OSPF network advertising

Hi...

I have a Cisco ASA firewall configured with OSPF for MPLS routing.
Behind my firewall is a given subnet, 192.168.1.0/24, and it is subnetted to /26 for 4 VLANs at the datacenter.

After configuring, I can ping my VLAN 1, which is connected to the firewall.
From the end users' core switch, they can see my VLAN 1 /26 subnet appear in their routing table.
But they can't reach the other three.

I found that there are no routing table entries for the other 3 subnets.

How can I force the advertising for the remaining 3? Can I just publish /26 for the 4 VLANs, or can I do it in /24?

Please advise.
hell_angelEngineerAsked:

Craig BeckCommented:
If the other 3 /26 networks are routed via the same router you can advertise the /24.

The router at the DC should be routing all 4 /26 networks, right?  So in OSPF on the DC router you need something like...

router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
0
hell_angelEngineerAuthor Commented:
Sorry... my device for OSPF is a Cisco ASA firewall.
How should I do that?

Or should I configure my core switch for OSPF as well, so it will publish all connected VLAN subnets to my ASA?
0
Craig BeckCommented:
Does your ASA have a default route?
0
hell_angelEngineerAuthor Commented:
Got. It goes to the internet.

My firewall has 3 interfaces.

eth0 - inside (server farm)

eth1 - inside (MPLS users at outside datacenter)

eth2 - outside (internet)
0
Craig BeckCommented:
So can you show the routing table for the ASA, and the OSPF config you already have?
0
hell_angelEngineerAuthor Commented:
Do you want to have my routing table?
0
Craig BeckCommented:
Yes - the ASA has a routing table.  Can I see it, and the OSPF config from the ASA?
0
hell_angelEngineerAuthor Commented:
There is a lot of confidential information that is not convenient for me to post here. Is there any specific part that you want me to extract?
0
Craig BeckCommented:
Yes just the routing table (excluding any public IP addresses) and the OSPF configuration commands.
0
hell_angelEngineerAuthor Commented:
Hi... below is the routing table that is related to my case. The actual IP range used is 10.32.60.0/24, which is my inside network, subnetted to /26.

------------------------------------------------------------------------------------------
S    10.32.60.0 255.255.255.192 [1/0] via 10.32.60.193, Inside
C    10.32.30.40 255.255.255.248 is directly connected, Inside-MPLS
                               [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.104 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.132 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
O E2 10.18.14.136 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.196 255.255.255.252
C    10.32.60.192 255.255.255.192 is directly connected, Inside
S    10.32.60.64 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
----------------------------------------------------------------------------------------------
My OSPF configuration is as below.

------------------------------------------------------
router ospf 313
router-id 10.32.30.46
network 10.32.30.40 255.255.255.248 area 100
network 10.32.60.0 255.255.255.192 area 100
network 10.32.60.64 255.255.255.192 area 100
network 10.32.60.128 255.255.255.192 area 100
network 10.32.60.192 255.255.255.192 area 100
network 10.32.60.0 255.255.255.0 area 100
area 100 authentication
------------------------------------------------

I had a static route on the ASA for the return route to my inside VLANs.
Tried to use redistribute connected, no help.

Thanks
0
Craig BeckCommented:
I'm wondering why if this is a branch (or stub) you have this...

S    10.32.60.0 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.64 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside


Surely you should get to the other 3 sites via the MPLS?
0
hell_angelEngineerAuthor Commented:
The remote is BGP.
From show IP route, it only shows the subnet that belongs to my ASA inside subnet.
0
Craig BeckCommented:
So why are the above routes reachable via the inside interface, and not the MPLS interface?
0
hell_angelEngineerAuthor Commented:
Those are to provide a return route back to my core switch for those VLANs.
0
Craig BeckCommented:
Ok can you give a diagram of how all sites are connected and show subnets for each site?
0
hell_angelEngineerAuthor Commented:
Hi craigbeck,

Sorry for the late response, as I was stuck with some other issue.
I will attach the diagram as soon as possible.

Thanks again
0
hell_angelEngineerAuthor Commented:
Apologies for the late reply...
Attached is the diagram for the infra.
issue.jpg
0
Craig BeckCommented:
Your diagram doesn't match the OP...

Anyhow, you need a static route for the 192.168 networks pointing to the IP of the L3 switch, then you need to redistribute static routes into OSPF on the ASA.
0
hell_angelEngineerAuthor Commented:
Sorry... I can't catch it... can you explain more about this: "you need a static route for the 192.168 networks pointing to the IP of the L3 switch"

In the firewall OSPF, I should redistribute the subnets with a custom netmask, right?
0
Craig BeckCommented:
If you want the users LAN to be able to see the 192.168 networks on the other side of the ASA you need to add a static route for each subnet on the ASA, and also add a route to the users subnets to the server farm L3 switch.

I'd need a bit more detail on what IP addresses you have on each interface of the ASA and L3 switches, but on the ASA you need something like (in addition to what you have already):

router ospf 313
 redistribute static subnets
!
route Inside 192.168.30.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.40.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.50.0 255.255.255.0 <IPOFL3SWITCH>



On the Server L3 switch:

ip route 172.16.10.0 255.255.0.0 <IPOFASAINSIDE>
ip route 172.16.20.0 255.255.0.0 <IPOFASAINSIDE>



Or, just use EIGRP between the ASA and the server L3 switch.
0

hell_angelEngineerAuthor Commented:
route Inside 192.168.30.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.40.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.50.0 255.255.255.0 <IPOFL3SWITCH>

Is the layer 3 switch mentioned here at the users' end or the server end?

I will draft a new diagram for you again.
0
Craig BeckCommented:
Server end.
0
hell_angelEngineerAuthor Commented:
Hi Craigbeck,

Please refer to the updated diagram. Can I say that I should add the below to my firewall OSPF route?

route Inside 10.32.60.0 255.255.255.192 10.32.60.1
route Inside 10.32.60.32 255.255.255.192 10.32.60.1
route Inside 10.32.60.64 255.255.255.192 10.32.60.1

Does it mean that from my end users' core switch, they will see those subnets published to their core switch?
The command is already configured on the ASA to provide the return route for traffic to the core switch.


Thanks
issue.jpg
0
hell_angelEngineerAuthor Commented:
Hi.. we already have a default route to the ASA interface.
The subnet we assigned is any.

Do you mean we still need to assign these?
ip route 172.16.10.0 255.255.0.0 <IPOFASAINSIDE>
ip route 172.16.20.0 255.255.0.0 <IPOFASAINSIDE>
0
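
The advertisement behaviour discussed in this thread, as an added example (not code from any poster): an OSPF `network` statement only originates the subnets of interfaces it matches, so the static /26 routes stay invisible until `redistribute static subnets` is configured. The route list is constructed from the posted routing table and OSPF config; `parse` and `classify` are hypothetical helper names, and matching an interface by its subnet instead of its address is a simplification.

```python
import ipaddress

# Constructed from the routing table and OSPF config posted in the thread.
# Route code: C = directly connected, S = static.
ROUTES = [
    ("S", "10.32.60.0", "255.255.255.192"),
    ("S", "10.32.60.64", "255.255.255.192"),
    ("S", "10.32.60.128", "255.255.255.192"),
    ("C", "10.32.60.192", "255.255.255.192"),
    ("C", "10.32.30.40", "255.255.255.248"),
]
OSPF_NETWORKS = [
    ("10.32.30.40", "255.255.255.248"),
    ("10.32.60.0", "255.255.255.0"),
]


def parse(addr, mask):
    """Return the network, or None when host bits are set for this mask."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    except ValueError:
        return None


def classify(routes, ospf_networks, redistribute_static=False):
    """Map each prefix to how OSPF would originate it.

    'network'        connected subnet inside a network statement range
    'external'       static route injected by redistribute static
    'not advertised' neither of the above
    'invalid'        address and mask are inconsistent
    """
    covers = [n for n in (parse(a, m) for a, m in ospf_networks) if n]
    result = {}
    for code, addr, mask in routes:
        net = parse(addr, mask)
        if net is None:
            result[f"{addr} {mask}"] = "invalid"
        elif code == "C" and any(net.subnet_of(c) for c in covers):
            result[str(net)] = "network"
        elif code == "S" and redistribute_static:
            result[str(net)] = "external"
        else:
            result[str(net)] = "not advertised"
    return result
```

The same `parse` check returns `None` for `10.32.60.32 255.255.255.192` and `172.16.10.0 255.255.0.0` as written in the thread, because both have host bits set for the given mask.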