03-24-2017 10:14 AM - edited 03-08-2019 09:54 AM
I have an ASA that is solely being used to attach to AZURE's VPN
If I attach to the inside network and use 10.0.0.13 as the gateway I can get onto the VPN network. I'm trying to add this to our core network but the OSPF routes are not showing up in the OSPF database. Not sure what I'm missing to get the ASA's routes to be advertised.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.156.x.1 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.13 255.255.255.252
ospf cost 10
object-group network AZURE-NET
description Azure Virtual Network
network-object 10.39.0.0 255.255.0.0
object-group network ONPREM-NET
description OnPrem Network
network-object 10.0.0.12 255.255.255.252
access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-NET object-group AZURE-NET
nat (inside,outside) source static ONPREM-NET ONPREM-NET destination static AZURE-NET AZURE-NET
router ospf 1000
router-id 10.0.0.13
network 10.0.0.12 255.255.255.252 area 0
network 10.39.0.0 255.255.0.0 area 0
area 0 range 10.0.0.12 255.255.255.252
area 0 range 10.39.0.0 255.255.0.0
log-adj-changes
From the ASA:
show ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.10.0.1 1 FULL/DR 0:00:32 10.0.0.14 inside
From the neighbor router:
6301-CORESWX-1# show ip ospf neighbor
OSPF Neighbor Information
Router ID Pri IP Address NbIfState State QLen Events Status
--------------- --- --------------- --------- -------- ----- ------ ------
10.10.0.2 128 10.0.0.1 DR FULL 0 7 None
10.0.0.13 1 10.0.0.13 BDR FULL 0 6 None
ciscoasa# show ospf database
OSPF Router with ID (10.0.0.13) (Process ID 1000)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.13 10.0.0.13 325 0x80000042 0x5635 1
10.10.0.1 10.10.0.1 1020 0x80000205 0x8dbc 4
10.10.0.2 10.10.0.2 371 0x8000013a 0xa3eb 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.0.0.1 10.10.0.2 333 0x80000064 0x236a
10.0.0.14 10.10.0.1 541 0x80000046 0x 995
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.10.25.0 10.10.0.2 783 0x80000067 0x 191
10.10.26.0 10.10.0.2 2921 0x80000066 0xf79a
10.80.69.0 10.10.0.2 2771 0x80000066 0xd14f
10.227.114.0 10.10.0.2 2283 0x80000066 0xf8e6
12.156.x.2 10.10.0.2 2621 0x80000066 0x737c
172.32.0.0 10.10.0.2 72 0x80000067 0xc42f
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 10.10.0.1 1682 0x800000a6 0xe5fc 0
10.10.0.1 10.10.0.1 1502 0x800001e4 0xe4b4 0
10.10.2.0 10.10.0.1 1502 0x800001e4 0xd8bf 0
10.255.96.0 10.10.0.1 1262 0x800001e4 0x202b 0
ciscoasa# show route
Gateway of last resort is 12.156.x.3 to network 0.0.0.0
O IA 172.32.0.0 255.255.254.0 [110/12] via 10.0.0.14, 2:57:28, inside
O E2 10.10.0.1 255.255.255.255 [110/10] via 10.0.0.14, 2:57:28, inside
O E2 10.10.2.0 255.255.255.0 [110/10] via 10.0.0.14, 2:57:28, inside
O 10.10.0.2 255.255.255.255 [110/11] via 10.0.0.14, 2:57:28, inside
C 10.0.0.12 255.255.255.252 is directly connected, inside
O 10.10.10.0 255.255.255.0 [110/11] via 10.0.0.14, 2:57:28, inside
O 10.0.0.0 255.255.255.252 [110/11] via 10.0.0.14, 2:57:28, inside
O 10.10.11.0 255.255.255.0 [110/11] via 10.0.0.14, 2:57:28, inside
O IA 10.10.25.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside
O IA 10.10.26.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside
O IA 10.80.69.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside
O E2 10.255.96.0 255.255.248.0 [110/10] via 10.0.0.14, 2:57:28, inside
O IA 10.227.114.0 255.255.255.128 [110/12] via 10.0.0.14, 2:57:28, inside
C 12.156.x.2 255.255.255.224 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 12.156.39.33, outside
03-24-2017 12:55 PM
So you mean there is no route for 10.39.0.0 255.255.0.0 being advertised to the internal network. Is that correct? If so it is because there is no interface on the ASA with an IP from that range.
The network statement in OSPF does not tell it what networks to advertise, it tells it which interfaces to run OSPF on and then OSPF will advertise the subnet and subnet mask configured on the interface. You don't have this so it won't advertise that subnet.
There are a number of alternatives but can you confirm that the above is the issue.
Jon
03-24-2017 02:42 PM
Thanks Jon,
That makes sense. 10.39.0.0 is the network on the other side of the VPN tunnel through the ASA. Not a local network attached to an interface. Would it still be possible to use OSPF to point traffic intended for that network?
03-24-2017 03:03 PM
It would and there are a few alternatives.
You could use a static route either on the core switch pointing to the ASA or on the ASA and redistribute into OSPF. If you put it on the core switch then you would need to track the route but as the firewall is only used for that VPN you may not feel it is worth it. If you add it to the ASA and redistribute you would want to use a filter to make sure only that static was redistributed.
However there is also something called Reverse Route Injection (RRI) on the ASA used for this very purpose which would allow you to advertise the VPN subnet into OSPF. However I have never used it and don't know if it has certain restrictions so can't say for sure it would work but it sounds like that would be the way to go if possible.
Sorry I can't be more specific but at least you should be able to get it working using one of the above suggestions.
Any more queries just let me know.
Jon
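An added example, not configuration from the original thread, of the static-route-plus-filtered-redistribution option Jon describes, written for the ASA in this thread; the prefix-list, route-map and crypto map names and the outside next hop are assumptions:

```text
! Added example (not from the original thread): advertise the Azure VPN
! subnet into OSPF from the ASA with a static route that is redistributed
! through a filter. The outside next hop is assumed to be the existing
! default gateway shown in "show route"; replace it with your own.
!
! 1. Static route for the remote VPN subnet toward the outside interface.
!    (With RRI, "set reverse-route" on the crypto map entry generates an
!    equivalent static route automatically; crypto map name/seq assumed.)
route outside 10.39.0.0 255.255.0.0 12.156.x.3
! crypto map AZURE-MAP 10 set reverse-route
!
! 2. Filter so that only the Azure prefix is redistributed, not every
!    static route (in particular not the 0.0.0.0/0 default).
prefix-list AZURE-ONLY seq 10 permit 10.39.0.0/16
route-map REDIST-AZURE permit 10
 match ip address prefix-list AZURE-ONLY
!
! 3. Redistribute matching statics as OSPF external (type-2) routes.
!    The "network 10.39.0.0 ..." and "area 0 range 10.39.0.0 ..." lines
!    in the original config do nothing here and can be removed.
router ospf 1000
 redistribute static metric-type type-2 subnets route-map REDIST-AZURE
```

Afterwards 10.39.0.0/16 should appear as an O E2 route on the core switch and as a Type-5 entry in the ASA's show ospf database. Note that AZURE-VPN-ACL and the twice NAT in the original config only cover 10.0.0.12/30, so any other core subnets that need to reach Azure also have to be added to ONPREM-NET.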