Cisco Learning Home > CCIE Security Study Group > Discussions
5942 Views 6 Replies Latest reply: Oct 31, 2009 1:31 PM by Paul Stewart - CCIE Security, CCSI


Question about two processes in OSPF (ASA)

Oct 31, 2009 5:01 AM

jhill 73 posts since
Oct 17, 2009

I keep reading within the ASA documentation and Cisco Press books that it is possible to use two OSPF processes on the Security Appliance that use the same IP address (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses).

I'm looking for configuration examples for this type of scenario on the Cisco website, but I don't see any.  I do see examples for 2 separate interfaces with different IP addresses.

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,396 posts since
    Oct 7, 2008
    1. Oct 31, 2009 7:58 AM (in response to jhill)
    Re: Question about two processes in OSPF (ASA)

    The idea would be to keep things separated.  My best example for wanting to do this is when using contexts.  Things aren't going to be overlapping or touching each other anyway.  Virtual firewalling.


    Paul will probably have a better answer than I.

    HTH,

    Scott

  • Paul Stewart  -  CCIE Security, CCSI 6,952 posts since
    Jul 18, 2008

    So I have some experience messing with this, but not with overlapping interface subnets. I agree with Scott on the use of contexts, but then we don't have any routing protocols to use, so it is my opinion that we must pay attention to wording, restrictions and the rest of the Security Lab we get. I have used multiple OSPF processes to have multiple OSPF databases. The order in which they load is very important. So if I recall correctly the last one loaded wins as far as the route table is concerned, but I may be wrong on that one. I certainly ran into an issue in which everything worked properly, then didn't after a reboot. I found that the order of entry determined the order in startup-config, and that was reversed in my case.

    Now the only way I see this being used is to pass the OSPF database(s) to adjacent devices. That will work for both processes. However, only one route will work in the ASA. So there may be a need to depend on other routing processes like EIGRP, a default (or, if permitted, a static) for next-hop information, etc. While this seems to be impossible since the address spaces in OSPF may be overlapping, it is possible because the OSPF is NOT in sync with your NAT table. However, to make NAT happen, you must steer the traffic toward the interface. So creative inside and outside NAT translations, along with next-hop addresses (for interface determination) from another method, can make this work. So real world, I hope you aren't doing this, but on the lab I guess it is a possibility. I don't know of a good example anywhere. I happened to have experience on this scenario from a practice lab I did. I know this is not exactly what you wanted to hear, but that is the extent of my experience on this.

    I don't think we can overlap interface addresses (see below).  Please correct me if I am wrong.

    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Ethernet0/2
    ciscoasa# conf t
    ciscoasa(config)# int Vlan1
    ciscoasa(config-if)# ip address
    ciscoasa(config-if)# ip address 192.168.0.2
    ERROR: Failed to apply IP address to interface Vlan1, as the network overlaps with interface Vlan2. Two interfaces cannot be in the same subnet.

  • CG7 8 posts since
    Dec 23, 2008
    3. Oct 31, 2009 9:59 AM (in response to jhill)
    Re: Question about two processes in OSPF (ASA)

    Jhill,

    I want to understand in more detail what you really read about it. So you read that it is possible with the ASA to use two OSPF processes, right? And an example would be:

    router ospf 1
     network 192.168.0.0 255.255.255.0 area 0

    router ospf 2
     network 192.168.1.0 255.255.255.0 area 1

    This will allow two different OSPF processes to be run on the ASA, process 1 and process 2; each of them will advertise different networks that also belong to different OSPF areas, right? This will solve the first piece of your question: "keep reading within the ASA documentation and ciscopress books that it is possible to use two ospf processes on the Security Appliance that use the same IP address".

    The second part is "that use the same IP address"; will this be referring to the fact that you could advertise the same network into different OSPF processes? Like,

    router ospf 1
     network 192.168.0.0 255.255.255.0 area 0
     network 192.168.1.0 255.255.255.0 area 1

    router ospf 2
     network 192.168.1.0 255.255.255.0 area 1

    Perhaps area 0 is advertising your inside network and also the fact that it knows your DMZ area 1 using process 1, but process 2 only advertises the DMZ network to other routers in the same OSPF process.

    Does that make sense to you? Because I agree that you could use contexts, but you will lose dynamic routing.

    CG7

  • Paul Stewart  -  CCIE Security, CCSI 6,952 posts since
    Jul 18, 2008
    4. Oct 31, 2009 10:33 AM (in response to CG7)
    Re: Question about two processes in OSPF (ASA)

    I have not tried hooking two OSPF databases to the same interface. Not sure what the results of that might be, if that is what the original poster was asking. Something about that seems scary. I would say, you could just become an ASBR and redistribute between the two OSPF processes and filter as desired with a route-map.
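
The two situations raised in this thread (the ASA refusing to put two interfaces in one subnet, and an interface that two OSPF processes would both run on, as in the two-process config CG7 posted) can be checked before the config is pasted into the box. The following is an added example written for this page; it is not code from the thread, from Cisco, or from any of the posters. The config it parses is constructed for the example, and it assumes the standard Cisco rule that an interface joins an OSPF process when its primary address falls inside one of that process's `network` statements (on the ASA the statement takes a dotted mask rather than an IOS-style wildcard). Only the `interface`/`nameif`/`ip address` and `router ospf`/`network` lines shown in the thread are parsed.

```python
"""Pre-flight lint for an ASA config that runs two OSPF processes.

Added example for this thread, not code from the thread or from Cisco. It
parses a constructed ASA-style fragment and reports overlapping connected
subnets and interfaces covered by more than one 'router ospf' process.
"""
import ipaddress
import re

# Constructed sample (assumption: illustrative addressing only). Vlan3 sits
# inside Vlan1's /24, and both OSPF processes cover 192.168.1.0/24.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 ip address 192.168.1.129 255.255.255.128
!
router ospf 1
 network 192.168.0.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 1
!
router ospf 2
 network 192.168.1.0 255.255.255.0 area 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
INTERFACE_RE = re.compile(r"^interface (\S+)$")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
IPADDR_RE = re.compile(rf"^ip address {IP} {IP}")
OSPF_RE = re.compile(r"^router ospf (\d+)$")
NETWORK_RE = re.compile(rf"^network {IP} {IP} area (\S+)$")  # ASA takes a mask, not a wildcard


def parse_config(text):
    """Return ({label: IPv4Interface}, {process_id: [(IPv4Network, area)]}); label is the nameif."""
    interfaces, processes = {}, {}
    state = {"mode": None, "ifname": None, "nameif": None, "addr": None, "pid": None}

    def flush_interface():
        # Record the interface stanza just finished, keyed by nameif (or the interface name).
        if state["mode"] == "if" and state["addr"] is not None:
            interfaces[state["nameif"] or state["ifname"]] = state["addr"]
        state["mode"] = None

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("!"):  # stanza separator
            flush_interface()
        elif m := INTERFACE_RE.match(line):
            flush_interface()
            state.update(mode="if", ifname=m.group(1), nameif=None, addr=None)
        elif m := OSPF_RE.match(line):
            flush_interface()
            state.update(mode="ospf", pid=int(m.group(1)))
            processes.setdefault(state["pid"], [])
        elif state["mode"] == "if":
            if m := NAMEIF_RE.match(line):
                state["nameif"] = m.group(1)
            elif m := IPADDR_RE.match(line):
                state["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif state["mode"] == "ospf":
            if m := NETWORK_RE.match(line):
                net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
                processes[state["pid"]].append((net, m.group(3)))
    flush_interface()
    return interfaces, processes


def overlapping_interfaces(interfaces):
    """Pairs of interfaces whose connected subnets overlap (the ASA rejects the second one)."""
    labels = sorted(interfaces)
    return [(a, b) for i, a in enumerate(labels) for b in labels[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]


def ospf_bindings(interfaces, processes):
    """Map each interface to the OSPF processes whose 'network' statements cover its
    primary address (how Cisco attaches an interface to a process), in config order."""
    return {label: [pid for pid, nets in processes.items()
                    if any(addr.ip in net for net, _area in nets)]
            for label, addr in interfaces.items()}


def doubly_bound(bindings):
    """Interfaces that more than one OSPF process would run on."""
    return {label: pids for label, pids in bindings.items() if len(pids) > 1}


if __name__ == "__main__":
    ifs, procs = parse_config(SAMPLE_CONFIG)
    for a, b in overlapping_interfaces(ifs):
        print(f"overlap: {a} ({ifs[a]}) and {b} ({ifs[b]}) share a subnet")
    for label, pids in doubly_bound(ospf_bindings(ifs, procs)).items():
        print(f"interface {label} is in OSPF processes {pids}")
```

Run against the constructed sample it reports that `dmz` (192.168.1.129/25) sits inside `inside` (192.168.1.0/24), which is exactly the combination the ASA refuses with "Two interfaces cannot be in the same subnet", and that both `inside` and `dmz` would be attached to OSPF processes 1 and 2 at once, the case Paul describes as untested. The `outside` interface is only matched by process 1. Redistribution between the two processes with a route-map, as suggested above, does not show up here because it is a separate `redistribute` statement rather than a `network` binding.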

  • Paul Stewart  -  CCIE Security, CCSI 6,952 posts since
    Jul 18, 2008
    6. Oct 31, 2009 1:31 PM (in response to jhill)
    Re: Question about two processes in OSPF (ASA)

    I would just make sure that if I had overlapping address spaces in the route table going out different interfaces, I realize that the load order determines what gets into the route table. Also realize that what really makes it to the route table cannot overlap. If something is not working, try removing the earlier route process (or route) and re-adding it.
