- Topology
*This scenario focuses on the Cisco ASA configuration. Router and switch configuration is omitted.
1. Configure the following interfaces on the ASA:
-inside security-level 100 (EIGRP area)
-outside security-level 0 (OSPF area)
-dmz1 security-level 75 (servers area)
-dmz2 security-level 50 (RIP area)
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 123.123.1.1 255.255.255.0
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet2.75
 vlan 75
 nameif dmz1
 security-level 75
 ip address 192.168.223.1 255.255.255.0
interface GigabitEthernet2.50
 vlan 50
 nameif dmz2
 security-level 50
 ip address 192.168.1.1 255.255.255.0
2. Configure all the corresponding IP addresses on R1, R2, R3, R4 and on the Windows and Linux servers respectively.
Loopback IP addresses:
R1 - 1.1.1.1/24
R2 - 2.2.2.2/24
R3 - 3.3.3.3/24
R4 - 4.4.4.4/24
3. Routing configuration
3.1.A OSPF configuration:
-area 0
-md5 authentication (password TEST)
-ASA router-id 5.5.5.5
router ospf 1
 router-id 5.5.5.5
 ! the network statement must cover the outside subnet (123.123.1.0/24), otherwise OSPF never runs on GigabitEthernet0
 network 123.123.1.0 255.255.255.0 area 0
interface GigabitEthernet0
 ospf message-digest-key 1 md5 TEST
 ospf authentication message-digest
3.1.B OSPF verification & troubleshooting:
Correct status:
ASA1# show ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 0:00:38 123.123.1.2 outside
3.3.3.3 1 FULL/BDR 0:00:38 123.123.1.3 outside
ASA1# show ospf interface
outside is up, line protocol is up
Internet Address 123.123.1.1 mask 255.255.255.0, Area 0
Process ID 1, Router ID 5.5.5.5, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 123.123.1.2
Backup Designated router (ID) 3.3.3.3, Interface address 123.123.1.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:07
Index 1/1, flood queue length 0
Next 0x00000000(0)/0x00000000(0)
Last flood scan length is 0, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 2.2.2.2 (Designated Router)
Adjacent with neighbor 3.3.3.3 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
* Ensure the ASA does not become DR or BDR on the Ethernet segment by using the interface configuration command ospf priority 0:
interface GigabitEthernet0
 ospf priority 0
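To make the "type 0 / type 1 / type 2" numbers in the OSPF debug output concrete, here is an added Python example (not part of this post and not Cisco code). It builds a minimal OSPFv2 packet with null, simple-password or cryptographic (MD5) authentication as defined in RFC 2328 Appendix D, and checks it the way a receiver configured for MD5 does: the AuType field must match first, and only then is the digest recomputed over the packet followed by the key zero-padded to 16 bytes. The router-id 5.5.5.5 and the key TEST come from this lab; the empty Hello body and all function names are my own constructions.

```python
"""OSPFv2 authentication check modelled on RFC 2328 Appendix D (added example, not ASA code)."""
import hashlib
import hmac
import ipaddress
import struct

# AuType values from RFC 2328 Appendix D; these are the "type 0 / 1 / 2" numbers
# the ASA prints in "Mismatch Authentication type. Input packet specified type X".
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
AUTH_NAMES = {AUTH_NULL: "null", AUTH_SIMPLE: "simple password", AUTH_CRYPTO: "cryptographic (MD5)"}

# 24-byte OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType, authentication field
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
DIGEST_LEN = 16
ROUTER_ID = ipaddress.IPv4Address("5.5.5.5").packed  # the ASA's router-id in this lab


def md5_trailer(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes."""
    padded = key.encode().ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]
    return hashlib.md5(packet + padded).digest()


def build_packet(body, autype, key="", key_id=1, seq=0):
    """Build an OSPFv2 Hello (type 1) carrying `body` with the requested authentication.

    AuType 2: auth field = 0, key id, digest length, crypto sequence number;
    the checksum stays 0 and the MD5 digest is appended after the body (it is
    not counted in the OSPF length field).
    """
    length = OSPF_HEADER.size + len(body)
    if autype == AUTH_CRYPTO:
        auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    elif autype == AUTH_SIMPLE:
        auth_field = key.encode().ljust(8, b"\x00")[:8]  # password travels in clear text
    else:
        auth_field = bytes(8)
    packet = OSPF_HEADER.pack(2, 1, length, ROUTER_ID, bytes(4), 0, autype, auth_field) + body
    if autype == AUTH_CRYPTO:
        packet += md5_trailer(packet, key)
    return packet


def check_incoming(packet, local_autype, key="TEST"):
    """Receiver-side check. Returns (accepted, reason), worded like the ASA debug messages."""
    _ver, _type, length, _rid, _area, _cksum, autype, auth_field = OSPF_HEADER.unpack_from(packet)
    if autype != local_autype:
        return False, ("Mismatch Authentication type. Input packet specified type %d, we use type %d"
                       % (autype, local_autype))
    if autype == AUTH_NULL:
        return True, "accepted without authentication"
    if autype == AUTH_SIMPLE:
        ok = hmac.compare_digest(auth_field, key.encode().ljust(8, b"\x00")[:8])
        return ok, "simple password " + ("ok" if ok else "mismatch")
    _zero, key_id, dlen, seq = struct.unpack("!HBBI", auth_field)
    if dlen != DIGEST_LEN or len(packet) != length + DIGEST_LEN:
        return False, "malformed cryptographic authentication trailer"
    expected = md5_trailer(packet[:length], key)
    if not hmac.compare_digest(bytes(packet[length:]), expected):
        return False, "MD5 digest mismatch for key id %d" % key_id
    return True, "MD5 digest ok (key id %d, seq %d)" % (key_id, seq)


HELLO_BODY = bytes(20)  # constructed placeholder; the Hello contents do not matter for the trailer check

if __name__ == "__main__":
    good = build_packet(HELLO_BODY, AUTH_CRYPTO, "TEST", seq=1)
    print(check_incoming(good, AUTH_CRYPTO, "TEST"))
    print(check_incoming(good, AUTH_CRYPTO, "WRONG"))
    for t in (AUTH_NULL, AUTH_SIMPLE):
        print(AUTH_NAMES[t], check_incoming(build_packet(HELLO_BODY, t, "TEST"), AUTH_CRYPTO))
```

The order of the checks is the point: a neighbor sending AuType 0 or 1 is rejected before any key is looked at, which is exactly why the ASA reports the type mismatch rather than a bad digest in the troubleshooting output that follows.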
Troubleshooting
a. Authentication mismatch
(no authentication vs. MD5 authentication)
ASA1# debug ospf adj
OSPF adjacency events debugging is on
OSPF: Rcv pkt from 123.123.1.3, outside : Mismatch Authentication type. Input packet specified type 0, we use type 2
OSPF: Send with youngest Key 1
(plain text authentication vs. MD5 authentication)
ASA1# debug ospf adj
OSPF adjacency events debugging is on
ASA1# OSPF: Rcv pkt from 123.123.1.3, outside : Mismatch Authentication type. Input packet specified type 1, we use type 2
OSPF: Send with youngest Key 1
b. Flapping OSPF neighbor due to network type mismatch
Check the network type on both ends (the ASA reports it in show ospf interface; here it is BROADCAST):
ASA1# show ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 0:00:38 123.123.1.2 outside
3.3.3.3 1 FULL/BDR 0:00:38 123.123.1.3 outside
ASA1# show ospf interface
outside is up, line protocol is up
Internet Address 123.123.1.1 mask 255.255.255.0, Area 0
Process ID 1, Router ID 5.5.5.5, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 123.123.1.2
Backup Designated router (ID) 3.3.3.3, Interface address 123.123.1.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:07
Index 1/1, flood queue length 0
Next 0x00000000(0)/0x00000000(0)
Last flood scan length is 0, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 2.2.2.2 (Designated Router)
Adjacent with neighbor 3.3.3.3 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
3.2.A EIGRP configuration
-md5 authentication (password TEST)
-no auto-summary
router eigrp 1
 network 10.10.1.0 255.255.255.0
 no auto-summary
interface GigabitEthernet1
 authentication key eigrp 1 TEST key-id 1
 authentication mode eigrp 1 md5
*EIGRP supports only MD5 authentication
3.2.B EIGRP verification & troubleshooting
Correct status:
ASA1# show eigrp neigh
EIGRP-IPv4 neighbors for process 1
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
0   10.10.1.2       Gi1         13    00:02:59  4      200   0    3
Troubleshooting
a. Authentication issue
ASA1# debug eigrp packets
EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP: Sending HELLO on GigabitEthernet1 AS 65538, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: GigabitEthernet1: ignored packet from 10.10.1.2, opcode = 5 (missing authentication)
EIGRP: Sending HELLO on GigabitEthernet1
b. K-value mismatch
ASA1# debug eigrp packets
EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
ASA1(config)# EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.10.1.2 AS 65538, Flags 0x0, Seq 0/0 interfaceQ 0/0 K-value mismatch
The ASA does NOT support changing the K-values. Make sure the K-values on the other end are left at their defaults, as in the R1 output:
R1#show ip protocols
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
3.3.A RIP configuration
-no auto-summary
-authentication plain text (password TEST)
-rip version 2
-passive interface to servers
router rip
 network 192.168.1.0
 network 192.168.223.0
 passive-interface dmz1
 version 2
 no auto-summary
interface GigabitEthernet2.50
 rip authentication key TEST key_id 1
3.3.B RIP verification & troubleshooting
Correct status
ASA1# debug rip
RIP: sending v2 update to 224.0.0.9 via dmz2 (192.168.1.1)
RIP: build update entries
192.168.223.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 1 routes
RIP: Update queued
RIP: Update sent via dmz2 rip-len:52
RIP: received packet with text authentication TEST
RIP: received v2 update from 192.168.1.2 on dmz2
4.4.4.0 255.255.255.0 via 0.0.0.0 in 1 hops
RIP-DB: network_update with 4.4.4.0 255.255.255.0 succeeds
RIP-DB: adding 4.4.4.0 255.255.255.0 (metric 1) via 192.168.1.2 on GigabitEthernet2.50 to RIP database
Troubleshooting
a. Authentication issue
ASA1# debug rip
RIP: ignored v2 packet from 192.168.1.2 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via dmz2 (192.168.1.1)
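The OSPF, EIGRP and RIP troubleshooting sections above each rely on spotting one tell-tale line in a stream of debug output. The following Python script is an added example (not part of this post, not a Cisco tool) that does that spotting automatically: it strips the ASA prompt, matches the four failure signatures shown in this post (OSPF authentication type mismatch, EIGRP missing authentication, EIGRP K-value mismatch, RIP invalid authentication), extracts the peer and interface, and collapses repeats into a per-neighbor summary with the fix this post prescribes. The sample input is constructed from the debug lines shown above; the pattern set, issue codes and function names are my own.

```python
"""Classify Cisco ASA routing-protocol debug lines into adjacency/authentication findings (added example)."""
import re

# Constructed sample: the debug lines quoted in this post plus a few benign lines,
# in the order a console session might produce them.
SAMPLE_DEBUG = """\
OSPF: Rcv pkt from 123.123.1.3, outside : Mismatch Authentication type. Input packet specified type 0, we use type 2
OSPF: Send with youngest Key 1
ASA1# OSPF: Rcv pkt from 123.123.1.3, outside : Mismatch Authentication type. Input packet specified type 1, we use type 2
EIGRP: Sending HELLO on GigabitEthernet1 AS 65538, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: GigabitEthernet1: ignored packet from 10.10.1.2, opcode = 5 (missing authentication)
ASA1(config)# EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.10.1.2 AS 65538, Flags 0x0, Seq 0/0 interfaceQ 0/0 K-value mismatch
RIP: ignored v2 packet from 192.168.1.2 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via dmz2 (192.168.1.1)
"""

OSPF_AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}

# Failure signatures as printed by the ASA; each maps to an issue code of my own naming.
PATTERNS = [
    ("ospf-auth-type-mismatch",
     re.compile(r"OSPF: Rcv pkt from (?P<peer>[\d.]+), (?P<iface>\S+) : Mismatch Authentication type\. "
                r"Input packet specified type (?P<got>\d), we use type (?P<want>\d)")),
    ("eigrp-missing-auth",
     re.compile(r"EIGRP: (?P<iface>\S+): ignored packet from (?P<peer>[\d.]+), opcode = \d+ "
                r"\(missing authentication\)")),
    ("eigrp-kvalue-mismatch",
     re.compile(r"EIGRP: Received HELLO on (?P<iface>\S+) nbr (?P<peer>[\d.]+) .*K-value mismatch")),
    ("rip-invalid-auth",
     re.compile(r"RIP: ignored v2 packet from (?P<peer>[\d.]+) \(invalid authentication\)")),
]

# The remediation each section of the post gives for that symptom.
REMEDIATION = {
    "ospf-auth-type-mismatch": "configure the same OSPF authentication type and key on both ends of the segment",
    "eigrp-missing-auth": "enable EIGRP MD5 authentication with the same key and key-id on the neighbor",
    "eigrp-kvalue-mismatch": "reset the neighbor's EIGRP K-values to default; the ASA cannot change its own",
    "rip-invalid-auth": "make the RIP authentication key and key_id match on both ends",
}

# Leading 'ASA1# ' or 'ASA1(config)# ' that the console interleaves with debug output.
PROMPT = re.compile(r"^\w+(\([^)]*\))?#\s*")


def classify_line(line):
    """Return a finding dict for a failure line, or None for benign output."""
    text = PROMPT.sub("", line.strip())
    for issue, pattern in PATTERNS:
        m = pattern.search(text)
        if not m:
            continue
        finding = {"issue": issue, "peer": m.group("peer"), "interface": m.groupdict().get("iface")}
        if issue == "ospf-auth-type-mismatch":
            finding["received_type"] = OSPF_AUTH_TYPES[int(m.group("got"))]
            finding["local_type"] = OSPF_AUTH_TYPES[int(m.group("want"))]
        finding["fix"] = REMEDIATION[issue]
        return finding
    return None


def summarize(debug_text):
    """Collapse repeated findings into one entry per (issue, peer, interface, received type) with a count."""
    summary = {}
    for line in debug_text.splitlines():
        finding = classify_line(line)
        if finding is None:
            continue
        key = (finding["issue"], finding["peer"], finding["interface"], finding.get("received_type"))
        entry = summary.setdefault(key, dict(finding, count=0))
        entry["count"] += 1
    return list(summary.values())


if __name__ == "__main__":
    for entry in summarize(SAMPLE_DEBUG):
        print("%-25s peer=%-13s iface=%-17s x%d  -> %s"
              % (entry["issue"], entry["peer"], entry["interface"], entry["count"], entry["fix"]))
```

Feeding it a captured `debug ospf adj` / `debug eigrp packets` / `debug rip` session (or a syslog export of the same messages) gives one line per misbehaving neighbor instead of a scrolling console, and the OSPF entry names both authentication types so the side that is misconfigured is obvious.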
3.4.A Default route & routing protocol redistribution:
-static default route
Configure a static default route through router R2
route outside 0 0 123.123.1.2
-RIP default information originate
Redistribute default route to RIP
router rip
 default-information originate
-Redistribute default route in EIGRP
router eigrp 1
redistribute static
-Redistribute RIP and EIGRP in OSPF
router ospf 1
redistribute eigrp 1 subnets
redistribute rip subnets
3.4.B Verification and troubleshooting
- Static
ASA1# show route
Gateway of last resort is 123.123.1.2 to network 0.0.0.0
D 1.1.1.0 255.255.255.0 [90/156160] via 10.10.1.2, 0:00:41, inside
O 2.2.2.2 255.255.255.255 [110/11] via 123.123.1.2, 0:01:42, outside
O 3.3.3.3 255.255.255.255 [110/11] via 123.123.1.3, 0:01:42, outside
R 4.4.4.0 255.255.255.0 [120/1] via 192.168.1.2, 0:00:23, dmz2
C 10.10.1.0 255.255.255.0 is directly connected, inside
C 123.123.1.0 255.255.255.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, dmz2
C 192.168.223.0 255.255.255.0 is directly connected, dmz1
S* 0.0.0.0 0.0.0.0 [1/0] via 123.123.1.2, outside
- RIP
ASA1# show rip database
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 redistributed [0] via 0.0.0.0,
R4#show ip route rip
R 192.168.223.0/24 [120/1] via 192.168.1.1, 00:00:22, FastEthernet0/0
R* 0.0.0.0/0 [120/1] via 192.168.1.1, 00:00:22, FastEthernet0/0
- EIGRP
ASA1# show eigrp 1 topology
EIGRP-IPv4 Topology Table for AS(1)/ID(123.123.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 28160
  via Rstatic (28160/0)
R1#show ip route eigrp
D*EX 0.0.0.0/0 [170/30720] via 10.10.1.1, 00:09:08, FastEthernet0/0
- OSPF
ASA1(config-router)# show ospf database
OSPF Router with ID (5.5.5.5) (Process ID 1)
Type-5 AS External Link States
Link ID         ADV Router   Age   Seq#        Checksum  Tag
1.1.1.0         5.5.5.5      278   0x80000001  0x2d5c    0
4.4.4.0         5.5.5.5      483   0x80000001  0xc0bf    0
10.10.1.0       5.5.5.5      473   0x80000001  0x4b2c    0
192.168.1.0     5.5.5.5      483   0x80000001  0x948d    0
192.168.223.0   5.5.5.5      483   0x80000001  0x0142    0
R3#show ip route ospf
1.0.0.0/24 is subnetted, 1 subnets
O E2 1.1.1.0 [110/20] via 123.123.1.1, 00:12:25, FastEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 123.123.1.2, 00:13:26, FastEthernet0/0
4.0.0.0/24 is subnetted, 1 subnets
O E2 4.4.4.0 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.1.0 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0
O E2 192.168.223.0/24 [110/20] via 123.123.1.1, 00:13:26, FastEthernet0/0