04-10-2022 05:47 AM - last edited on 04-23-2022 02:49 AM by Translator
Dear ALL,
I'm setting up a two-tier firewall architecture (the internet-facing firewall is a Fortinet and the second-tier firewall is a Cisco FTD). I receive the default route 0.0.0.0 0.0.0.0 from the Fortinet firewall via eBGP (the Fortinet (ASN 64520) and the Cisco (ASN 64450) use an eBGP connection). I created a route-map in the OSPF redistribution for the default route, but I can't receive it on the internal switch.
Can anyone help?
Network Diagram
Fortinet(ASN:64520)->eBGP<-Cisco FTD(ASN:64450)->OSPF<-Cisco C3750E
Thanks.
04-10-2022 06:06 AM - edited 04-10-2022 06:13 AM
Hello
Instead of redistributing the received eBGP default, advertise it into OSPF with default originate.
04-10-2022 08:37 AM - last edited on 04-23-2022 02:50 AM by Translator
I can't use default originate (default-information originate) because when the Fortinet does not announce 0.0.0.0 0.0.0.0, the default route will be learned from the other site via OSPF.
04-10-2022 08:11 AM
Try redistributing without the route map to narrow down where the problem is.
Jon
04-10-2022 08:42 AM - last edited on 04-23-2022 02:52 AM by Translator
04-10-2022 09:12 AM
Just to confirm -
you are definitely receiving the default route from the Fortinet and it is in the routing table on the ASA?
On the switch it is not in the routing table, but is it in the OSPF database?
Jon
04-10-2022 09:18 AM
you are definitely receiving the default route from the Fortinet and it is in the routing table on the ASA?
ACME: Yes, I can see the default route in the FTD routing table.
On the switch it is not in the routing table, but is it in the OSPF database?
ACME: Yes, only the default route is not in the routing table; the other prefixes are received.
04-10-2022 09:22 AM
Sorry, that last bit -
so the switch is receiving the default route but it is only in the OSPF database?
The other prefixes that are received, are those redistributed from BGP on the ASA?
Jon
04-10-2022 09:27 AM
so the switch is receiving the default route but it is only in the OSPF database?
ACME: May I know how to check it?
The other prefixes that are received, are those redistributed from BGP on the ASA?
ACME: Yes.
04-10-2022 09:33 AM
04-10-2022 09:42 AM - last edited on 04-23-2022 02:54 AM by Translator
In your original post you said the Fortinet was receiving the default route via eBGP and that the ASA was running eBGP as well.
When Paul suggested using default-information originate in OSPF you said you couldn't because the Fortinet was not announcing the default route.
So is the ASA receiving the default route from the Fortinet or not?
If it is, then use default-information originate as Paul suggested, and if it isn't, can you explain what the BGP configuration is for?
Jon
04-10-2022 09:53 AM - last edited on 04-23-2022 02:55 AM by Translator
When Paul suggested using default-information originate in OSPF you said you couldn't because the Fortinet was not announcing the default route.
ACME: The Fortinet generates the default route to the ASA; if the Fortinet finds the internet is down, it will not generate the default route to the ASA.
So is the ASA receiving the default route from the Fortinet or not?
ACME: Yes.
If it is, then use default-information originate as Paul suggested, and if it isn't, can you explain what the BGP configuration is for?
ACME: I can't use default-information originate because I have two sites; if site A's internet is down, the default route is learned from site B via OSPF. If I use default-information originate, it will cause a looping issue.
04-10-2022 10:02 AM - last edited on 04-23-2022 02:56 AM by Translator
If you use default-information originate and the default route from the Fortinet stops being received, then the default route is no longer advertised into OSPF.
It would only keep being advertised if you used the always keyword in the command.
Would this not work for you?
Jon
04-10-2022 10:08 AM - last edited on 04-23-2022 02:57 AM by Translator
Hello
The Fortinet has no bearing on using the OSPF default originate within the OSPF stanza:
fortinet to asa = bgp
asa to switch = ospf
So the default originate should work providing the default route from BGP is in the ASA RIB table.
Note: using the always keyword will bypass this condition.
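Added illustration, not part of the thread and not configuration from any of the posters: an IOS-style OSPF stanza that puts the original post's redistribute/route-map attempt next to the conditional default origination Paul describes, followed by the show commands that answer Jon's two questions (is 0.0.0.0/0 in the ASA/FTD RIB, and is it in the switch's OSPF database). The syntax is Cisco IOS; an FTD is configured through FMC, so the exact form there differs. The process number and the prefix-list and route-map names are assumptions; only ASN 64450 comes from the network diagram.

```ios
! --- Added example, Cisco IOS syntax. Process number and names are assumed. ---
!
! Approach from the original post: redistribute BGP into OSPF, filtered to 0.0.0.0/0.
! On IOS, OSPF never injects a default route through "redistribute", so even a
! matching route-map does not get 0.0.0.0/0 into the OSPF database and the
! switch never sees it. This is why the route-map attempt produced nothing.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list DEFAULT-ONLY
!
router ospf 1
 redistribute bgp 64450 subnets route-map BGP-TO-OSPF
!
! Paul's approach: conditional default origination. The default is advertised
! into OSPF only while 0.0.0.0/0 (here learned from the Fortinet via eBGP) is in
! the local RIB, and is withdrawn when the Fortinet stops announcing it. That
! withdrawal is what lets the switch fall back to the default learned from the
! other site over OSPF, which is the failover the original poster needs.
router ospf 1
 no redistribute bgp 64450 subnets route-map BGP-TO-OSPF
 default-information originate
!
! The "always" keyword would advertise the default unconditionally, even with
! no default in the RIB, and would defeat that failover; do not use it here.
!   default-information originate always
!
! Verification, matching Jon's two questions:
! On the ASA/FTD (IOS-style; the FTD diagnostic CLI uses "show route" and "show bgp"):
!   show ip route 0.0.0.0 0.0.0.0      ! eBGP default present in the RIB?
!   show ip bgp 0.0.0.0/0              ! received from the Fortinet neighbor?
! On the C3750E:
!   show ip ospf database external 0.0.0.0   ! type-5 LSA for the default present?
!   show ip route 0.0.0.0                    ! and installed in the routing table?
```

If the type-5 LSA shows up on the switch but the route is not installed, the usual reasons are a better-preferred default from another source (for example the other site's advertisement) or a forwarding address that is not reachable; comparing the two show outputs above tells which case applies.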
04-10-2022 10:31 AM
It seems to work, I'm doing the verification.
Thanks Paul