8 Replies Latest reply: Mar 6, 2012 3:15 AM by Paul Stewart - CCIE Security

    ospf routing in ASA

    eternalrain

      Hi all,

      I have enabled OSPF routing on the ASA. I can ping from the laptop 10.10.10.2 to 192.168.2.2, but pinging 192.168.2.3 fails. I ran debug icmp on the Layer 3 switch (3550): when I ping 192.168.2.2 from source 10.10.10.2, I can see the packets, but when I ping 192.168.2.3 from source 10.10.10.2, no packets appear in the debug icmp output.

      On the other side, the laptop 192.168.2.3 can ping 192.168.250.1 but cannot ping 10.10.10.2. The routing tables of the router and switch are already written in the PDF.

      I have already permitted ip any any on both inside and outside and also configured inspect icmp. Does anyone know what the problem is?

        • 1. Re: ospf routing in ASA
          eternalrain

          Hi all,

          Attaching the configuration with more detail. Thanks.

           

          ciscoasa# configure terminal

          ciscoasa(config)# pager lines 0

          ciscoasa(config)# end

          ciscoasa# show running-config

          : Saved

          :

          ASA Version 8.0(4)

          !

          hostname ciscoasa

          enable password 8Ry2YjIyt7RRXU24 encrypted

          passwd 2KFQnbNIdI.2KYOU encrypted

          names

          !

          interface Ethernet0/0

          nameif outside

          security-level 0

          ip address 192.168.2.1 255.255.255.0

          !

          interface Ethernet0/1

          nameif inside

          security-level 100

          ip address 192.168.250.144 255.255.255.0

          !

          interface Ethernet0/2

          shutdown

          no nameif

          no security-level

          no ip address

          !

          interface Ethernet0/3

          shutdown

          no nameif

          no security-level

          no ip address

          !

          interface Management0/0

          shutdown

          no nameif

          no security-level

          no ip address

          !

          ftp mode passive

          access-list in_to_out extended permit ip any any

          access-list in_to_out extended permit ospf any any

          access-list out_to_in extended permit ip any any

          access-list out_to_in extended permit ospf any any

          no pager

          mtu outside 1500

          mtu inside 1500

          icmp unreachable rate-limit 1 burst-size 1

          no asdm history enable

          arp timeout 14400

          access-group out_to_in in interface outside

          access-group in_to_out in interface inside

          !

          router ospf 1

          network 192.168.2.0 255.255.255.0 area 0

          network 192.168.250.0 255.255.255.0 area 0

          log-adj-changes

          !

          timeout xlate 3:00:00

          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

          timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

          dynamic-access-policy-record DfltAccessPolicy

          no snmp-server location

          no snmp-server contact

          snmp-server enable traps snmp authentication linkup linkdown coldstart

          crypto ipsec security-association lifetime seconds 28800

          crypto ipsec security-association lifetime kilobytes 4608000

          telnet timeout 5

          ssh timeout 5

          console timeout 0

          threat-detection basic-threat

          threat-detection statistics access-list

          no threat-detection statistics tcp-intercept

          !

          class-map inspection_default

          match default-inspection-traffic

          !

          !

          policy-map type inspect dns preset_dns_map

          parameters

            message-length maximum 512

            message-length maximum client auto

          policy-map global_policy

          class inspection_default

            inspect dns preset_dns_map

            inspect ftp

            inspect h323 h225

            inspect h323 ras

            inspect rsh

            inspect rtsp

            inspect esmtp

            inspect sqlnet

            inspect skinny 

            inspect sunrpc

            inspect xdmcp

            inspect sip 

            inspect netbios

            inspect tftp

            inspect icmp

            inspect pptp

            inspect ipsec-pass-thru

          !

          prompt hostname context

          Cryptochecksum:d43aa829429ea9c727a7819db0cadc99

          : end

           

          ciscoasa# show route

           

          Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

                 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

                 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

                 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

                 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

                 * - candidate default, U - per-user static route, o - ODR

                 P - periodic downloaded static route

           

          Gateway of last resort is not set

           

          C    127.0.0.0 255.255.0.0 is directly connected, cplane

          C    192.168.250.0 255.255.255.0 is directly connected, inside

          O    10.10.20.0 255.255.255.0 [110/11] via 192.168.250.1, 0:02:05, inside

          C    192.168.2.0 255.255.255.0 is directly connected, outside

          ciscoasa# ping 10.10.20.1

          Type escape sequence to abort.

          Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:

          !!!!!

          Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

          ciscoasa# ping 10.10.20.2

          Type escape sequence to abort.

          Sending 5, 100-byte ICMP Echos to 10.10.20.2, timeout is 2 seconds:

          !!!!!

          Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

          ciscoasa# show interface ip brief

          Interface                  IP-Address      OK? Method Status                Protocol

          Ethernet0/0                192.168.2.1     YES CONFIG up                    up 

          Ethernet0/1                192.168.250.144 YES manual up                    up 

          Ethernet0/2                unassigned      YES unset  administratively down down

          Ethernet0/3                unassigned      YES unset  administratively down down

          Internal-Control0/0        127.0.1.1       YES unset  up                    up 

          Internal-Data0/0           unassigned      YES unset  up                    up 

          Management0/0              unassigned      YES unset  administratively down down

          Virtual254                 unassigned      YES unset  up                    up 

          ciscoasa#

           

          Regards,

          eternal

          • 2. Re: ospf routing in ASA
            Paul Stewart  -  CCIE Security

            Check the route table on the PC at 192.168.2.3. One other note: the fact that you don't see packets in the debug on the switch at 192.168.2.2 may not tell us anything. I would have expected to see that only when the switch itself is being pinged.

            • 3. Re: ospf routing in ASA
              eternalrain

              I just tried with Windows XP on both sides and they were able to ping each other, but pinging Windows 7 from Windows XP failed. Something is wrong on Windows 7. I have already turned off the firewall on Windows 7. I have not tried pinging between two Windows 7 machines yet. Does anyone have an idea why Windows XP fails to ping Windows 7?

              • 4. Re: ospf routing in ASA
                Irfan Sri

                Activate ICMP in Windows 7: Control Panel > Windows Firewall > Advanced settings > Inbound Rules, and enable "File and Printer Sharing (Echo Request - ICMPv4-In)" in the Domain profile.

                • 5. Re: ospf routing in ASA
                  eugen

                  Check that your network profile in Windows 7 is not set to Public, and also, if the IP is from DHCP, just release and renew after you disable the firewall.

                  Hope this helps

                  Eugen

                  • 6. Re: ospf routing in ASA
                    Paul Stewart  -  CCIE Security

                    It seems like every time I think I have a W7 firewall disabled, it is still enabled. You could also throw Wireshark on the W7 box to see if it is receiving the pings. Then see if it is responding. HTH.
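The Windows 7 checks described in replies 4, 5 and 6 (enable the inbound echo-request rule, confirm the interface is not in the Public profile, and confirm the firewall is really off) as one added example. This is not code from the thread; it is run from an elevated PowerShell prompt on the Windows 7 host and calls netsh, because the NetSecurity cmdlets (New-NetFirewallRule, Get-NetFirewallProfile) do not exist on Windows 7. The rule name in step 4 and the service-name pattern in step 6 are assumptions for the lab.

```powershell
# Added example, not from the thread. Run as Administrator on the Windows 7 host.
# netsh is used because Windows 7 has no New-NetFirewallRule / Get-NetFirewallProfile cmdlets.

# 1. Is the firewall really off? Show the state of all three profiles, not only the one the GUI opened.
netsh advfirewall show allprofiles state

# 2. Which profile is the NIC currently classified into? An interface in "Public" is governed by the
#    Public profile's rules no matter what was changed under Domain or Private (reply 5).
netsh advfirewall monitor show currentprofile

# 3. Enable the built-in inbound echo-request rule that the GUI step in reply 4 refers to, for the
#    Domain profile (add profile=private if step 2 shows the lab NIC as Private).
netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" profile=domain new enable=yes

# 4. Alternative if the built-in rule is missing or renamed: an explicit rule for ICMPv4 type 8 (echo request).
#    The rule name is an assumption; any unique name works. Public is deliberately left out.
netsh advfirewall firewall add rule name="Lab - allow ICMPv4 echo request" dir=in action=allow protocol=icmpv4:8,any profile=domain,private

# 5. Confirm the rule is enabled and attached to the profile you expect.
netsh advfirewall firewall show rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" verbose

# 6. Look for a second packet filter below Windows Firewall: third-party VPN clients install their own
#    filter drivers and keep dropping echo requests with the firewall off (reply 7 found exactly this
#    with the Check Point client). The name pattern is an assumption; adjust it to the client in use.
Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.DisplayName -match 'VPN|Check Point|Cisco' } |
    Select-Object Name, DisplayName, Status
```

If step 1 reports a profile still ON, or step 2 reports Public, that explains the missing replies before any rule is touched. If the rules are in place and pings still fail, step 6 plus a Wireshark capture on the Windows 7 box (reply 6) separates "echo request never arrived" from "arrived but no reply was sent".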

                    • 7. Re: ospf routing in ASA
                      eternalrain

                      Finally, I have found the root cause. When I stop the VPN client on Windows 7, Windows 7 starts replying to the ICMP pings, even though Windows XP has not stopped its VPN client yet. Lesson learned today: next time I have to stop the VPN client on Windows 7 even though the firewall has been disabled. The VPN client I use is Check Point. Not sure whether the Cisco VPN client would also cause ICMP pings to fail. Thanks everyone for the kind advice.

                      • 8. Re: ospf routing in ASA
                        Paul Stewart  -  CCIE Security

                        I think the Cisco RA VPN client may cause that if the checkbox next to "firewall" is ticked. I'd have to test it to be sure. From recollection, it remained in effect even when you exit the application.