is something wrong with the ACLs:


access-list 2 standard permit 172.17.36.0 255.255.255.0
access-list 1 standard permit 172.30.32.16 255.255.255.248

They should be:


access-list 2 standard permit 172.17.36.0 0.0.0.255
access-list 1 standard permit 172.30.32.16 0.0.0.7

Billy
0
 

Author Comment

by:cwtang
ID: 33494173
Hi,
Not sure if you are aware that the access-list is being applied on Cisco ASA and not Cisco router. I do believe that ASA does not use wild card like ios routers/switch.
0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
ID: 33494219
Yup, that is right; they would be subnet masks. At any rate, I cannot honestly tell you why it is not working with the route-map. I just checked it in a lab and it works fine with your configs, with the exception of the ACL; I just forgot that you had an ASA.

Maybe you are running into a bug, as I said, your config works in a lab with 1 router and 2 switches.


Billy
0
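Two things in this thread are worth seeing in working form: the conditional origination the question relies on (a default is originated only while some route in the table is permitted by the route-map, and that sequence's set clauses apply to it), and the ACL mask point settled in the last two comments (ASA standard ACLs take a subnet mask, IOS standard ACLs take a wildcard mask). The Python model below is an added illustration, not the page's, Cisco's or rfc1180's code. It parses the two ACL lines and both route-maps from the ASA configuration above, evaluates them against the networks in the ASA's `sh route` output, and goes slightly beyond the page by accepting either mask convention so the effect of reading one as the other can be checked. Assumptions: routes are compared on their network address only (standard-ACL behaviour), the `always`/route-map interaction is modelled as the thread describes it rather than from vendor documentation, and the RIB is represented as a list of CIDR strings.

```python
"""Model of 'default-information originate [always] [route-map NAME]' against a
routing table, with ASA (subnet mask) versus IOS (wildcard mask) standard ACLs.

Added illustration for this thread; not ASA or IOS code. Simplifications:
routes match on network address only; the always/route-map interaction follows
the thread's description, not vendor documentation.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(line, platform):
    """Parse 'access-list ID standard permit|deny ADDR MASK'.

    platform 'asa': MASK is a subnet mask, its 1 bits are compared.
    platform 'ios': MASK is a wildcard mask, its 1 bits are ignored.
    Returns (acl_id, (action, pattern, care_bits)).
    """
    _, acl_id, kind, action, addr, mask = line.split()
    if kind != "standard" or action not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    if platform not in ("asa", "ios"):
        raise ValueError(f"unknown platform: {platform}")
    mask_int = ip_int(mask)
    care = mask_int if platform == "asa" else mask_int ^ ALL_ONES
    return acl_id, (action, ip_int(addr) & care, care)


def load_acls(lines, platform):
    acls = {}
    for line in lines:
        acl_id, entry = parse_standard_acl(line, platform)
        acls.setdefault(acl_id, []).append(entry)
    return acls


def acl_permits(entries, address):
    """First-match evaluation with the implicit deny at the end."""
    a = ip_int(address)
    for action, pattern, care in entries:
        if a & care == pattern:
            return action == "permit"
    return False


def route_map_result(route_map, acls, network):
    """Return the 'set' clauses of the first sequence whose ACLs permit the
    route's network address, or None if no permit sequence matches."""
    addr = str(ipaddress.IPv4Network(network).network_address)
    for action, acl_ids, sets in route_map:
        if any(acl_permits(acls[i], addr) for i in acl_ids):
            return sets if action == "permit" else None
    return None


def default_origination(rib, acls, route_map=None, always=False):
    """Decide whether a default is originated and with which set values.

    Without a route-map: 'always' originates unconditionally, otherwise a
    0.0.0.0/0 entry must be in the RIB. With a route-map: originated as soon as
    any RIB entry is permitted by it, using that sequence's set clauses
    (the questioner's reading of the feature; modelled, not vendor-verified).
    """
    if route_map is None:
        return (always or "0.0.0.0/0" in rib), {}
    for network in rib:
        sets = route_map_result(route_map, acls, network)
        if sets is not None:
            return True, sets
    return False, {}


# ACL lines and route-maps copied from the ASA configuration in the question.
ASA_ACL_LINES = [
    "access-list 2 standard permit 172.17.36.0 255.255.255.0",
    "access-list 1 standard permit 172.30.32.16 255.255.255.248",
]
ASA_ACLS = load_acls(ASA_ACL_LINES, "asa")
# Route-map sequence: (action, referenced ACL ids, set clauses).
RM_INTERNET = [("permit", ["1"], {"metric": 500, "metric-type": "type-1"})]
RM_CE_INTERNET = [("permit", ["2"], {"metric": 350, "metric-type": "type-1"})]
# Networks from the ASA's 'sh route' above (no default route present).
ASA_RIB = ["172.17.36.0/24", "172.30.20.252/30", "172.30.32.16/29", "172.30.32.8/29"]

if __name__ == "__main__":
    for name, rm in (("Internet", RM_INTERNET), ("CE_Internet", RM_CE_INTERNET)):
        print(name, default_origination(ASA_RIB, ASA_ACLS, rm))
    print("no route-map, no always:", default_origination(ASA_RIB, ASA_ACLS))
    print("no route-map, always:", default_origination(ASA_RIB, ASA_ACLS, always=True))
    # The same ASA lines read with IOS wildcard semantics match far more than intended.
    misread = load_acls(ASA_ACL_LINES, "ios")
    print("misread ACL 2 permits 10.99.99.0:", acl_permits(misread["2"], "10.99.99.0"))
```

Run as written, the model originates a default for both route-maps, because 172.30.32.16/29 is permitted by ACL 1 and 172.17.36.0/24 by ACL 2, which is the behaviour the question expected and TAC later confirmed was broken on the ASA. The last line shows why the mask convention matters when configurations move between platforms: `255.255.255.0` taken as a wildcard leaves only the last octet significant, so an ACL meant for one /24 would permit any address ending in .0, and a route-map keyed on it could keep a default route advertised long after the intended upstream prefix has disappeared.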
 

Author Closing Comment

by:cwtang
ID: 33611868
Hi,
I have created a tac case and cisco has confirmed that the feature is broken.
Thanks for the assistance.
0
