j.blakley - I have ip routing enabled.

Jon - They are remote networks not connected to the ASA. They are connected to the Sonicwall who does not have OSPF.

1. IThe are setup as static on the sonicwalls. I have a mixed environment, 10.10.10.0 (watchguard) 192.168.200.0 (sonicwall), 192.168.202.0 ( ASA 5510). Then I have an internal router (catalyst)

I would lke to use OSPF between the Catalyst and the ASA. Then the sonicwall and watchguards would stay the same using thier static routes.

yes I have set it up like that, I do not have gateways setup for my VLANs. The ASA eth0/2 will be connected directly to the L3 switch. This is my 192.168.202.0 network. I have assigned ports 17-30 on my L3 switch (without spanning-tree) to connect switches which will feed my servers.

I  definately would like to have the ASA and L3 switch make use of the OSPF protocol and use the routes above. I guess this is where I can add the 192.168.102.0 - 106.0 to OSPF and have both ASA and L3 switch be synced?

Right, just to clarify -

1) you have subnets 10.10.10.0/24, 192.168.200.0/24 and 192.168.202.0/24 being routed on the L3 switch ?

2) your ASA is connected to the L3 switch in the 192.168.202.0 subnet ?

If so running OSPF would be fine but you need to understand that for the routes for the remote networks down the tunnels to be advertised to the L3 switch then you would need static routes on the ASA for these remote networks. Generally speaking you don't need these routes for remote tunnels so i suspect your ASA does not have these routes.

So you would need to add routes for these remote tunnels onto your ASA (if they are not there). Then you need to setup OSPF and redistribute these static routes into OSPF for the L3 switch to receive them.

Obviously if you run OSPF between the switch and ASA then apart from the tunnel networks the ASA would learn of the networks on the L3 switch.

So what is the state of the ASA in terms of routes and do you want add these static routes to the ASA ?

Jon

Jon,

1) you have subnets 10.10.10.0/24, 192.168.200.0/24 and 192.168.202.0/24 being routed on the L3 switch ?

Yes

2) your ASA is connected to the L3 switch in the 192.168.202.0 subnet ?  yes

There are not routes on the ASA besides: route outside 0.0.0.0 .0.0.0.0 173.xxx.xx.65 1

This is for internet traffic.

Yes I would like to add the static routes to the ASA if this is the method to get them to work with OSPF.

So this is my thinking which I am probably wrong:

1. I would first add the routes manually to the ASA (for the tunneled networks).

2. Enable OSPF on the ASA.

3. Import the static routes into OSPF on the ASA.

4. Enable OSPF on the L3 switch.

5. Then all the static routes would seamlessly transfer to the ASA and the L3 VLAN routes would be learned by the ASA.

John

John

Okay, just remembered that to run OSPF/EIGRP your switch must be running IP Services image. If you have IP Base you can only run RIP or use static routes. The config you need is below but first do a "sh version" and it should tell you which feature set you are running.

First add the routes to the ASA. I am assuiming these remote networks are reachable via the outside interface (in a VPN tunnel obviously) ?

ASA config

========

route outside 192.168.102.0 255.255.255.0 173.x.x.65

etc.. for each subnet

router ospf    <-- where process id is just a number

network 192.168.202.0 255.255.255.0 area 0

redistribute static

L3 switch config

============

router ospf    

network 10.10.10.0 0.0.0.255 area 0

network 192.168.200.0 0.0.0.255 area 0

network 192.168.202.0 0.0.0.255 area 0

that's the most basic config. Couple of things -

1) you may want to secure the connection with authentication as it is a firewall but lets get it working first

2) note that on the ASA under the OSPF config you use subnet masks for the network statements but on the L3 switch you use wildcard masks.

Jon

John

What i was saying in previous thread is that to setup OSPF there is hardly any less config than using statics so i was just questioning as to whether you needed it or not.

If you do fine, i can help with config.

Jon

Hi jon,

Its more that I want to learn it, more than that I really need it. I wanted to pick a routing protocol and learn how it works by implementing it.

If I did not want to learn it, then I would just create static routes, which is probably suited for my small network of 3 firewalls and 3 subnets and 5 external routed tunnels. I beleive that OSPF and other routing protocols are really needed if you have many cisco firewalls and switches, so you dont have to login and make a static addition or deletion to every remote router/switch.

I have been learning so much from the entire community and expecially you have tought me so much about cisco networking. I appreciate it very very much!!!

John

Understood. I wasn't trying to put you off just wanted to make it clear you aren't really saving that much on config but only too happy to help you get it all working.

Personally i am a big fan of EIGRP but with your mixed environment OSPF could be a good choice.

Jon

hi Jon,

My tunnel's gateway is 192.168.200.254

So shoudl I alter your command of : 

route outside 192.168.102.0 255.255.255.0 173.x.x.65

to be:

route outside 192.168.102.0 255.255.255.0 192.168.200.254

I just dont understand how it would know to get there. Would it not need the ip address of the 192.168.200.0 vlan?

Jon

Isn't 192.168.200.254 on your network though ?  Are you saying the tunnels are not on the ASA but another firewall ?

What is 192.168.200.254 ?

Jon

Hi Jon,

No the 192.168.200.254 is a sonicall firewall. The tunnels are not on the ASA, but on the Sonicwall.

john

Ahh okay.

I know you want to understand and learn how to set things up but it is not generally recommended to have one device advertising routes for another device in this way.

By all means try it with the routes pointing to the Sonicwall but it is creating more complexity than you need. Certainly if i took over the network i would be confused as to why the ASA was handing out routes that belonged to the Sonicwall. Can the Sonicwall not run OSPF ?

Having said that a compromise may well be to still run OSPF between the L3 switch and the ASA. You still get the benefit of the ASA learning the routes for the subnets that are on the 3560 switch. But then you add static routes to the 3560 for the tunnels pointing to the Sonicwall ?

Jon

jon,

The sonicwall cannot handle OSPF, it is running the lower grade firmware.

okay so you suggest I just add static routes for the tunnels on both the ASA and the L3 switch?

Then we will let OSPF handle the VLANs?

John