I'm having an issue doing VRF route leaking on a 3750. I'm only getting one-way redistribution. The following configuration is a snippet of what should be required for it to work.
ip vrf EDGE
 rd 65000:10
 route-target export 65000:1
 route-target import 65000:2
!
ip vrf WEB
 rd 65000:20
 route-target export 65000:2
 route-target import 65000:1
!
router eigrp datacenter
 !
 address-family ipv4 unicast vrf EDGE autonomous-system 1
  !
  topology base
   redistribute bgp 65000 metric 1000000 1 255 1 1500
 exit-address-family
 !
 address-family ipv4 unicast vrf WEB autonomous-system 2
  !
  topology base
   redistribute bgp 65000 metric 1000000 1 255 1 1500
 exit-address-family
!
router bgp 65000
 !
 address-family ipv4 vrf WEB
  no synchronization
  network 18.104.22.168 mask 255.252.0.0
 exit-address-family
 !
 address-family ipv4 vrf EDGE
  redistribute eigrp 1 metric 100
 exit-address-family
In VRF EDGE I get the 22.214.171.124 route from WEB, which works as intended. In VRF WEB I am not getting any of the EIGRP routes from. Is there a platform limitation, or what am I missing?
The following snippet is from GNS3, where the redistribution is working both ways. Same configuration design.
ip vrf EDGE
 rd 65000:10
 route-target export 10:20
 route-target import 20:10
!
ip vrf WEB
 rd 65000:20
 route-target export 20:10
 route-target import 10:20
!
router eigrp datacenter
 !
 address-family ipv4 unicast vrf EDGE autonomous-system 1
  !
  topology base
   redistribute bgp 65000 metric 1000 10 255 1 1500
  exit-af-topology
  network 192.168.0.0 0.0.0.3
 exit-address-family
 !
 address-family ipv4 unicast vrf WEB autonomous-system 2
  !
  topology base
   redistribute bgp 65000 metric 1000 10 255 1 1500
  exit-af-topology
  network 192.168.1.0 0.0.0.3
 exit-address-family
!
router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf EDGE
  network 10.0.0.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf WEB
  network 10.1.0.0 mask 255.255.255.0
 exit-address-family
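For reference, here is the full mirror-image pattern for leaking EIGRP routes between two VRFs through BGP on a single IOS box. This is an added example, not a copy of either snippet in the post above and not a confirmed fix for it. Each VRF's EIGRP AS is redistributed into that VRF's BGP address family, each BGP VRF address family carries `bgp redistribute-internal` (IOS treats routes imported from another VRF as internal BGP routes and, on a number of releases, will not hand internal BGP routes to an IGP without it), and each VRF's EIGRP redistributes BGP back with a full metric. The show commands at the end are the checks that tell you at which stage a prefix stops: exported into VPNv4, imported into the other VRF's BGP table, installed in that VRF's RIB, redistributed into EIGRP. VRF names, RD/RT values and AS numbers are taken from the post; the metric values are assumed.

```cisco
! Added example of symmetric EIGRP <-> BGP route leaking between two VRFs on one IOS box.
! VRF names, RD/RT values and EIGRP AS numbers follow the post; metrics are assumed.
ip vrf EDGE
 rd 65000:10
 route-target export 65000:1
 route-target import 65000:2
!
ip vrf WEB
 rd 65000:20
 route-target export 65000:2
 route-target import 65000:1
!
router eigrp datacenter
 !
 address-family ipv4 unicast vrf EDGE autonomous-system 1
  !
  topology base
   redistribute bgp 65000 metric 1000000 1 255 1 1500
  exit-af-topology
 exit-address-family
 !
 address-family ipv4 unicast vrf WEB autonomous-system 2
  !
  topology base
   redistribute bgp 65000 metric 1000000 1 255 1 1500
  exit-af-topology
 exit-address-family
!
router bgp 65000
 !
 address-family ipv4 vrf EDGE
  bgp redistribute-internal
  redistribute eigrp 1 metric 100
 exit-address-family
 !
 address-family ipv4 vrf WEB
  bgp redistribute-internal
  redistribute eigrp 2 metric 100
 exit-address-family
!
! Where does a prefix stop? Check each stage in order, in both directions.
show ip bgp vpnv4 vrf EDGE        ! EIGRP 1 routes present in EDGE's BGP table with RT 65000:1?
show ip bgp vpnv4 vrf WEB         ! the same prefixes imported into WEB's BGP table?
show ip route vrf WEB bgp         ! installed in WEB's RIB?
show ip eigrp vrf WEB topology    ! picked up by EIGRP 2 as external routes?
```

The first two commands separate an export/import problem (route targets, RDs) from a redistribution problem; if the prefix is visible in `show ip bgp vpnv4 vrf WEB` but never reaches `show ip route vrf WEB bgp` or the EIGRP topology table, the issue is on the BGP-to-EIGRP side rather than in the VRF import.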
VRF definition gives the option for multiprotocol support within the same VRF, while IP VRF is single protocol.
Other than IOS/Device limitations, would there be a reason to not use vrf definition? Practically, ip vrf is a bit less configuration and it can always be converted to MP VRF, but is ip vrf supposed to be considered legacy?
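The same VRF written in both forms, as an added example rather than configuration from the post. The name, RD and route targets follow the first post; the interface, its addresses and the IPv6 address family are assumptions for illustration. The last command is the in-place conversion the post refers to.

```cisco
! Added example: one VRF in the legacy single-protocol form and in the multiprotocol form.
! Legacy form (IPv4 only):
ip vrf EDGE
 rd 65000:10
 route-target export 65000:1
 route-target import 65000:2
!
! Multiprotocol form: same VRF, route targets at VRF level apply to every
! address family; they may instead be set per address family when policies differ.
vrf definition EDGE
 rd 65000:10
 route-target export 65000:1
 route-target import 65000:2
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
! Interface syntax differs as well (ip vrf forwarding vs vrf forwarding).
! Changing the VRF binding on an interface clears its addresses, so they are re-entered.
! Interface and addresses below are assumed.
interface Vlan10
 vrf forwarding EDGE
 ip address 10.10.0.1 255.255.255.0
 ipv6 address 2001:db8:10::1/64
!
! Global configuration command that rewrites an existing ip vrf (and its interfaces)
! into vrf definition syntax without taking the VRF down:
vrf upgrade-cli multi-af-mode common-policies vrf EDGE
```

`common-policies` keeps the existing route targets and import/export maps at VRF level so they apply to all address families; `non-common-policies` places them under `address-family ipv4` only, which is the choice to make when IPv6 is going to get a different policy.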
I'm having an issue on a Cisco 2960 with not being able to move a device from one port to another within the MAC address timeout on a port. When using a laptop in something like a meeting room and afterwards moving to another place (within 5 min), the port will not authenticate. It works fine if I clear the port on the first connection or wait 5 minutes. I've been looking for configuration to terminate the port's 802.1X session when disconnecting the cable/device, which I thought it'd do anyway, but I've come up short.
There isn't any other device connected to the port like an IP phone.
interface range
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 5
 dot1x max-req 3
 dot1x max-reauth-req 10
And then the RADIUS server. Other than that, it's the most standard access configuration.
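An added example, not the poster's configuration, of an access port on a Catalyst 2960 together with the global knob and the checks that matter when the same MAC reappears on a second port while the switch still holds a session for it on the first. `authentication mac-move permit` is disabled by default on these switches; with it disabled, a MAC that is still known on one authenticated port is rejected on another. The interface name and the RADIUS-side settings are assumptions.

```cisco
! Added example (not the poster's running config). Interface name is assumed.
! Global: allow an authenticated MAC to show up on a different port; a new session
! is started there and the stale one on the old port is cleared. Disabled by default.
authentication mac-move permit
!
interface GigabitEthernet0/10
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
!
! Checks while reproducing the move: does the old port still hold a session and
! MAC entry after the cable is pulled, and what does the new port report?
show authentication sessions interface GigabitEthernet0/10 details
show mac address-table interface GigabitEthernet0/10
show dot1x interface GigabitEthernet0/10 details
!
! Manual teardown of whatever is left on the old port, and live view of the next attempt.
clear authentication sessions interface GigabitEthernet0/10
debug authentication all
```

Two timing notes for the values in the post: the time a client spends waiting for 802.1X before the port falls back to MAB is tx-period multiplied by (max-reauth-req + 1), so tx-period 5 with max-reauth-req 10 is 55 seconds before MAB is even tried; and a link-down event is what normally ends the session, so a port that still shows a session for an unplugged device in `show authentication sessions` is the first thing to verify before changing anything else.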
Okay, I get that and I see the logic.
I applied the rule, but it didn't change anything. I've attached a small topology for the setup. When I do ping 192.168.100.1 source vlan 250 from the switch (.10) I get this error. This is the ASA trying to answer the ping, but it's trying to send the response out the Server interface instead of ElevInside.
Jan 12 2008 Routing failed to locate next hop for icmp from Server:192.168.100.1/0 to Server:10.5.250.10/0
VPN users connect on the public IP 1x.2x.1.2x. They get a DHCP address in the ElevInside network. Yes, the ASA should know all the networks and there is, as far as I understand, built in functionality to allow traffic from a more secured (ElevInside) to a less secured (Server) by default. I know the configuration on here says security-level 100 on Server, but I have tried with a lower setting.
I have a problem and a question regarding the VPN/AnyConnect setup on an ASA 5505. I have excluded most of the configuration I figured wasn't related to this issue.
What works: VPN connection can be established and I can get an IP address from the DHCP scope. I can ping the gateways for my 2 internal networks from a switch after the ASA with the respective Vlans as source.
Problem: I can't ping around the network behind the ASA. From the client I can't ping the gateway of the VPN network and I can't ping the server network. From the switch I can't ping 126.96.36.199 and I can't ping between the 2 Vlans. The log when trying to ping:
Jan 07 2008 Failed to locate egress interface for ICMP from Outside:10.5.250.105/1 to 192.168.100.1/0
My questions: I'm not quite sure how the ASA acts in regards to the ACL. Do I need my second line in my Server and Inside ACL to allow access from the one network to another? Would it be smarter to create the server network on another DHCP device (router) and simply route it into the ASA? And of course, can anyone help getting the configuration to work?
Green is Outside. Red is Server/device area. Blue is VPN connection.
ASA Version 9.1(6)10
!
interface Ethernet0/3
 switchport trunk allowed vlan 192,250
 switchport mode trunk
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
interface Vlan1
 nameif Outside
 security-level 0
 ip address 1x.2x.1.2x 255.255.255.248
!
object network Outside_IP
 host 1x.2x.1.2x
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
interface Vlan192
 nameif Server
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
access-list Server_access_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list Server_access_in extended permit ip 10.5.250.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Server_access_in extended permit icmp any any
access-list Server_access_in extended deny ip any any
!
object network Server
 subnet 192.168.100.0 255.255.255.0
object network Server
 nat (Server,Outside) dynamic interface
!
interface Vlan250
 nameif ElevInside
 security-level 100
 ip address 10.5.250.1 255.255.255.0
!
access-list ElevInside_access_in extended permit ip 10.5.250.0 255.255.255.0 any
access-list ElevInside_access_in extended permit ip 192.168.100.0 255.255.255.0 10.5.250.0 255.255.255.0
access-list ElevInside_access_in extended permit icmp any any
access-list ElevInside_access_in extended deny ip any any
!
object network ElevInside
 subnet 10.5.250.0 255.255.255.0
object network ElevInside
 nat (ElevInside,Outside) dynamic interface
!
object-group network ElevObject
 network-object 10.5.250.0 255.255.255.0
!
access-list ElevSplit remark Elev250
access-list ElevSplit standard permit 10.5.250.0 255.255.255.0
access-list ElevSplit remark Server192
access-list ElevSplit standard permit 192.168.100.0 255.255.255.0
!
nat (ElevInside,Server) source static ElevInside ElevInside destination static Server Server no-proxy-arp
nat (Server,ElevInside) source static Server Server destination static ElevInside ElevInside no-proxy-arp
!
access-group ElevInside_access_in in interface ElevInside
access-group Server_access_in in interface Server
!
route Outside 0.0.0.0 0.0.0.0 1x.2x.1.2x 1
!
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
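Both log messages in this thread are egress-interface lookups failing. On ASA 8.3 and later, a manual (twice) NAT rule that matches a flow, in either direction, decides the flow's egress interface before the routing table is consulted, unless the rule carries `route-lookup`. For identity NAT between two inside interfaces, and especially when VPN clients are addressed out of one of those interfaces' own subnets (the ASA installs a per-client /32 route towards Outside that only the routing table knows about), that is usually the wrong answer. The following is an added example, not the poster's configuration and not a confirmed fix for it: it rewrites the two identity-NAT rules from the post with `route-lookup`, adds the matching exemption for VPN-client traffic that arrives on Outside (assuming, as the post states, that AnyConnect clients are addressed from 10.5.250.0/24, which the post's own `ElevObject` group already describes), makes one interface's own address reachable through the tunnel, and shows `packet-tracer` runs that report which interface and NAT rule the ASA picks for each flow. Interface names, objects and the VPN-client address are from the page; the server host 192.168.100.50 is assumed.

```cisco
! Added example (not the poster's running config).
! Identity NAT between the two inside interfaces, with route-lookup so the egress
! interface comes from the routing table (including the /32 routes the ASA installs
! for connected VPN clients) rather than from the rule's interface pair.
nat (ElevInside,Server) source static ElevInside ElevInside destination static Server Server no-proxy-arp route-lookup
nat (Server,ElevInside) source static Server Server destination static ElevInside ElevInside no-proxy-arp route-lookup
!
! NAT exemption for AnyConnect clients arriving on Outside. Assumption: clients are
! addressed out of 10.5.250.0/24 (the post's ElevObject group). Without this, the
! (Server,Outside) dynamic PAT object rule applies to server-to-client traffic.
nat (Server,Outside) source static Server Server destination static ElevObject ElevObject no-proxy-arp route-lookup
!
! Lets VPN clients reach this one interface's own address (10.5.250.1) through the
! tunnel. The ASA allows exactly one management-access interface, so the Server
! interface address 192.168.100.1 stays unreachable from the tunnel with this setting.
management-access ElevInside
!
! Verification: each run prints the NAT rule matched and the egress interface chosen.
! 10.5.250.105 is the VPN client from the log; 192.168.100.50 is an assumed server host.
packet-tracer input Outside icmp 10.5.250.105 8 0 192.168.100.50 detailed
packet-tracer input ElevInside icmp 10.5.250.10 8 0 192.168.100.1 detailed
packet-tracer input Server icmp 192.168.100.50 8 0 10.5.250.105 detailed
show nat detail
show route
```

Read the third `packet-tracer` run first: a server replying to a VPN client with address 10.5.250.105 must egress Outside via the client's /32 route, and without `route-lookup` the `(Server,ElevInside)` identity rule steers it to ElevInside instead, which is the "Routing failed to locate next hop" shape seen in the thread. `show route` should list the connected VPN clients as /32 entries via Outside while they are connected.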