cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
1220
Views
0
Helpful
3
Replies
johnsmunoz
Beginner

ASA not advertising OSPF routes to neighbor

I have an ASA that is solely being used to attach to AZURE's VPN

If i attach to the inside network and use 10.0.0.13 as the gateway i can get onto the vpn network.  I'm trying to add this to our core network but the OSPF routes are not being showing up in the ospf database.  Not sure what I'm missing to get the ASA's routes to be advertised.  

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.156.x.1 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.13 255.255.255.252
ospf cost 10

object-group network AZURE-NET
description Azure Virtual Network
network-object 10.39.0.0 255.255.0.0
object-group network ONPREM-NET
description OnPrem Network
network-object 10.0.0.12 255.255.255.252
access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-NET object-group AZURE-NET

nat (inside,outside) source static ONPREM-NET ONPREM-NET destination static AZURE-NET AZURE-NET

router ospf 1000
router-id 10.0.0.13
network 10.0.0.12 255.255.255.252 area 0
network 10.39.0.0 255.255.0.0 area 0
area 0 range 10.0.0.12 255.255.255.252
area 0 range 10.39.0.0 255.255.0.0
log-adj-changes

From the ASA:

show ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface

10.10.0.1         1   FULL/DR         0:00:32     10.0.0.14       inside

From the neighbor router:

6301-CORESWX-1# show ip ospf neighbor 

 OSPF Neighbor Information

  Router ID       Pri IP Address      NbIfState State    QLen  Events Status

  --------------- --- --------------- --------- -------- ----- ------ ------

  10.10.0.2       128 10.0.0.1        DR        FULL     0     7      None  

  10.0.0.13       1   10.0.0.13       BDR       FULL     0     6      None  

 

ciscoasa# show ospf database

       OSPF Router with ID (10.0.0.13) (Process ID 1000)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count

10.0.0.13       10.0.0.13       325         0x80000042 0x5635 1

10.10.0.1       10.10.0.1       1020        0x80000205 0x8dbc 4

10.10.0.2       10.10.0.2       371         0x8000013a 0xa3eb 2

Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum

10.0.0.1        10.10.0.2       333         0x80000064 0x236a

10.0.0.14       10.10.0.1       541         0x80000046 0x 995

Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum

10.10.25.0      10.10.0.2       783         0x80000067 0x 191

10.10.26.0      10.10.0.2       2921        0x80000066 0xf79a

10.80.69.0      10.10.0.2       2771        0x80000066 0xd14f

10.227.114.0    10.10.0.2       2283        0x80000066 0xf8e6

12.156.x.2    10.10.0.2       2621        0x80000066 0x737c

172.32.0.0      10.10.0.2       72          0x80000067 0xc42f

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag

0.0.0.0         10.10.0.1       1682        0x800000a6 0xe5fc 0

10.10.0.1       10.10.0.1       1502        0x800001e4 0xe4b4 0

10.10.2.0       10.10.0.1       1502        0x800001e4 0xd8bf 0

10.255.96.0     10.10.0.1       1262        0x800001e4 0x202b 0

 

ciscoasa# show route

Gateway of last resort is 12.156.x.3 to network 0.0.0.0

O IA 172.32.0.0 255.255.254.0 [110/12] via 10.0.0.14, 2:57:28, inside

O E2 10.10.0.1 255.255.255.255 [110/10] via 10.0.0.14, 2:57:28, inside

O E2 10.10.2.0 255.255.255.0 [110/10] via 10.0.0.14, 2:57:28, inside

O    10.10.0.2 255.255.255.255 [110/11] via 10.0.0.14, 2:57:28, inside

C    10.0.0.12 255.255.255.252 is directly connected, inside

O    10.10.10.0 255.255.255.0 [110/11] via 10.0.0.14, 2:57:28, inside

O    10.0.0.0 255.255.255.252 [110/11] via 10.0.0.14, 2:57:28, inside

O    10.10.11.0 255.255.255.0 [110/11] via 10.0.0.14, 2:57:28, inside

O IA 10.10.25.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside

O IA 10.10.26.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside

O IA 10.80.69.0 255.255.255.0 [110/12] via 10.0.0.14, 2:57:28, inside

O E2 10.255.96.0 255.255.248.0 [110/10] via 10.0.0.14, 2:57:28, inside

O IA 10.227.114.0 255.255.255.128 [110/12] via 10.0.0.14, 2:57:28, inside

C    12.156.x.2 255.255.255.224 is directly connected, outside

S*   0.0.0.0 0.0.0.0 [1/0] via 12.156.39.33, outside

3 REPLIES 3
Jon Marshall
Hall of Fame Guru

So you mean there is no route for 10.39.0.0 255.255.0.0 being advertised to the internal network. Is that correct ? If so it is because there is no interface on the ASA with an IP from that range.

The network statement in OSPF does not tell it what networks to advertise, it tells it which interfaces to run OPSF on and then OSPF will advertise the subnet and subnet mask configured on the interface. You don't have this so it won't advertise that subnet.

There are a number of alternatives but can you confirm that the above is the issue.

Jon

Thanks Jon, 

That makes sense. 10.39.0.0 is the network on the other side of the VPN tunnel through the ASA.  Not a local network attached to an interface.  Would it still be possible to use OSPF to point traffic intended for that network?

It would and there are a few alternatives.

You could use a static route either on the core switch pointing to the ASA or on the ASA and redistribute into OSPF. If you put it on the core switch then you would need to track the route but as the firewall is only used for that VPN you may not feel it is worth it. If you add it to the ASA and redistribute you would want to use a filter to make sure only that static was redistributed.

However there is also something called Reverse Route Injection (RRI) on the ASA used for this very purpose which would allow you to advertise the VPN subnet into OSPF. However I have never used it and don't know if it has certain restrictions so can't say for sure it would work but it sounds like that would be the way to go if possible.

Sorry I can't be more specific but at least you should be able to get it working using one of the above suggestions.

Any more queries just let me know.

Jon