topic OSPF PTP with ASA in Network Security

OSPF PTP with ASA

c.fuller — Mon, 11 Mar 2019 21:21:38 GMT

Hello

I am trying to bring up a L3 PTP between an ASA and a 6500 running IOS. The ASA is in routed mode configured for OSPF. On the ASA I configure the interface to the 6500 with an IP address and define the network type as point-to-point. I add that network to the OSPF process configuration. Likewise on the 6500 I configure the interface as a L3 interface with IP and network type as point-to-point. I add the same /30 network to that OSPF process. I can ping across the /30 both ways but the adjacency is not forming. The ASA debugs show the hello coming from the correct 6500 interface. However the ASA can't find the 6500 interface. The debug indicates "cannot locate nbr x.x.x.x (ip address of 6500 interface).

When I remove the "ospf network point-to-point nonbroadcast" command on the ASA the adjacency does form. However, on the ASA side it's "2way/drother" and on the 6500 side "full". The LSDB's look good. But the 6500 is not injecting the routes advertised from the ASA into the routing table.

Thoughts? I suspect I am missing a concept or simple command. As far as I can tell this is a supported configuration on the ASA. But have not been able to find any point-to-point configuration examples.

Any information is much appreciated.

Thanks

Chuck

OSPF PTP with ASA

c.fuller — Wed, 07 Sep 2011 14:21:04 GMT

Update: I was able to get this to work by removing the network type "point-to-point" from both sides of the /30 layer 3 link. The ASA routes are now showing up in the 6500 routing table.

However, I am still confused as to why I could not get the full adjacency when configuring point-to-point on the interfaces.

It's working now but as a "broadcast" network type. Even though it's physically a point-to-point setup. One link between two devices only.

Any information is appreciated.

Chuck

OSPF PTP with ASA

cadet alain — Thu, 08 Sep 2011 12:01:16 GMT

Hi,

When I remove the "ospf network point-to-point nonbroadcast"

I suppose this is a typo because this network type doesn't exist but point-to-multipoint non broadcast does exist.

I you use this type then you must use unicast for hellos and so enter a neighbour command but if other side is broadcast this can't work.

Normally if you use point-to-point on both ends then you must have an adjacency and get all the routes.

You may have a neighbourship forming if the hello/dead timers are the same but if the network types are not compatible then you won't get the routes and full adjacency.

Regards.

Alain.

OSPF PTP with ASA

c.fuller — Thu, 08 Sep 2011 13:34:05 GMT

On the ASA the "non-broadcast" option is required. When I try to leave it off I get a "command incomplete" message.

There are no other options available so I used "ospf network point-to-point non-broadcast" option.

On the 6500 IOS switch I can simply put in "ip ospf network point-to-point" with no further options. Here the "non-broadcast" option is not available even if I wanted it.

So with the ASA using "ospf network point-to-point nonbroadcast" and the 6500 IOS using "ip ospf network point-to-point" I can't get the adjacency up. Both network types are listed as "POINT-TO-POINT" for each interface.

Any further thougths anyone? Is there a different command on the ASA that doesn't require the non-broadcast option?

Chuck

Here's a doc http://www.cisco

avang2004 — Fri, 13 Mar 2015 14:43:58 GMT

Here's a doc http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/route_ospf.html#52085

You have to specify the neighbor under the OSPF process. Example below:

interface gi0

ip address 192.168.1.2 255.255.255.252

nameif inside

security-level 100

ospf network point-to-point non-broadcast

router ospf 65000

network 192.168.1.0 255.255.255.252 area 0

neighbor 192.168.1.1 interface inside