
Question for OSPF NSSA

tinhnho123 (Level 2)

Hi Guys,

 

I currently have a setup: Internet -- Router -- Firewall #1 -- Firewall #2 -- Layer 3 Core (please see attachment). Below is the configuration of the 'Router'.

 

Router:

interface GigabitEthernet0/0
 description to ISP
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 load-interval 30
 negotiation auto
end


interface GigabitEthernet0/1
 description to Firewall #1
 ip address 172.20.1.1 255.255.255.0
 negotiation auto
end

router ospf 1
 area 25 nssa default-information-originate metric-type 1
 redistribute static metric-type 1 subnets
 network 172.20.1.0 0.0.0.255 area 25
 distribute-list 50 in
!


ip nat inside source list 40 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.1.1

access-list 40 permit 172.22.10.0 0.0.0.255
access-list 50 deny   any

 

I have a few questions about these commands:

     area 25 nssa default-information-originate metric-type 1
     redistribute static metric-type 1 subnets
     ip nat inside source list 40 interface GigabitEthernet0/0 overload

What exactly are they doing in the configuration above, and why do I need them?

 

Thanks.

2 Replies

m.kafka (Level 4)

I am missing a statement "ip nat inside" on one of the interfaces (possibly on Gi0/1).

 

About your questions:

     area 25 nssa default-information-originate metric-type 1
     redistribute static metric-type 1 subnets

I can assume from the configuration that the firewall is the ABR and the only purpose of the router is to inject a default route into OSPF. For this purpose the area 25 nssa default-information-originate will generate an external type 1 LSA for 0.0.0.0/0 if the router has an active default route in the routing table. (The redistribute static shouldn't be necessary.)

     ip nat inside source list 40 interface GigabitEthernet0/0 overload

If there were an ip nat inside command somewhere, this command would Port-Address-Translate all communication from the internal network 172.22.10.0/24 to the address of the Gi0/0 interface. I can only assume that this network is reachable through the firewall, but there is a static route missing for this network. Even if this network were announced via OSPF, the distribute-list 50 in statement would prevent it from entering the routing table.

 

I believe this configuration needs a thorough check and maybe one repair or another...

 

Best regards, MiKa
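As an added example (my own, not from the thread), a small Python audit that reads the router configuration from the question, embedded here as a constructed sample, and flags the three problems MiKa describes: no interface carries `ip nat inside`, the NAT inside network 172.22.10.0/24 is neither connected nor covered by a specific static route, and `distribute-list 50 in` denies every route learned via OSPF; it also checks that a default route exists for `area 25 nssa default-information-originate` to act on (the config-level stand-in for "active default route in the routing table"). ACL wildcard masks are parsed as hostmasks by Python's `ipaddress` module.

```python
import ipaddress
import re

# Constructed sample: the 'Router' configuration from the question, reduced to the lines the audit reads.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
 ip address 172.20.1.1 255.255.255.0
router ospf 1
 area 25 nssa default-information-originate metric-type 1
 distribute-list 50 in
ip nat inside source list 40 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
access-list 40 permit 172.22.10.0 0.0.0.255
access-list 50 deny   any
"""

def audit(config):  # returns a list of findings for the NAT and NSSA issues raised in the thread
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    connected = [ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
                 for m in (re.match(r"ip address (\S+) (\S+)", l) for l in lines) if m]
    statics = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
               for m in (re.match(r"ip route (\S+) (\S+) ", l) for l in lines) if m]
    acl, nat_acl, findings = {}, None, []  # acl: number -> [(action, network or None for 'any')]
    for l in lines:
        if m := re.match(r"access-list (\d+) (permit|deny)\s+(\S+)(?: (\S+))?", l):
            net = None if m[3] == "any" else ipaddress.ip_network(f"{m[3]}/{m[4] or 32}", strict=False)
            acl.setdefault(m[1], []).append((m[2], net))
        if m := re.match(r"ip nat inside source list (\d+)", l):
            nat_acl = m[1]
    # 1. Overload NAT needs an 'ip nat inside' interface to pair with the 'ip nat outside' one.
    if nat_acl and "ip nat inside" not in lines:
        findings.append("NAT: 'ip nat inside source list' is configured but no interface has 'ip nat inside'")
    # 2. Each inside network must be connected or covered by a specific (non-default) static route.
    for action, net in acl.get(nat_acl, []):
        if action == "permit" and not any(net.subnet_of(r) for r in connected + statics if r.prefixlen):
            findings.append(f"NAT: inside network {net} has no connected subnet or specific static route")
    # 3. 'distribute-list N in' whose ACL only denies drops every route learned via OSPF.
    for l in lines:
        if (m := re.match(r"distribute-list (\d+) in", l)) and acl.get(m[1]) and all(a == "deny" for a, _ in acl[m[1]]):
            findings.append(f"OSPF: distribute-list {m[1]} in denies every route learned via OSPF")
    # 4. The NSSA Type 7 default is only generated while a default route is in the RIB; the static default here satisfies that.
    if any("nssa default-information-originate" in l for l in lines) and not any(r.prefixlen == 0 for r in statics):
        findings.append("OSPF: nssa default-information-originate is configured without a default route")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ROUTER_CONFIG)))
```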

Hello

Maybe previously this router only required a default route to gain access to all routes within the OSPF domain it's attached to, and as such it didn't need a large routing table to query to gain outside access. Then an OSPF stub area would be a good choice to use.

Now let's say that, due to necessity, this router is now attaching to an external network and it needs to advertise this external network back into the OSPF domain, but the stub area it's in will not allow this to happen.

However, to keep the same characteristics of a stub area but be able to advertise external networks, the router has become an NSSA (not-so-stubby area) and an OSPF ASBR (autonomous system boundary router, a router that links an OSPF network to an external network other than OSPF).

So as you can see it's in NSSA 25, and it's redistributing its static routes to the external network into OSPF and performing Network Address Translation.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul