12896 Views | 0 Helpful | 26 Replies

RIP not working

imanco671
Level 1

Hello Community,

I have RIP enabled on both ASA and L3 switch,

The ASA and L3 are connected to the 192.168.210.0 network.

ASA ethernet - 192.168.210.222

L3 ethernet - 192.168.210.1

I want to share the 192.168.210.0 and the 192.168.220.0 subnets via RIP.

The 192.168.220.0 is my DMZ. This is connected to the ASA and does not connect to the L3. Traffic has to go through the 192.168.210.0 network in order to reach the DMZ.

So the gateway of the DMZ is 192.168.210.222

This is my RIP output on my L3:

*******************************************************
router rip
 version 2
 redistribute static metric 1
 no auto-summary

This is my RIP output on my ASA:

*******************************************************
router rip
 version 2
 no auto-summary
!

Thanks in Advance!

2 Accepted Solutions

John

Adding network statements is not adding routes, at least not with the IGPs such as RIP/EIGRP/OSPF.

When you add a network statement you are telling the device which interfaces to run RIP on. Once RIP has started to run on those interfaces it will then advertise the subnet + the subnet mask of the interface(s) it is running on (note only RIPv2 does this, not RIPv1). So when you enter

network 192.168.210.0

network 192.168.220.0

on the ASA RIP starts on these interfaces and advertises the subnet/subnet masks out.

But if you don't enable RIP on the L3 switch then those advertisements will just be ignored. So you also need to configure RIP on the L3 switch and add -

network 192.168.210.0

Now RIP will start on the L3 switch on the 192.168.210.x interface and will receive the advertisements from the ASA. Note that you don't need to add 192.168.220.0 to the L3 switch because the ASA will advertise this to the L3 switch.

Jon


John

The next-hop must be available. You need to be able to get to the SonicWall from the L3 switch so until you connect up the 192.168.200.x network and can ping the SonicWall it won't work.

If you are unsure or want to play safe then you can add the statics back to the ASA and then when everything has been connected up you can remove one static route from the ASA and see if the RIP route shows up instead.

Jon


26 Replies

Jon Marshall
Hall of Fame

John

You need to add network statements, i.e.

L3 switch
=======
router rip
 your config +
 network 192.168.210.0

ASA
====
router rip
 your config +
 network 192.168.210.0
 network 192.168.220.0

You may also want to make the DMZ interface a passive interface on your ASA to stop RIP being run on the DMZ.

Jon

Hi Jon,

What is "your config +"

Correct me if I'm wrong, but I thought if I add the RIP networks to the ASA then the L3 would automatically learn them?

John

Sorry "your config" just means what you already have under the router rip config.

Not sure what you mean by your 2nd question. If you don't have any network statements then RIP doesn't start up on any interfaces, so no RIP updates will be sent between the L3 switch and the ASA. You have to tell RIP which interfaces to run on.

Jon

Jon,

Okay I get you on "your config"

I was thinking that RIP would send the route to the other device using RIP. So if I configured "network 192.168.220.0" on the ASA's RIP, then I would not have to do anything on the L3 switch if RIP was enabled. Sort of syncing of routes between the RIP devices.

I was thinking I could just run the Show Run command on the L3 switch and see that all the routes on the ASA synced together.

So if I add a static route or a route via RIP, then the sync would happen between devices.

My understanding now is that I have to configure both ASA and L3 with the RIP routes (adding "network 192.168.210.0" to both).

John

Adding network statements is not adding routes, at least not with the IGPs such as RIP/EIGRP/OSPF.

When you add a network statement you are telling the device which interfaces to run RIP on. Once RIP has started to run on those interfaces it will then advertise the subnet + the subnet mask of the interface(s) it is running on (note only RIPv2 does this, not RIPv1). So when you enter

network 192.168.210.0

network 192.168.220.0

on the ASA RIP starts on these interfaces and advertises the subnet/subnet masks out.

But if you don't enable RIP on the L3 switch then those advertisements will just be ignored. So you also need to configure RIP on the L3 switch and add -

network 192.168.210.0

Now RIP will start on the L3 switch on the 192.168.210.x interface and will receive the advertisements from the ASA. Note that you don't need to add 192.168.220.0 to the L3 switch because the ASA will advertise this to the L3 switch.

Jon
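The rules Jon lays out in this reply (a network statement selects interfaces rather than adding routes, the match is classful, RIPv2 advertises each selected interface's subnet with its mask, and passive-interface only stops updates being sent) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; it models those rules in Python and feeds them the interface addresses and RIP statements that appear in the configs posted later in the thread. The ASA outside address is redacted on the page, so an RFC 5737 placeholder stands in for it.

```python
"""Model of what RIP 'network' and 'passive-interface' statements do.

Added example (not the poster's or Cisco's code). Interface addresses come
from the configs in the thread; the ASA outside address is a placeholder.
"""
import ipaddress


def classful_mask(addr: str) -> int:
    """Prefix length IOS and ASA imply for a classful 'network' statement."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8       # class A: "network 10.0.0.0" covers every 10.x.x.x interface
    if first_octet < 192:
        return 16      # class B
    return 24          # class C


def rip_interfaces(interfaces: dict, network_statements: list, passive=()) -> dict:
    """Work out which interfaces run RIP and which subnets get advertised.

    interfaces: {name: "address/prefixlen"}; network_statements: the classful
    network addresses typed under 'router rip'; passive: names given to
    'passive-interface'.
    """
    matched = [ipaddress.ip_network(f"{n}/{classful_mask(n)}", strict=False)
               for n in network_statements]
    running = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        # An interface runs RIP when its address falls inside any network statement.
        if any(iface.ip in net for net in matched):
            running[name] = iface.network
    return {
        "running": sorted(running),
        # Passive interfaces still run RIP and are still advertised; they just send no updates.
        "sending": sorted(n for n in running if n not in passive),
        # RIPv2 advertises the interface's real subnet and mask, not the classful network.
        "advertised": sorted(str(net) for net in running.values()),
    }


def learned_via_rip(receiver_interfaces: dict, sender_advertised: list) -> list:
    """Subnets the neighbour installs as 'R' routes: what it hears minus what it
    already has as directly connected."""
    connected = {str(ipaddress.ip_interface(c).network)
                 for c in receiver_interfaces.values()}
    return sorted(set(sender_advertised) - connected)


# Interfaces and RIP statements as posted in the thread (outside address is a placeholder).
ASA_INTERFACES = {"outside": "203.0.113.66/27", "DMZ": "192.168.220.222/24",
                  "inside": "192.168.210.222/24"}
L3_INTERFACES = {"Vlan2": "10.10.10.1/24", "Vlan3": "192.168.202.1/24",
                 "Vlan4": "192.168.200.1/24", "Vlan5": "192.168.210.1/24"}

ASA_RIP = rip_interfaces(ASA_INTERFACES, ["192.168.210.0", "192.168.220.0"],
                         passive=("DMZ",))
L3_RIP = rip_interfaces(L3_INTERFACES,
                        ["10.0.0.0", "192.168.200.0", "192.168.202.0", "192.168.210.0"])

if __name__ == "__main__":
    print("ASA:", ASA_RIP)
    print("L3 :", L3_RIP)
    print("L3 learns from ASA:", learned_via_rip(L3_INTERFACES, ASA_RIP["advertised"]))
    print("ASA learns from L3:", learned_via_rip(ASA_INTERFACES, L3_RIP["advertised"]))
```

Run as a script it shows the L3 switch learning only 192.168.220.0/24 from the ASA, which is exactly the single R route in the `sh ip route` output posted further down, and the ASA learning the three L3 VLAN subnets once RIP runs on both sides.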

Hi Jon,

I have added a command into RIP: "passive-interface DMZ" to my ASA

Will this help?

Since my L3 has many interfaces, should I add those to RIP on the L3?

Here are my interfaces on L3:

192.168.210.1

192.168.202.1

10.10.10.1

192.168.200.1

John

John

Yes passive-interface will simply stop any RIP updates being sent on the DMZ. It shouldn't stop the 192.168.220.0/24 network being advertised to the L3 switch.

You will need to have network statements for every interface that you want RIP to run on and hence advertise to the ASA.

Once you have entered these a "sh route" on the ASA should show all these routes.

Jon

Jon,

Sorry to be a pain, but I have added all subnets to my L3 RIP. I did a show route on my ASA and do not see any of the L3 subnets.

John

Okay, no problem.

Can you post the L3 switch config + sh ip route and the ASA config + sh route?

Jon

Hi Jon,

First is my ASA config:

ASA Version 8.0(4)
!
hostname ciscodemo
domain-name ar
enable password U.Tf7HVGT3h encrypted
passwd 2KFQnbNIdIYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.xx.xx.66 255.255.255.224
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.220.222 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.210.222 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name a.com
access-list outside_in extended permit tcp any host 173.xxx.xx.70 eq www
access-list nonat extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.210.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
ip local pool VPNPool 192.168.210.100-192.168.210.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (DMZ) 1 192.168.220.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.210.0 255.255.255.0
static (DMZ,outside) 173.xx.xx.70 192.168.220.10 netmask 255.255.255.255
access-group outside_in in interface outside
!
router rip
 network 192.168.210.0
 network 192.168.220.0
 passive-interface DMZ
 version 2
 no auto-summary
!
route outside 0.0.0.0 0.0.0.0 173.xx.xx.65 1
route inside 192.168.3.0 255.255.255.0 192.168.210.1 1
route inside 192.168.5.0 255.255.255.0 192.168.210.1 1
route inside 192.168.98.0 255.255.255.0 192.168.210.1 1
route inside 192.168.102.0 255.255.255.0 192.168.210.1 1
route inside 192.168.103.0 255.255.255.0 192.168.210.1 1
route inside 192.168.104.0 255.255.255.0 192.168.210.1 1
route inside 192.168.105.0 255.255.255.0 192.168.210.1 1
route inside 192.168.110.0 255.255.255.0 192.168.210.1 1
route inside 192.168.111.0 255.255.255.0 192.168.210.1 1
route inside 192.168.112.0 255.255.255.0 192.168.210.1 1
route inside 192.168.113.0 255.255.255.0 192.168.210.1 1
route inside 192.168.150.0 255.255.255.0 192.168.210.1 1
route inside 192.168.151.0 255.255.255.0 192.168.210.1 1
route inside 192.168.154.0 255.255.255.0 192.168.210.1 1
route inside 192.168.155.0 255.255.255.0 192.168.210.1 1
route inside 192.168.214.0 255.255.255.0 192.168.210.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.210.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DMZ_map interface DMZ
crypto isakmp enable outside
crypto isakmp enable DMZ
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc enable
group-policy DMZAccess internal
group-policy DMZAccess attributes
 dns-server value 10.10.10.11 10.10.10.22
 vpn-tunnel-protocol IPSec svc
 default-domain value arisglobal.com
username syn-client4 password dIb97qfm6shciivc encrypted privilege 0
username syn-client4 attributes
 vpn-group-policy DMZAccess
username syn-client5 password dIb97qfm6shciivc encrypted privilege 0
username syn-client5 attributes
 vpn-group-policy DMZAccess
username syn-client2 password dIb97qfm6shciivc encrypted privilege 0
username syn-client2 attributes
 vpn-group-policy DMZAccess
username syn-client3 password dIb97qfm6shciivc encrypted privilege 0
username syn-client3 attributes
 vpn-group-policy DMZAccess
username syn-client1 password dIb97qfm6shciivc encrypted privilege 0
username syn-client1 attributes
 vpn-group-policy DMZAccess
tunnel-group DMZAccess type remote-access
tunnel-group DMZAccess general-attributes
 address-pool VPNPool
 default-group-policy DMZAccess
tunnel-group DMZAccess ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ftp
  inspect ipsec-pass-thru
  inspect http
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8f3163507733aa9b96ac451b006
: end
ciscodemo#

***********************************************************************************************

Here is my L3:

Building configuration...

Current configuration : 3576 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname arouter
!
enable secret 5 $1$.R0k$6P0VyPHU1HNP1xUfw/
enable password
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.202.1 255.255.255.0
!
interface Vlan4
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan5
 ip address 192.168.210.1 255.255.255.0
!
router rip
 version 2
 redistribute static metric 1
 network 10.0.0.0
 network 192.168.200.0
 network 192.168.202.0
 network 192.168.210.0
 no auto-summary
!
ip classless
ip route 192.168.3.0 255.255.255.0 192.168.200.254
ip route 192.168.5.0 255.255.255.0 192.168.200.254
ip route 192.168.98.0 255.255.255.0 192.168.200.254
ip route 192.168.102.0 255.255.255.0 192.168.200.254
ip route 192.168.103.0 255.255.255.0 192.168.200.254
ip route 192.168.104.0 255.255.255.0 192.168.200.254
ip route 192.168.105.0 255.255.255.0 192.168.200.254
ip route 192.168.110.0 255.255.255.0 192.168.200.254
ip route 192.168.111.0 255.255.255.0 192.168.200.254
ip route 192.168.112.0 255.255.255.0 192.168.200.254
ip route 192.168.113.0 255.255.255.0 192.168.200.254
ip route 192.168.150.0 255.255.255.0 192.168.200.254
ip route 192.168.151.0 255.255.255.0 192.168.200.254
ip route 192.168.154.0 255.255.255.0 192.168.200.254
ip route 192.168.155.0 255.255.255.0 192.168.200.254
ip route 192.168.214.0 255.255.255.0 192.168.200.254
ip route 192.168.220.0 255.255.255.0 192.168.210.222
ip http server
!
snmp-server community public RO
!
control-plane
!
!
line con 0
line vty 0 4
 password
 login
line vty 5 15
 password
 login
!
end

John

On the L3 switch you have -

ip route 192.168.220.0 255.255.255.0 192.168.210.222

you shouldn't need this as the ASA should be advertising this.

That shouldn't be the problem though. Can you -

1) confirm what port the firewall is connected into on the L3 switch

2) post "sh ip route" from the L3 switch and "sh route" from the ASA.

Jon

Hi Jon,

I deleted that route, thanks for spotting it.

1. ASA connected to port 0/4 on L3

2.

arouter#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.210.0/24 is directly connected, Vlan5
R    192.168.220.0/24 [120/1] via 192.168.210.222, 00:00:13, Vlan5

John

Okay so the L3 switch "sh ip route" is showing the DMZ subnet being learned via RIP.

What about the ASA ?

Jon

Hi Jon,

ciscodemo(config)# show rip database
192.168.210.0 255.255.255.0    auto-summary
192.168.210.0 255.255.255.0    directly connected, Ethernet0/2
192.168.220.0 255.255.255.0    auto-summary
192.168.220.0 255.255.255.0    directly connected, Ethernet0/1

ciscodemo(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 173.xx.xxx.65 to network 0.0.0.0

S    192.168.104.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.151.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.105.0 255.255.255.0 [1/0] via 192.168.210.1, inside
C    192.168.210.0 255.255.255.0 is directly connected, inside
S    192.168.210.100 255.255.255.255 [1/0] via 173.xxx.xx.65, outside
S    192.168.150.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.110.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.111.0 255.255.255.0 [1/0] via 192.168.210.1, inside
C    173.xx.xx.64 255.255.255.224 is directly connected, outside
S    192.168.214.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.98.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.5.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.113.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.112.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.102.0 255.255.255.0 [1/0] via 192.168.210.1, inside
C    192.168.220.0 255.255.255.0 is directly connected, DMZ
S    192.168.103.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.155.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.154.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.3.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 173.xx.xxx.65, outside
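The two route tables posted in this thread have different layouts (IOS prints `network/len`, the ASA prints `network mask`), and reading them by eye is how the static-versus-RIP confusion arose. The following is an added example, not code from the thread or from Cisco: a small parser that handles both layouts and answers the two questions Jon asks, which prefixes are actually RIP-learned (code R), and which ASA static routes point at the RIP neighbour 192.168.210.1 with administrative distance 1 and so would always win over a RIP route (AD 120) for the same prefix. That second list is what Jon's accepted advice tests by removing one static and watching for the R route. The sample output is constructed from the paste above, shortened, with an RFC 5737 placeholder for the redacted outside next hop.

```python
"""Parse IOS 'show ip route' and ASA 'show route' output and check RIP vs static.

Added example (not the poster's or Cisco's code). Sample output is constructed
from the thread's paste; 203.0.113.x stands in for the redacted outside addresses.
"""
import ipaddress
import re
from collections import Counter
from typing import NamedTuple, Optional

RIP_AD = 120  # default administrative distance of RIP on IOS and ASA; statics default to 1

# One regex covers both layouts: IOS "net/len" and ASA "net mask". Learned routes carry
# "[AD/metric] via next-hop"; connected routes say "is directly connected". The egress
# interface is always the last comma-separated field.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?|\*)\s+"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:/(?P<plen>\d{1,2})|\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
    r"|is directly connected)"
    r".*,\s*(?P<iface>\S+)\s*$"
)


class Route(NamedTuple):
    code: str
    prefix: str
    ad: Optional[int]
    metric: Optional[int]
    next_hop: Optional[str]
    iface: str


def parse_route_table(text: str) -> list:
    """Return one Route per route line; the legend and 'Gateway of last resort' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        mask = m.group("plen") or m.group("mask")   # ipaddress accepts "/24" or "/255.255.255.0"
        net = ipaddress.ip_network(f"{m.group('net')}/{mask}", strict=False)
        routes.append(Route(code=m.group("code"), prefix=str(net),
                            ad=int(m.group("ad")) if m.group("ad") else None,
                            metric=int(m.group("metric")) if m.group("metric") else None,
                            next_hop=m.group("nh"), iface=m.group("iface")))
    return routes


def routes_by_code(routes) -> dict:
    """Count routes per source code (C, S, R, S*, ...)."""
    return dict(Counter(r.code for r in routes))


def rip_learned(routes) -> list:
    """Prefixes the device actually installed from RIP."""
    return sorted(r.prefix for r in routes if r.code == "R")


def statics_shadowing_rip(routes, rip_neighbour: str) -> list:
    """Static routes via the RIP neighbour with a better (lower) AD than RIP.
    While one of these is present, a RIP route for the same prefix can never show up."""
    return sorted(r.prefix for r in routes
                  if r.code.startswith("S") and r.next_hop == rip_neighbour
                  and r.ad is not None and r.ad < RIP_AD)


# Constructed samples based on the thread's output (shortened; outside addresses are placeholders).
L3_SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

Gateway of last resort is not set

C    192.168.210.0/24 is directly connected, Vlan5
R    192.168.220.0/24 [120/1] via 192.168.210.222, 00:00:13, Vlan5
"""

ASA_SHOW_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is 203.0.113.65 to network 0.0.0.0

S    192.168.104.0 255.255.255.0 [1/0] via 192.168.210.1, inside
S    192.168.151.0 255.255.255.0 [1/0] via 192.168.210.1, inside
C    192.168.210.0 255.255.255.0 is directly connected, inside
S    192.168.210.100 255.255.255.255 [1/0] via 203.0.113.65, outside
C    203.0.113.64 255.255.255.224 is directly connected, outside
S    192.168.214.0 255.255.255.0 [1/0] via 192.168.210.1, inside
C    192.168.220.0 255.255.255.0 is directly connected, DMZ
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.65, outside
"""

L3_ROUTES = parse_route_table(L3_SHOW_IP_ROUTE)
ASA_ROUTES = parse_route_table(ASA_SHOW_ROUTE)

if __name__ == "__main__":
    print("L3 RIP-learned:", rip_learned(L3_ROUTES))
    print("ASA by code:", routes_by_code(ASA_ROUTES))
    print("ASA RIP-learned:", rip_learned(ASA_ROUTES))
    print("ASA statics hiding RIP via 192.168.210.1:", statics_shadowing_rip(ASA_ROUTES, "192.168.210.1"))
```

On the constructed input the L3 table shows one R route (192.168.220.0/24 from the ASA) while the ASA table shows none, and every inside static pointing at 192.168.210.1 is listed as a route that would mask a RIP-learned equivalent, which is the reason `show route` on the ASA cannot show RIP routes for those prefixes until the statics are removed.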