ASA not advertising OSPF routes to neighbor

johnsmunoz
Level 1

I have an ASA that is solely being used to attach to Azure's VPN.

If I attach to the inside network and use 10.0.0.13 as the gateway, I can get onto the VPN network. I'm trying to add this to our core network, but the OSPF routes are not showing up in the OSPF database. Not sure what I'm missing to get the ASA's routes advertised.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.156.x.1 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.13 255.255.255.252
ospf cost 10

object-group network AZURE-NET
description Azure Virtual Network
network-object 10.39.0.0 255.255.0.0
object-group network ONPREM-NET
description OnPrem Network
network-object 10.0.0.12 255.255.255.252
access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-NET object-group AZURE-NET

nat (inside,outside) source static ONPREM-NET ONPREM-NET destination static AZURE-NET AZURE-NET

router ospf 1000
router-id 10.0.0.13
network 10.0.0.12 255.255.255.252 area 0
network 10.39.0.0 255.255.0.0 area 0
area 0 range 10.0.0.12 255.255.255.252
area 0 range 10.39.0.0 255.255.0.0
log-adj-changes

From the ASA:

show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.0.1         1   FULL/DR         0:00:32     10.0.0.14       inside

From the neighbor router:

6301-CORESWX-1# show ip ospf neighbor

 OSPF Neighbor Information

  Router ID       Pri IP Address      NbIfState State    QLen  Events Status
  --------------- --- --------------- --------- -------- ----- ------ ------
  10.10.0.2       128 10.0.0.1        DR        FULL     0     7      None
  10.0.0.13       1   10.0.0.13       BDR       FULL     0     6      None

ciscoasa# show ospf database

       OSPF Router with ID (10.0.0.13) (Process ID 1000)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.0.13       10.0.0.13       325         0x80000042 0x5635 1
10.10.0.1       10.10.0.1       1020        0x80000205 0x8dbc 4
10.10.0.2       10.10.0.2       371         0x8000013a 0xa3eb 2

Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.1        10.10.0.2       333         0x80000064 0x236a
10.0.0.14       10.10.0.1       541         0x80000046 0x 995

Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.10.25.0      10.10.0.2       783         0x80000067 0x 191
10.10.26.0      10.10.0.2       2921        0x80000066 0xf79a
10.80.69.0      10.10.0.2       2771        0x80000066 0xd14f
10.227.114.0    10.10.0.2       2283        0x80000066 0xf8e6
12.156.x.2      10.10.0.2       2621        0x80000066 0x737c
172.32.0.0      10.10.0.2       72          0x80000067 0xc42f

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         10.10.0.1       1682        0x800000a6 0xe5fc 0
10.10.0.1       10.10.0.1       1502        0x800001e4 0xe4b4 0
10.10.2.0       10.10.0.1       1502        0x800001e4 0xd8bf 0
10.255.96.0     10.10.0.1       1262        0x800001e4 0x202b 0

ciscoasa# show route

Gateway of last resort is 12.156.x.3 to network 0.0.0.0

O IA 172.32.0.0 255.255.254.0 [110/12] via 10.0.0.14, 2:57:28, inside
O E2 10.10.0.1 255.255.255.255 [110/10] via 10.0.0.14, 2:57:28, inside
O E2 10.10.2.0 255.255.255.0 [110/10] via 10.0.0.14, 2:57:28, inside
O    10.10.0.2 255.255.255.255 [110/11] via 10.0.0.14, 2:57:28, inside
C    10.0.0.12 255.255.255.252 is directly connected, inside
O    10.10.10.0 255.255.255.0 [110/11] via 10.0.0.14, 2:57:28, inside
O    10.0.0.0 255.255.255.252 [110/11] via 10.0.0.14, 2:57:28, inside
O    10.10.11.0 255.255.255.0 [110/11] via 10.0.0.14, 2:57:28, inside
O IA 10.10.25.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside
O IA 10.10.26.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside
O IA 10.80.69.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside
O E2 10.255.96.0 255.255.248.0 [110/10] via 10.0.0.14, 2:57:28, inside
O IA 10.227.114.0 255.255.255.128 [110/12] via 10.0.0.14, 2:57:28, inside
C    12.156.x.2 255.255.255.224 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 12.156.39.33, outside

3 Replies

Jon Marshall
Hall of Fame

So you mean there is no route for 10.39.0.0 255.255.0.0 being advertised to the internal network. Is that correct ? If so it is because there is no interface on the ASA with an IP from that range.

The network statement in OSPF does not tell it what networks to advertise; it tells it which interfaces to run OSPF on, and then OSPF will advertise the subnet and subnet mask configured on the interface. You don't have this, so it won't advertise that subnet.

There are a number of alternatives but can you confirm that the above is the issue.

Jon

Thanks Jon, 

That makes sense. 10.39.0.0 is the network on the other side of the VPN tunnel through the ASA.  Not a local network attached to an interface.  Would it still be possible to use OSPF to point traffic intended for that network?

It would and there are a few alternatives.

You could use a static route either on the core switch pointing to the ASA or on the ASA and redistribute into OSPF. If you put it on the core switch then you would need to track the route but as the firewall is only used for that VPN you may not feel it is worth it. If you add it to the ASA and redistribute you would want to use a filter to make sure only that static was redistributed.

However there is also something called Reverse Route Injection (RRI) on the ASA used for this very purpose which would allow you to advertise the VPN subnet into OSPF. However I have never used it and don't know if it has certain restrictions so can't say for sure it would work but it sounds like that would be the way to go if possible.

Sorry I can't be more specific but at least you should be able to get it working using one of the above suggestions.

Any more queries just let me know.

Jon
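The two ASA-side options from the reply above (a filtered static route redistributed into OSPF, and Reverse Route Injection feeding that same redistribution), written out as an added configuration example. This is not configuration from the original thread. It assumes the crypto map carrying the Azure tunnel is named AZURE-MAP with sequence number 10, and the prefix-list and route-map names are hypothetical; 12.156.x.3 is the outside default gateway exactly as the page shows it, with its redacted octet left as-is.

```text
! --- Option A: static route on the ASA, redistributed into OSPF ---
! Static route for the remote VPN network. The next hop is the outside
! default gateway from "show route" (redacted octet kept as on the page).
route outside 10.39.0.0 255.255.0.0 12.156.x.3

! Filter so that ONLY the Azure prefix is redistributed, never any other
! static route on the box. Names below are hypothetical.
prefix-list AZURE-ONLY seq 10 permit 10.39.0.0/16
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list AZURE-ONLY

router ospf 1000
 ! A network statement only selects interfaces; 10.39.0.0/16 is not on any
 ! interface, so this line does nothing. The matching "area 0 range" only
 ! has an effect on an ABR, so it can go as well.
 no network 10.39.0.0 255.255.0.0 area 0
 no area 0 range 10.39.0.0 255.255.0.0
 ! Redistributed routes show up on the core as O E2 (Type-5 LSA).
 redistribute static subnets route-map STATIC-TO-OSPF

! --- Option B: Reverse Route Injection instead of the hand-written static ---
! Use this in place of the "route outside 10.39.0.0 ..." line above. RRI
! installs a static route for the remote proxy identity (the destination
! side of AZURE-VPN-ACL). Because it arrives as a static route, the
! redistribute/route-map pair from Option A advertises it unchanged.
! Crypto map name and sequence number are assumptions.
crypto map AZURE-MAP 10 set reverse-route

! --- Verification ---
! On the ASA: the static must exist before OSPF can redistribute it.
show route static
! On the ASA: expect a Type-5 LSA with Link ID 10.39.0.0, ADV Router 10.0.0.13.
show ospf database external
```

One caveat that follows from the configuration posted in the question rather than from either reply: ONPREM-NET only contains the transit link 10.0.0.12/30, so AZURE-VPN-ACL and the NAT exemption only match traffic sourced from that /30. Once the core learns 10.39.0.0/16 via OSPF, hosts behind the core will be routed to the ASA but will not match the crypto ACL; ONPREM-NET (and the address space configured on the Azure side for this on-premises site) has to include the real internal prefixes, not just the P2P link.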
