Solved: Port-channel L3 between Cat9300 L3 and Cisco Firewall ASA 5506

Hannibal · ‎12-12-2021

Hi Community, the best of the internet !!

I would like to check with the community if you have had the experience of configuring a Port-channel level 3 between a Catalyst 9300 Switch and an ASA 5506 Firewall, and at the same time sharing OSPF routing information through that Port-channel.

Is it possible to establish a point-to-point OSPF link between the catalyst 9300 switch and the ASA Firewall through a port-channel? I don't see the command "ip ospf network point-to-point" in the configuration menu within the port-channel of the ASA firewall.

I have enabled OSPF on both devices because I want to advertise, through the port-channel, two subnets that are behind the ASA firewall (directly connected), and at the same time to pass traffic from a third network that is not directly connected to the ASA, which means that the ASA will serve as the transit of this third network in such a way that this network can communicate with the networks connected to the Catayst 9300.

The Port-channel config as follow:

(Catalyst 9300)

interface Port-channel1
description LINK TO ASA_Transit
no switchport
dampening
ip address 192.168.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf network point-to-point
ip ospf hello-interval 5
ip ospf 10 area 10
logging event link-status
carrier-delay msec 0

(ASA5506):

interface Port-channel1

nameif inside

security-level 0

ip address 192.168.1.2 255.255.255.255

As you can see, there are very few port-channel commands to configure on the ASA firewall.

I would be very grateful if someone shares their experience or knows how to detect the problem that exists in the configuration, or simply that I have not had any command configured, etc.

I have many doubts with this configuration and especially with the command "ip ospf network point-to-point" on the Catalyst side.

Thank you in advance and hoping that this community has gone through this experience ...

Regards

Hann

Hannibal · ‎12-16-2021

Hi Deepak

Thank you, yesterday we installed and the port-channel start working fine. I will vote and accept your solution.

Now we have to fight to try to make that the users behind one of the firewall interfaces can obtain their configuration from a remote DHCP, located three router hops from other of the firewall interfaces. So far we're losing the battle ..

Thank you again ...

Hann

View solution in original post

Hannibal · ‎12-16-2021

Thank georg

You´re right

Regards

Hann

View solution in original post

Deepak Kumar · ‎12-12-2021

Hi,

What is a version of Cisco ASA? As I know Cisco ASA commands are a little different from Cisco Switch or router as "ospf network point-to-point " might work for you.

Here is a document for you

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/route-ospf.html

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hannibal · ‎12-12-2021

Hi Deepak

Thank you for your answer.

The ASA Version is 9.8(2)20

Thank you in advance

Deepak Kumar · ‎12-12-2021

Try with the above command and it might work for you.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hannibal · ‎12-16-2021

Hi Deepak

Thank you, yesterday we installed and the port-channel start working fine. I will vote and accept your solution.

Now we have to fight to try to make that the users behind one of the firewall interfaces can obtain their configuration from a remote DHCP, located three router hops from other of the firewall interfaces. So far we're losing the battle ..

Thank you again ...

Hann

Georg Pauwen · ‎12-12-2021

Hello,

as far as I recall, port channel subinterfaces offer more options:

interface Port-channel1.10

nameif inside

security-level 0

ip address 192.168.1.2 255.255.255.255

--> ip ospf neytwork

Hannibal · ‎12-16-2021

Thank georg

You´re right

Regards

Hann