Wednesday 27 February 2013

ASA 8.3 NAT config

1. Differences between pre-8.3 and 8.3+ ASA NAT

Starting with version 8.3, the ASA has a new NAT implementation: NAT is now configured using network objects.
ACLs are also configured with the real IP address instead of the mapped one.
There are now 2 types of NAT:
 -Auto NAT - source NAT only
 -Manual NAT - source and destination NAT
NAT control is not used anymore.

syntax:

dynamic NAT

nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj | interface} [dns]

static NAT

nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port]

Interfaces—If you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces. Be sure to include the parentheses in your command.      


2. Auto NAT
Auto NAT is used only for static or dynamic NAT.
Auto NAT is configured within a network object.
      
2.1. Static/Dynamic NAT using mapped IP

object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 192.168.223.150

object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) dynamic 192.168.223.150
        
2.2 Static PAT using mapped IP

object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 192.168.223.150 service tcp www 8080
2.3 Static/Dynamic NAT with DNS Reply Modification

object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 192.168.223.150 dns

object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) dynamic 192.168.223.150 dns

A DNS server is reachable on the outside interface. The HTTP server used in our example is on the inside interface. You configure the adaptive security appliance to statically translate the HTTP_inside_server real address (10.1.1.2) to a mapped address (192.168.223.150) that is visible on the outside network. In this case, you want to enable DNS reply modification on this static rule so that inside users who access HTTP_inside_server using the real address receive the real address from the DNS server, and not the mapped address.
The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). This option is not available if you specify the service keyword.
          
2.4 Static/Dynamic PAT with interface keyword

With static NAT, the interface keyword can be used only together with port translation. For this option, you must configure a specific interface as the mapped interface.

object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static interface

object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) dynamic interface

Static NAT for a specific service only:
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static interface service tcp www 8080

3. Manual NAT

Manual NAT is configured directly in global configuration mode, not as part of a network object.
Manual NAT can consider either only the source address or both the source and destination addresses when performing NAT.
     
3.1 Static/Dynamic NAT using an IP address range
object network range_192.168.223.200-250
 range 192.168.223.200 192.168.223.250
object network inside_network
 subnet 10.1.1.0 255.255.255.0

nat (inside,outside) source static inside_network range_192.168.223.200-250

object network range_192.168.223.200-250
 range 192.168.223.200 192.168.223.250
object network inside_network
 subnet 10.1.1.0 255.255.255.0

nat (inside,outside) source dynamic inside_network range_192.168.223.200-250

3.2 Static/Dynamic PAT using interface keyword
object network inside_network
 subnet 10.1.1.0 255.255.255.0

nat (inside,outside) source static inside_network interface

object network inside_network
 subnet 10.1.1.0 255.255.255.0

nat (inside,outside) source dynamic inside_network interface

3.3 Dynamic NAT with dynamic PAT backup
object network range_192.168.223.200-250
 range 192.168.223.200 192.168.223.250
object network inside_network
 subnet 10.1.1.0 255.255.255.0
object network obj_192.168.223.251
 host 192.168.223.251
object-group network PAT_BKP
 network-object object range_192.168.223.200-250
 network-object object obj_192.168.223.251

nat (inside,outside) source dynamic inside_network PAT_BKP interface

Hosts on the inside network 10.1.1.0 are mapped first to range_192.168.223.200-250. After all addresses in range_192.168.223.200-250 are allocated, dynamic PAT is performed using the host address 192.168.223.251. In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.

3.4 Twice NAT
Manual NAT can translate both the source and the destination in a single statement.
object network obj_10.1.1.2
 host 10.1.1.2
object network obj_200.200.200.130
 host 200.200.200.130
object network obj_192.168.223.150
 host 192.168.223.150
object network obj_192.168.223.129
 host 192.168.223.129

nat (inside,outside) source static obj_10.1.1.2 obj_192.168.223.150 destination static obj_200.200.200.130 obj_192.168.223.129

3.5 Policy NAT Exemption
Used to exempt traffic going over a VPN tunnel from NAT (identity NAT):
object network inside-network
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network vpn-subnet
 range 10.2.2.0 10.2.2.100

nat (inside,outside) source static inside-network inside-network destination static vpn-subnet vpn-subnet

4. NAT order of operation

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3:
Section 1 – Manual NAT
Section 2 – Auto NAT
Section 3 – Manual NAT after-auto (manual NAT rules configured with the after-auto keyword)
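As an added example (not code from the original post), the three-section table can be modelled to see which rule a given connection hits. The three rules below are the ones shown in the show nat output later in this post; the lookup is a simplified first-match walk of sections 1, 2 and 3 (the ASA's finer ordering inside a section is not modelled), and the destination 203.0.113.10 is a constructed test address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of the ASA NAT table (added example, not ASA code): rules are
# walked section 1 -> 2 -> 3 and the first match wins. Within a section the
# configured order is kept; the ASA's intra-section ordering is not modelled.

@dataclass
class NatRule:
    section: int                  # 1 = manual, 2 = auto (object), 3 = manual after-auto
    name: str
    real_src: str                 # host/subnet in CIDR form, or a "first-last" range
    mapped_src: str
    real_dst: Optional[str] = None      # only twice NAT rules carry a destination
    mapped_dst: Optional[str] = None
    proto: Optional[str] = None         # auto NAT "service" clause
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

def _contains(spec: str, ip: str) -> bool:
    """True if ip falls inside a host, CIDR subnet or first-last range spec."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def _first(spec: str):
    """First address of a spec, used to keep the host offset in static NAT."""
    if "-" in spec:
        return ipaddress.ip_address(spec.split("-")[0])
    return ipaddress.ip_network(spec, strict=False).network_address

def _translate(real: str, mapped: str, ip: str) -> str:
    """Static one-to-one: identity NAT keeps the address, otherwise keep the offset."""
    if real == mapped:
        return ip
    offset = int(ipaddress.ip_address(ip)) - int(_first(real))
    return str(_first(mapped) + offset)

def _matches(rule: NatRule, src: str, dst: str, proto: str, sport: int) -> bool:
    if not _contains(rule.real_src, src):
        return False
    if rule.real_dst and not _contains(rule.real_dst, dst):
        return False
    if rule.proto and (rule.proto != proto or rule.real_port != sport):
        return False
    return True

def apply_nat(table, src, dst, proto="tcp", sport=40000):
    """Return (section, rule name, mapped src, mapped dst, mapped sport) or None."""
    for rule in sorted(table, key=lambda r: r.section):
        if _matches(rule, src, dst, proto, sport):
            new_src = _translate(rule.real_src, rule.mapped_src, src)
            new_dst = dst
            if rule.real_dst:
                new_dst = _translate(rule.real_dst, rule.mapped_dst, dst)
            new_sport = rule.mapped_port if rule.mapped_port else sport
            return rule.section, rule.name, new_src, new_dst, new_sport
    return None

# The three rules from the "show nat" output in this post.
NAT_TABLE = [
    NatRule(1, "vpn identity", "10.1.1.0/24", "10.1.1.0/24",
            "10.2.2.0-10.2.2.100", "10.2.2.0-10.2.2.100"),
    NatRule(2, "auto static www", "10.1.1.2/32", "192.168.223.150/32",
            proto="tcp", real_port=80, mapped_port=80),
    NatRule(3, "after-auto twice NAT", "10.1.1.2/32", "192.168.223.150/32",
            "200.200.200.130/32", "192.168.223.129/32"),
]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation range) destination.
    # Note the fourth packet: traffic from 10.1.1.2 port 80 to 200.200.200.130
    # is caught by the section 2 rule, so the section 3 twice NAT rule never
    # translates its destination.
    for pkt in [("10.1.1.2", "10.2.2.50", "tcp", 80),
                ("10.1.1.2", "203.0.113.10", "tcp", 80),
                ("10.1.1.2", "200.200.200.130", "tcp", 40000),
                ("10.1.1.2", "200.200.200.130", "tcp", 80),
                ("10.1.1.5", "203.0.113.10", "tcp", 40000)]:
        print(pkt, "->", apply_nat(NAT_TABLE, *pkt))
```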


5. NAT monitoring and troubleshooting

ASA1# show running-config nat
nat (inside,outside) source static inside_network inside_network destination static vpn-subnet vpn-subnet
object network obj_10.1.1.2
 nat (inside,outside) static 192.168.223.150 service tcp www www
nat (inside,outside) after-auto source static obj_10.1.1.2 obj_192.168.223.150 destination static obj_200.200.200.130 obj_192.168.223.129

ASA1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside_network inside_network   destination static vpn-subnet vpn-subnet
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_10.1.1.2 192.168.223.150   service tcp www www
    translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside) source static obj_10.1.1.2 obj_192.168.223.150   destination static obj_200.200.200.130 obj_192.168.223.129
    translate_hits = 0, untranslate_hits = 0

ASA1# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside_network inside_network   destination static vpn-subnet vpn-subnet
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.2.2.0-10.2.2.100, Translated: 10.2.2.0-10.2.2.100
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_10.1.1.2 192.168.223.150   service tcp www www
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.2/32, Translated: 192.168.223.150/32
    Service - Protocol: tcp Real: www Mapped: www
Manual NAT Policies (Section 3)
1 (inside) to (outside) source static obj_10.1.1.2 obj_192.168.223.150   destination static obj_200.200.200.130 obj_192.168.223.129
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.2/32, Translated: 192.168.223.150/32
    Destination - Origin: 200.200.200.130/32, Translated: 192.168.223.129/32

ASA1# show xlate
4 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24
    flags sI idle 0:04:33 timeout 0:00:00
TCP PAT from inside:10.1.1.2 80-80 to outside:192.168.223.150 80-80
    flags sr idle 0:05:58 timeout 0:00:00
NAT from outside:192.168.223.129 to inside:200.200.200.130
    flags sT idle 0:03:35 timeout 0:00:00
NAT from inside:10.1.1.2 to outside:192.168.223.150
    flags sT idle 0:03:35 timeout 0:00:00

Friday 8 February 2013

ASA administrative access and management traffic



  • Topology (network diagram)

1. Administrative access

1.1. Configure telnet access from the inside subnet
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
telnet 10.0.0.0 255.255.255.0 inside
passwd cisco

The ASA doesn't allow Telnet to interfaces with a security-level less than 100.
You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPsec tunnel.

1.2. Configure ssh access from the outside subnet

In order to enable encrypted access to the ASA appliance using either SSH or HTTPS, you first need to generate an RSA key pair on the ASA:
ciscoasa(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)#

The command used to identify the IP addresses from which the ASA accepts SSH connections is:
ciscoasa(config)# ssh 172.20.100.0 255.255.255.0 outside


1.3. Configure ASDM access from host BT5R3
To use ASDM, you need to enable the HTTPS server and allow HTTPS connections to the ASA.

ciscoasa(config)# http server enable 10443
*The default port is 443.

Specify the location of the ASDM image:
ciscoasa(config)# asdm image disk0:/asdm/asdm-645-106.bin

1.4 Configuring AAA for System Administrators

1.4.1 Telnet authentication using AAA
aaa authentication telnet console LOCAL 

1.4.2 SSH authentication using AAA
ciscoasa(config)# aaa authentication ssh console LOCAL

1.4.3 HTTPs authentication using AAA
ciscoasa(config)# aaa authentication http console LOCAL

Instead of LOCAL authentication you can use a RADIUS or TACACS+ aaa-server group for administrative authentication.

Configuration on the ASA for a TACACS+ server group:

aaa-server TACACS_TEST protocol tacacs+
aaa-server TACACS_TEST (dmz) host 192.168.223.129
 key *****
aaa authentication ssh console TACACS_TEST


If you use a AAA server group for authentication, you can configure the ASA to use the local database as a fallback method if the AAA server is unavailable.
aaa authentication telnet console TACACS_TEST LOCAL
aaa authentication ssh console TACACS_TEST LOCAL
aaa authentication http console TACACS_TEST LOCAL

You can configure the ASA to authenticate users with a AAA server or the local database when they enter the enable command.
aaa authentication enable console TACACS_TEST LOCAL
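As an added example (not code from the original post), a small audit of the administrative-access commands covered in this section: it reads a running-config, maps each nameif to its security-level, and flags Telnet permitted on an interface below security-level 100, access methods with no aaa authentication line, and AAA server groups with no LOCAL fallback. The sample config is constructed from this post's commands; the dmz interface and its addresses are made up for the demonstration, TACACS_TEST is the server group from the post.

```python
# Constructed sample running-config (not a capture from a real device),
# assembled from the telnet/ssh/http/aaa commands shown in this post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet1
 nameif dmz
 security-level 50
 ip address 192.168.223.1 255.255.255.0
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 172.20.100.1 255.255.255.0
telnet 10.0.0.0 255.255.255.0 inside
telnet 192.168.223.0 255.255.255.0 dmz
telnet timeout 5
ssh 172.20.100.0 255.255.255.0 outside
ssh version 2
http server enable 10443
aaa-server TACACS_TEST protocol tacacs+
aaa-server TACACS_TEST (dmz) host 192.168.223.129
aaa authentication ssh console TACACS_TEST
aaa authentication enable console TACACS_TEST LOCAL
"""

def parse_security_levels(cfg: str) -> dict:
    """Map each nameif to its security-level, read from the interface blocks."""
    levels, nameif, level = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            if nameif is not None:
                levels[nameif] = level
            nameif, level = None, None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
    if nameif is not None:
        levels[nameif] = level
    return levels

def audit_admin_access(cfg: str) -> list:
    """Return findings for management access that is weak or lacks AAA."""
    findings = []
    levels = parse_security_levels(cfg)
    enabled = set()    # access methods that are switched on: telnet/ssh/http
    aaa = {}           # "telnet"/"ssh"/"http"/"enable" -> list of auth methods
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        # "<telnet|ssh> <network> <mask> <nameif>"; timeout/version lines are skipped
        if t[0] in ("telnet", "ssh") and len(t) == 4:
            enabled.add(t[0])
            if t[0] == "telnet":
                lvl = levels.get(t[3])
                if lvl is None or lvl < 100:
                    findings.append(f"telnet permitted on interface {t[3]} "
                                    f"(security-level {lvl}); Telnet is cleartext")
        elif t[:3] == ["http", "server", "enable"]:
            enabled.add("http")
        elif t[:2] == ["aaa", "authentication"] and len(t) >= 5 and t[3] == "console":
            aaa[t[2]] = t[4:]          # e.g. ["TACACS_TEST", "LOCAL"]; last line wins
    for proto in sorted(enabled):
        methods = aaa.get(proto)
        if methods is None:
            findings.append(f"{proto}: no 'aaa authentication {proto} console' configured")
        elif "LOCAL" not in methods:
            findings.append(f"{proto}: AAA group {methods[0]} without LOCAL fallback")
    if "enable" not in aaa:
        findings.append("enable: no 'aaa authentication enable console' configured")
    return findings

if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_CONFIG):
        print(finding)
```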

2. Management traffic
2.1 NTP
Configure the ASA for time synchronization with R1 (use MD5 key NTP_key for authentication):
ntp authentication-key 1 md5 NTP_key
ntp authenticate
ntp trusted-key 1
ntp server 172.20.100.3 key 1

ciscoasa# show ntp status
Clock is synchronized, stratum 9, reference is 172.20.100.3
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d4bfb07e.6c18a0bb (17:12:30.422 UTC Fri Feb 8 2013)
clock offset is -14.9486 msec, root delay is 7.42 msec
root dispersion is 15905.61 msec, peer dispersion is 15890.63 msec

ciscoasa# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~172.20.100.3     127.127.7.1       8    41    64    1     7.4  -14.95  15890.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured


2.2 System logging
Enable logging
ciscoasa(config)# logging enable

Send Syslog Messages to the Internal Log Buffer
ciscoasa(config)# logging buffered critical
ciscoasa(config)# logging buffered alerts
ciscoasa(config)# logging buffered errors

Change the size of the internal log buffer. The default buffer size is 4 KB.
ciscoasa(config)# logging buffer-size 8192

You can send the memory buffer contents, when the buffer wraps, to the FTP server 192.168.1.129:
logging ftp-bufferwrap
logging ftp-server 192.168.223.129 /syslog ftp_user *****

Send syslog messages to the syslog server 192.168.1.129:
logging trap informational
logging host dmz 192.168.223.129

Specify that syslog messages should include the date and time at which they were generated:
ciscoasa(config)# logging timestamp

By default, syslog messages are sent with facility 20. You can change that using the following command:
ciscoasa(config)# logging facility 19

Send syslog messages to the console port:
ciscoasa(config)# logging console alerts

Send syslog messages to SSH/Telnet sessions:
ciscoasa(config)# logging monitor critical
ciscoasa(config)# terminal monitor

Send syslog messages to the ASDM interface:
ciscoasa(config)# logging asdm debugging

Include the device ID in syslog messages:
ciscoasa(config)# logging device-id ipaddress inside

Filter syslog messages
a. class-based filtering
ciscoasa(config)# logging class config console errors

b. list filtering
ciscoasa(config)# logging list ASA_SYSLOG_LIST message 101002-103000
ciscoasa(config)# logging asdm ASA_SYSLOG_LIST

c. message-ID filtering
ciscoasa(config)# no logging message 111010

Check logging status:
ciscoasa(config)# show logging
Syslog logging: enabled
    Facility: 23
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging:  class config, 4 messages logged
    Monitor logging: level critical, 0 messages logged
    Buffer logging: level errors, 0 messages logged
    Trap logging: level informational, facility 23, 98 messages logged
        Logging to dmz 192.168.223.129
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: 'inside' interface IP address "10.0.0.1"
    Mail logging: disabled
    ASDM logging: list ASA_SYSLOG_LIST, 109 messages logged

ciscoasa(config)# show logging message
syslog 111010: default-level notifications (disabled)


2.3 SNMP

Enable the snmp server on the ASA
ciscoasa(config)# snmp-server enable

Identify the NMS host that can connect to the ASA for SNMP management
ciscoasa(config)# snmp-server host dmz 192.168.223.129 community *****

Set SNMP location and contact
ciscoasa(config)# snmp-server location Test_city
ciscoasa(config)# snmp-server contact +108919991

Set SNMP community
ciscoasa(config)# snmp-server community *****
ciscoasa(config)# snmp-server enable traps all

Enable sending of alert-level syslog messages as SNMP traps (history logging):
ciscoasa(config)# logging history alerts

SNMP server statistics
ciscoasa(config)# show snmp-server statistics
5 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    2 Number of requested variables
    0 Number of altered variables
    2 Get-request PDUs
    0 Get-next PDUs
    1 Get-bulk PDUs
    0 Set-request PDUs (Not supported)
990 SNMP packets output
    0 Too big errors (Maximum packet size 512)
    0 No such name errors
    0 Bad values errors
    0 General errors
    3 Response PDUs
    985 Trap PDUs

Thursday 7 February 2013

ASA Active/Standby configuration scenario

Topology (network diagram)

1. Configure ASA in Active/Standby failover

Active/Standby failover enables you to use a standby ASA to take over the functionality of a failed unit.

ASA1
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1
failover link linkstate GigabitEthernet2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip linkstate 2.2.2.1 255.255.255.252 standby 2.2.2.2

interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0 standby 20.20.20.2

ASA2
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1
failover link linkstate GigabitEthernet2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip linkstate 2.2.2.1 255.255.255.252 standby 2.2.2.2

interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0 standby 20.20.20.2

The primary unit always becomes the active unit if both units start up at the same time.
The primary unit MAC addresses are always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active and cannot obtain the primary unit MAC addresses over the failover link. In this case, the secondary unit MAC addresses are used.
You can also configure a virtual MAC address:
failover mac address GigabitEthernet0 0011.1111.1111 0022.2222.2222
failover mac address GigabitEthernet3 0033.3333.3333 0044.4444.4444

2. Testing Failover Functionality

ciscoasa# show failover
state               State          Last Failure Reason      Date/Time
This host  -   Primary               Active         None
Other host -   Secondary               Standby Ready  None
====Configuration State
=== Sync Done
====Communication State
===Mac set

ciscoasa# show failover interface
interface failover GigabitEthernet1
System IP Address: 1.1.1.1 255.255.255.252
My IP Address    : 1.1.1.1
Other IP Address : 1.1.1.2
interface linkstate GigabitEthernet2
System IP Address: 2.2.2.1 255.255.255.252
My IP Address    : 2.2.2.1
Other IP Address : 2.2.2.2

ciscoasa# show monitor-interface
This host: Primary - Active
    Interface inside (192.168.1.1): Normal (Monitored)
    Interface outside (20.20.20.1): Normal (Monitored)
 Other host: Secondary - Standby Ready
    Interface inside (192.168.1.2): Normal (Monitored)
    Interface outside (20.20.20.2): Normal (Monitored)

3. Forcing Failover

Forces a failover when entered on the standby unit in a failover pair. The standby unit becomes the active unit.
failover active 

Forces a failover when entered on the active unit in a failover pair. The active unit becomes the standby unit.
no failover active 

4. Disabling and Enabling Interface Monitoring

You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others.
no monitor-interface outside

Monitored failover interfaces can have the following status:

• Unknown—Initial status. This status can also mean the status cannot be determined.
• Normal—The interface is receiving traffic.
• Testing—Hello messages are not heard on the interface for five poll times.
• Link Down—The interface or VLAN is administratively down.
• No Link—The physical link for the interface is down.
• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

5. Troubleshooting

5.a Active unit failed (power or hardware). Action - failover.
The standby becomes active and marks the active unit as failed.
ciscoasa# Switching to Active
ciscoasa# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 13:56:18 UTC Feb 7 2013
 This host: Secondary - Active
   Active time: 14 (sec)
     Interface inside (192.168.1.1): Normal (Waiting)
     Interface outside (20.20.20.1): Normal (Not-Monitored)
Other host: Primary - Failed
  Active time: 1299 (sec)
    Interface inside (192.168.1.2): Unknown (Monitored)
    Interface outside (20.20.20.2): Unknown (Not-Monitored)

5.b Formerly active unit recovers. Action - no failover.
The primary becomes standby (ASA Active/Standby failover does not support preemption).
ciscoasa# Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:07:49 UTC Feb 7 2013
 This host: Primary - Standby Ready
Active time: 0 (sec)
    Interface inside (192.168.1.2): Normal (Monitored)
    Interface outside (20.20.20.2): Normal (Monitored)
 Other host: Secondary - Active
  Active time: 902 (sec)
    Interface inside (192.168.1.1): Normal (Monitored)
    Interface outside (20.20.20.1): Normal (Monitored)

5.c Standby unit failed (power or hardware). Action - no failover.
The standby is marked as failed.
Active time: 0 (sec)

5.d Failover link failed during operation. The failover interface is marked as failed. Action - no failover.
ciscoasa(config)# Failover LAN Failed
No switchover
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:19:23 UTC Feb 7 2013
 This host: Primary - Active
Active time: 64 (sec)  
  Interface inside (192.168.1.1): Normal (Monitored)  
  Interface outside (20.20.20.1): Normal (Monitored)
Other host: Secondary - Standby Ready
 Active time: 1312 (sec)  
  Interface inside (192.168.1.2): Normal (Monitored)  
  Interface outside (20.20.20.2): Normal (Monitored)

5.e Failover link failed at startup. The failover interface is marked as failed.

If the failover link is down at startup, both units become active.

5.f Stateful Failover link failed. Action - no failover.
State information becomes out of date, and sessions are terminated if a failover occurs.
ciscoasa# Failover Stateful interface Failed
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:19:23 UTC Feb 7 2013
 This host: Primary - Active
   Active time: 510 (sec)
    Interface inside (192.168.1.1): Normal (Monitored)
    Interface outside (20.20.20.1): Normal (Monitored)
 Other host: Secondary - Standby Ready
  Active time: 1312 (sec)
    Interface inside (192.168.1.2): Normal (Monitored)
    Interface outside (20.20.20.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
 Link : linkstate GigabitEthernet2 (Failed)
5.g Interface failure on active unit above threshold. Action - failover.
ciscoasa# Switching to Active
ciscoasa# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:42:13 UTC Feb 7 2013
This host: Secondary - Active
Active time: 1490 (sec)
    Interface inside (192.168.1.1): Normal (Monitored)
    Interface outside (20.20.20.1): Normal (Waiting)
 Other host: Primary - Failed
   Active time: 1211 (sec)
    Interface inside (192.168.1.2): Normal (Waiting)
    Interface outside (20.20.20.2): Failed (Waiting)

5.h Interface failure on standby unit above threshold. The standby is marked as failed.

When the standby unit is marked as failed, the active unit does not attempt to fail over even if the interface failure threshold is surpassed.

5.i Failover link and interface failure on active unit above threshold. Action - no failover.
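As an added example (not code from the original post), a parser for the show failover output used throughout this section, with an alert function that reports the conditions the cases above illustrate: a failed peer, a non-Normal monitored interface, a failover or stateful link that is not up, and the secondary unit holding the active role. SAMPLE_OUTPUT is constructed from the outputs in this post (case 5.g with the stateful link line from case 5.f appended); it is not a single real capture.

```python
import re

# Constructed from the "show failover" outputs quoted in this post (case 5.g plus
# the Stateful Failover link line of case 5.f); not a single real capture.
SAMPLE_OUTPUT = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:42:13 UTC Feb 7 2013
This host: Secondary - Active
Active time: 1490 (sec)
    Interface inside (192.168.1.1): Normal (Monitored)
    Interface outside (20.20.20.1): Normal (Waiting)
 Other host: Primary - Failed
   Active time: 1211 (sec)
    Interface inside (192.168.1.2): Normal (Waiting)
    Interface outside (20.20.20.2): Failed (Waiting)
Stateful Failover Logical Update Statistics
 Link : linkstate GigabitEthernet2 (Failed)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \(([^)]+)\)")
LAN_RE = re.compile(r"^Failover LAN Interface: \S+ (\S+) \((.+)\)")
LINK_RE = re.compile(r"^\s*Link : \S+ (\S+) \((.+)\)")
LAST_RE = re.compile(r"^Last Failover at: (.+)$")

def parse_show_failover(text: str) -> dict:
    """Turn the text output into {hosts, lan, stateful_link, last_failover}."""
    state = {"hosts": {}, "lan": None, "stateful_link": None, "last_failover": None}
    current = None                      # host block the interface lines belong to
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()            # "this" or "other"
            state["hosts"][current] = {"unit": m.group(2), "state": m.group(3),
                                       "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            state["hosts"][current]["interfaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)}
            continue
        for key, rx in (("lan", LAN_RE), ("stateful_link", LINK_RE)):
            m = rx.match(line)
            if m:
                state[key] = {"interface": m.group(1), "status": m.group(2)}
        m = LAST_RE.match(line)
        if m:
            state["last_failover"] = m.group(1)
    return state

def failover_alerts(state: dict) -> list:
    """Conditions an operator would want to be paged on, from the parsed state."""
    alerts = []
    for which, h in state["hosts"].items():
        if h["state"] not in ("Active", "Standby Ready"):
            alerts.append(f"{which} host ({h['unit']}) is {h['state']}")
        for name, i in h["interfaces"].items():
            if i["status"] != "Normal":
                alerts.append(f"{which} host interface {name} ({i['ip']}) is {i['status']}")
    for key in ("lan", "stateful_link"):
        link = state[key]
        if link and link["status"].lower() != "up":
            alerts.append(f"{key} {link['interface']}: {link['status']}")
    # The primary is normally active; the secondary being active means a
    # failover happened and, without preemption, it stays that way.
    active = [h["unit"] for h in state["hosts"].values() if h["state"] == "Active"]
    if active == ["Secondary"]:
        alerts.append(f"Secondary unit is active; last failover at {state['last_failover']}")
    elif len(active) != 1:
        alerts.append(f"{len(active)} active units seen (expected exactly one)")
    return alerts

if __name__ == "__main__":
    for alert in failover_alerts(parse_show_failover(SAMPLE_OUTPUT)):
        print(alert)
```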



Tuesday 5 February 2013

Cisco ASA routing scenario


  • Topology (network diagram)

*This scenario is oriented to Cisco ASA configuration. Router and switch configs are omitted.


1. Configure the following interfaces on the ASA device:
-inside    security-level 100   (EIGRP area)
-outside   security-level 0     (OSPF area)
-dmz1      security-level 75    (servers area)
-dmz2      security-level 50    (RIP area)
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 123.123.1.1 255.255.255.0
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet2.75
 vlan 75
 nameif dmz1
 security-level 75
 ip address 192.168.223.1 255.255.255.0
interface GigabitEthernet2.50
 vlan 50
 nameif dmz2
 security-level 50
 ip address 192.168.1.1 255.255.255.0

2. Configure all the corresponding IP addresses on R1, R2, R3, R4 and on the Windows and Linux servers.
    Loopback IP addresses:
R1 - 1.1.1.1/24
R2 - 2.2.2.2/24
R3 - 3.3.3.3/24
R4 - 4.4.4.4/24

3. Routing configuration
3.1.A OSPF configuration:
         -area 0
         -md5 authentication (password TEST)
         -ASA router-id 5.5.5.5
router ospf 1
 router-id 5.5.5.5
 network 123.123.1.0 255.255.255.0 area 0
interface GigabitEthernet0
 ospf message-digest-key 1 md5 TEST
 ospf authentication message-digest

*The syntax used for the network statement is <subnet> <subnet_mask>, different from the syntax of the IOS command (<subnet> <wildcard_mask>).

3.1.B OSPF verification & troubleshooting:
Correct status:
ASA1# show  ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         0:00:38     123.123.1.2     outside
3.3.3.3           1   FULL/BDR        0:00:38     123.123.1.3     outside
ASA1# show ospf interface
outside is up, line protocol is up
  Internet Address 123.123.1.1 mask 255.255.255.0, Area 0
  Process ID 1, Router ID 5.5.5.5, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 123.123.1.2
  Backup Designated router (ID) 3.3.3.3, Interface address 123.123.1.3
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:07
  Index 1/1, flood queue length 0
  Next 0x00000000(0)/0x00000000(0)
  Last flood scan length is 0, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 2.2.2.2  (Designated Router)
    Adjacent with neighbor 3.3.3.3  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
* Ensure the ASA does not become DR or BDR on the Ethernet segment by using the interface configuration command ospf priority 0:
interface GigabitEthernet0
 ospf priority 0
Troubleshooting
a. Authentication mismatch 
(no authentication vs. MD5 authentication)
ASA1# debug ospf adj
OSPF adjacency events debugging is on 
OSPF: Rcv pkt from 123.123.1.3, outside : Mismatch Authentication type. Input packet specified type 0, we use type 2
OSPF: Send with youngest Key 1
(plain text authentication vs. MD5 authentication)
ASA1# debug ospf adj
OSPF adjacency events debugging is on
ASA1# OSPF: Rcv pkt from 123.123.1.3, outside : Mismatch Authentication type. Input packet specified type 1, we use type 2
OSPF: Send with youngest Key 1

b. Flapping OSPF neighbor due to network type mismatch

Check the network type on both ends:

ASA1# show  ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         0:00:38     123.123.1.2     outside
3.3.3.3           1   FULL/BDR        0:00:38     123.123.1.3     outside
ASA1# show ospf interface
outside is up, line protocol is up
  Internet Address 123.123.1.1 mask 255.255.255.0, Area 0
  Process ID 1, Router ID 5.5.5.5, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 123.123.1.2
  Backup Designated router (ID) 3.3.3.3, Interface address 123.123.1.3
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:07
  Index 1/1, flood queue length 0
  Next 0x00000000(0)/0x00000000(0)
  Last flood scan length is 0, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 2.2.2.2  (Designated Router)
    Adjacent with neighbor 3.3.3.3  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
3.2.A EIGRP configuration
     -md5 authentication (password TEST)
     -no auto-summary
router eigrp 1
 network 10.10.1.0 255.255.255.0
 no auto-summary
interface GigabitEthernet1
 authentication key eigrp 1 TEST key-id 1
 authentication mode eigrp 1 md5
*EIGRP supports only MD5 authentication

3.2.B EIGRP verification & troubleshooting
Correct status:
ASA1# show eigrp neigh
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.1.2               Gi1              13  00:02:59 4    200   0   3

Troubleshooting
a. Authentication issue
ASA1# debug eigrp packets 
EIGRP Packets debugging is on   (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP: Sending HELLO on GigabitEthernet1  AS 65538, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: GigabitEthernet1: ignored packet from 10.10.1.2, opcode = 5 (missing authentication)
EIGRP: Sending HELLO on GigabitEthernet1

b. K-value mismatch
ASA1# debug eigrp packets
EIGRP Packets debugging is on    (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
ASA1(config)# EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.10.1.2  AS 65538, Flags 0x0, Seq 0/0 interfaceQ 0/0    K-value mismatch

The ASA does NOT support changing the K-values. Make sure the K-values on the other end are set to the default:
R1#show ip protocols 
Routing Protocol is "eigrp 1" 
Outgoing update filter list for all interfaces is not set 
Incoming update filter list for all interfaces is not set 
Default networks flagged in outgoing updates 
Default networks accepted from incoming updates 
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0

3.3.A RIP configuration
        -no auto-summary
        -authentication plain text (password TEST)
        -rip version 2
        -passive interface to servers
router rip
 network 192.168.1.0
 network 192.168.223.0
 passive-interface dmz1
 version 2
 no auto-summary
interface GigabitEthernet2.50
 rip authentication key ***** key_id 1

3.3.B RIP verification & troubleshooting
Correct status
ASA1# debug rip
RIP: sending v2 update to 224.0.0.9 via dmz2 (192.168.1.1)
RIP: build update entries
     192.168.223.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 1 routes
RIP: Update queued
RIP: Update sent via dmz2 rip-len:52
RIP: received packet with text authentication TEST
RIP: received v2 update from 192.168.1.2 on dmz2
     4.4.4.0 255.255.255.0 via 0.0.0.0 in 1 hops
RIP-DB: network_update with 4.4.4.0 255.255.255.0 succeeds
RIP-DB: adding 4.4.4.0 255.255.255.0 (metric 1) via 192.168.1.2 on GigabitEthernet2.50 to RIP database



Troubleshooting
a. Authentication issue
ASA1# debug rip
RIP: ignored v2 packet from 192.168.1.2 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via dmz2 (192.168.1.1)
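As an added example (not code from the original post), the debug lines from the OSPF, EIGRP and RIP troubleshooting sections above can be triaged automatically: each known adjacency-failure message is mapped to a protocol, peer, interface and cause, and causes are grouped per neighbour. The message texts are the ones quoted in this post; the list DEBUG_LINES itself is constructed, and the OSPF AuType names come from RFC 2328.

```python
import re

# Constructed list reusing the debug messages quoted in this post (not a capture).
DEBUG_LINES = [
    "OSPF: Rcv pkt from 123.123.1.3, outside : Mismatch Authentication type. "
    "Input packet specified type 0, we use type 2",
    "OSPF: Send with youngest Key 1",
    "EIGRP: GigabitEthernet1: ignored packet from 10.10.1.2, opcode = 5 (missing authentication)",
    "EIGRP: Received HELLO on GigabitEthernet1 nbr 10.10.1.2  AS 65538, Flags 0x0, "
    "Seq 0/0 interfaceQ 0/0    K-value mismatch",
    "RIP: ignored v2 packet from 192.168.1.2 (invalid authentication)",
    "RIP: received v2 update from 192.168.1.2 on dmz2",
]

# OSPF AuType values (RFC 2328): 0 = null, 1 = simple password, 2 = cryptographic (MD5)
OSPF_AUTH = {"0": "null", "1": "plain text", "2": "MD5"}

OSPF_RE = re.compile(r"OSPF: Rcv pkt from ([\d.]+), (\S+) : Mismatch Authentication type\."
                     r" Input packet specified type (\d), we use type (\d)")
EIGRP_AUTH_RE = re.compile(r"EIGRP: (\S+): ignored packet from ([\d.]+), opcode = \d+"
                           r" \(missing authentication\)")
EIGRP_K_RE = re.compile(r"EIGRP: Received HELLO on (\S+) nbr ([\d.]+).*K-value mismatch")
RIP_RE = re.compile(r"RIP: ignored v2 packet from ([\d.]+) \(invalid authentication\)")

def classify(line: str):
    """Return a finding dict for a known adjacency-failure line, else None."""
    m = OSPF_RE.search(line)
    if m:
        theirs = OSPF_AUTH.get(m.group(3), m.group(3))
        ours = OSPF_AUTH.get(m.group(4), m.group(4))
        return {"proto": "ospf", "peer": m.group(1), "iface": m.group(2),
                "cause": f"authentication type mismatch (peer: {theirs}, ours: {ours})"}
    m = EIGRP_AUTH_RE.search(line)
    if m:
        return {"proto": "eigrp", "peer": m.group(2), "iface": m.group(1),
                "cause": "peer sends unauthenticated packets while the ASA interface requires MD5"}
    m = EIGRP_K_RE.search(line)
    if m:
        return {"proto": "eigrp", "peer": m.group(2), "iface": m.group(1),
                "cause": "K-value mismatch; the ASA supports default K-values only, fix the peer"}
    m = RIP_RE.search(line)
    if m:
        return {"proto": "rip", "peer": m.group(1), "iface": None,
                "cause": "invalid authentication (key or mode mismatch)"}
    return None

def triage(lines) -> dict:
    """Group causes by (protocol, peer) so a flapping neighbour yields one entry."""
    findings = {}
    for line in lines:
        f = classify(line)
        if f:
            findings.setdefault((f["proto"], f["peer"]), []).append(f["cause"])
    return findings

if __name__ == "__main__":
    for (proto, peer), causes in triage(DEBUG_LINES).items():
        print(f"{proto} neighbour {peer}:")
        for cause in causes:
            print("  -", cause)
```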

3.4.A Default route & routing protocol redistribution:

-static default route
Configure a static default route through router R2:
route outside 0 0 123.123.1.2
-RIP default information originate
Redistribute the default route into RIP:
router rip
 default-information originate
-Redistribute default route into EIGRP
router eigrp 1
 redistribute static
-Redistribute RIP and EIGRP into OSPF
router ospf 1
 redistribute eigrp 1 subnets
 redistribute rip subnets
3.4.B Verification and troubleshooting
  • Static
ASA1# show route
Gateway of last resort is 123.123.1.2 to network 0.0.0.0

D    1.1.1.0 255.255.255.0 [90/156160] via 10.10.1.2, 0:00:41, inside
O    2.2.2.2 255.255.255.255 [110/11] via 123.123.1.2, 0:01:42, outside
O    3.3.3.3 255.255.255.255 [110/11] via 123.123.1.3, 0:01:42, outside
R    4.4.4.0 255.255.255.0 [120/1] via 192.168.1.2, 0:00:23, dmz2
C    10.10.1.0 255.255.255.0 is directly connected, inside
C    123.123.1.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, dmz2
C    192.168.223.0 255.255.255.0 is directly connected, dmz1
S*   0.0.0.0 0.0.0.0 [1/0] via 123.123.1.2, outside

  • RIP
ASA1# show rip database
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0    redistributed    [0] via 0.0.0.0,
R4#show ip route rip
R    192.168.223.0/24 [120/1] via 192.168.1.1, 00:00:22, FastEthernet0/0
R*   0.0.0.0/0 [120/1] via 192.168.1.1, 00:00:22, FastEthernet0/0
  • EIGRP
ASA1# show eigrp 1 topology
EIGRP-IPv4 Topology Table for AS(1)/ID(123.123.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 28160
        via Rstatic (28160/0)
R1#show ip route eigrp 
D*EX 0.0.0.0/0 [170/30720] via 10.10.1.1, 00:09:08, FastEthernet0/0
  • OSPF
ASA1(config-router)# show ospf database
              OSPF Router with ID (5.5.5.5) (Process ID 1)
Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
1.1.1.0         5.5.5.5         278         0x80000001 0x2d5c   0
4.4.4.0         5.5.5.5         483         0x80000001 0xc0bf   0
10.10.1.0       5.5.5.5         473         0x80000001 0x4b2c   0
192.168.1.0     5.5.5.5         483         0x80000001 0x948d   0
192.168.223.0   5.5.5.5         483         0x80000001 0x 142   0

R3#show ip route ospf  
  1.0.0.0/24 is subnetted, 1 subnets
O E2    1.1.1.0 [110/20] via 123.123.1.1, 00:12:25, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 123.123.1.2, 00:13:26, FastEthernet0/0
    4.0.0.0/24 is subnetted, 1 subnets
O E2    4.4.4.0 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0 
   10.0.0.0/24 is subnetted, 1 subnets
O E2    10.10.1.0 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0
O E2 192.168.223.0/24 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0