10-20-2011 06:41 PM - edited 03-04-2019 02:00 PM
Is it possible to run ospf over an ipsec tunnel between an ASA and a router? I can create tunnel interfaces on the router, but the ASA doesn't support it so I don't think it's possible. I'd be terminating the tunnels between the devices and not through the ASA.
Thanks!
John
10-20-2011 06:56 PM
John,
Here is a config example:
HTH
10-20-2011 07:07 PM
Reza,
That helps. I found another link after posting this that shows how to get GRE tunnels between a router and an ASA, but it doesn't say anything about routing protocols. I'll play with this tomorrow and let you know.
Thanks!
John
10-21-2011 08:24 AM
I can't get the routes across. Here's what I have:
IPsec tunnel configured on the ASA:
crypto map GO 10 match address GO
crypto map GO 10 set peer 12.12.12.1
crypto map GO 10 set transform-set GO
crypto map GO 10 set reverse-route
crypto map GO interface Outside
Tunnel interface on router:
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
ip ospf network point-to-point
tunnel source Serial0/0
tunnel destination 2xx.xx.xx.xx
crypto map Tunnel
The tunnels are up:
dst src state conn-id slot status
12.12.12.1 209.30.236.7 QM_IDLE 1 0 ACTIVE
Here's what I'm attempting. We have an MPLS circuit with our provider along with a MAN connection to our DR site. All of our internet circuits are from the same provider, with the exception of one circuit which is a radio connection. I'm wanting to set up a tunnel over the radio link to our DR site in the event of a cable cut outside of our building. As you can see, the tunnels come up, but I can't seem to get any routing protocols over the link. Is there a better way to do this? I thought about creating the tunnels on our 6509 through the ASA and to the DR site, but I'm not sure I want a tunnel terminating into our switch. We run BGP everywhere, so that's why I'm trying to get OSPF to work with the ASA, since it doesn't support BGP.
Thanks!
John
10-21-2011 01:49 PM
John,
Why can't you use a static route to accomplish this? If you have a static route pointing to your DR site with a higher admin distance than your BGP (iBGP 200, eBGP 20) connection, then this can be used as a backup link. Also, running a routing protocol on your ASA may be an issue with your security people.
HTH
10-22-2011 06:30 AM
John,
You are using ip ospf network point-to-point on the router, which still sends router multicasts to 224.0.0.5 for neighbor discovery. You can't run multicast routing on IPsec tunnels. Only unicast.
Can you please try using ip ospf network non-broadcast on the router and also on the ASA outside interface as well.
Also, have the neighbors configured statically, as it's unicast now.
+++++ASA config
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address
ospf network point-to-point non-broadcast
+++++ Router
router ospf 10
network y.y.y.y 255.255.255.255 area 0 << your LAN subnets
network 192.168.1.2 0.0.0.0 area 0
log-adj-changes
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
ip ospf network non-broadcast
tunnel source Serial0/0
tunnel destination 2xx.xx.xx.xx
crypto map Tunnel
interface Serial0/0
ip ospf network non-broadcast
The neighbors would form very slowly as the hello/hold become 30/120.
Give it a try and see how you go
Regards,
Kishore
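An added Python example, not from this thread, that models the point Kishore makes above: for the two OSPF network types discussed, which hello destination addresses fall inside a crypto-map match ACL, and what the default hello/dead timers become. The ACL, the local address 192.168.1.2 and the neighbor address 192.168.1.1 are constructed from the thread's tunnel subnet; the timer values are the IOS defaults.

```python
import ipaddress

# AllSPFRouters multicast group used by OSPF on point-to-point and broadcast links
OSPF_ALLSPF = ipaddress.ip_address("224.0.0.5")

# Default OSPF hello/dead timers (seconds) per network type
TIMERS = {
    "point-to-point": (10, 40),
    "broadcast": (10, 40),
    "non-broadcast": (30, 120),
    "point-to-multipoint": (30, 120),
}

# Constructed crypto-map match ACL: (source net, destination net) permit entries,
# covering only the tunnel subnet from the thread.
CRYPTO_ACL = [("192.168.1.0/24", "192.168.1.0/24")]


def hello_destinations(network_type, neighbors):
    """Addresses OSPF hellos are sent to on an interface of the given type."""
    if network_type in ("point-to-point", "broadcast"):
        return [OSPF_ALLSPF]
    # non-broadcast / point-to-multipoint: unicast to each statically configured neighbor
    return [ipaddress.ip_address(n) for n in neighbors]


def matches_crypto_acl(acl, src, dst):
    """True if a src->dst packet is 'interesting traffic' for the crypto map."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in acl)


def hellos_carried(acl, local_ip, network_type, neighbors):
    """Map each hello destination to whether the IPsec tunnel would carry it."""
    return {str(d): matches_crypto_acl(acl, local_ip, str(d))
            for d in hello_destinations(network_type, neighbors)}


if __name__ == "__main__":
    for ntype in ("point-to-point", "non-broadcast"):
        print(ntype, TIMERS[ntype], hellos_carried(CRYPTO_ACL, "192.168.1.2", ntype, ["192.168.1.1"]))
```

With point-to-point the only hello goes to 224.0.0.5, which no unicast crypto ACL matches; with non-broadcast and a static neighbor the hello is unicast to 192.168.1.1 and is encrypted, at the cost of the slower 30/120 timers.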