Internet redundancy suggestion

Unanswered Question
Mar 24th, 2008

Hi All,

Scenario:

SiteA:

1. 4500 with OSPF enabled and static 0.0.0.0 0.0.0.0 10.20.20.5 (ASA inside IP)

2. ASA also OSPF enabled with network stmt "network 10.20.20.5 255.255.255.255 area x" (same area as the 4500) and static route 0.0.0.0 0.0.0.0 1.1.1.1 --> cable modem static IP

3. 4500 <-- p2p 1gig link --> HQ site via OSPF. HQ has another big internet pipe.

Is there any way I can configure the 4500 & ASA so that, in case the internet via the cable modem fails, the internet traffic dynamically routes via the HQ site, and reverts back by itself in case the cable modem comes back online?

Please suggest. Thanks in advance.

MS

JORGE RODRIGUEZ Mon, 03/24/2008 - 20:26

On the 4500 you could have two default routes, one with a higher AD as your backup default route.

In the HQ firewall, have your 4500 internal subnets configured for PAT for outbound internet.

i.e.

ip route 0.0.0.0 0.0.0.0 ASA_Firewall_ip 1

ip route 0.0.0.0 0.0.0.0 HQ_Firewall_IP 255

As soon as your cable modem ISP link is down, the gateway of last resort for the 4500 will be directed to HQ.

Another note, depending on how your OSPF topology is: if the HQ network is participating in OSPF and all sites are in the same OSPF domain, the HQ firewall can inject its default route downstream through default-information originate in the fw OSPF process, as well as in the ASA/cable modem firewall; you could have two default routes dynamically propagated and would not have to configure statics.

HTH

Jorge

fortis123 Tue, 03/25/2008 - 04:40

Hi Jorge,

Thank you for the quick reply and suggestion. Please see below...

ip route 0.0.0.0 0.0.0.0 ASA_Firewall_ip 1

ip route 0.0.0.0 0.0.0.0 HQ_Firewall_IP 255

Will it work? As the 4500 connects directly to the ASA inside interface and has a default route to the ASA inside IP (the ASA outside has a connection to the cable modem via static IPs), even though the cable modem service is down, the 4500 sends traffic to the ASA inside interface because the interface is up.

Please correct me if I miss some basics about static routes here. :-)

default-information originate:

I had this idea, but thank you for shedding light on the point about OSPF areas; HQ & BO are in different areas.

So for this, if I add "default-information originate" on the BO ASA and add a static default route with AD 200 on the 4500 pointing to the HQ rtr, now as the BO ASA is configured with a static default route to the cable modem (route outside 0.0.0.0 0.0.0.0 1.1.1.1 1), in case the cable modem service is down, will it forward the traffic to HQ?

Please suggest.

Thank you

MS

JORGE RODRIGUEZ Tue, 03/25/2008 - 07:02

MS, the default static routes should work. I will try to lab this out today if I have time, but I believe that even though the default route points to an up/up interface in the firewall, the ASA will not forward outbound internet traffic if the cable_modem is no longer reachable, thus the 4500's second default route would kick in.

With the use of default-information originate in HQ, for example if HQ is backbone area 0, a default route will appear as an advertised external link in the OSPF database in your BO if the BO ABR is in a different area. I believe a good choice would be default-information originate at both the HQ and BO firewalls.

Rgds

Jorge

fortis123 Tue, 03/25/2008 - 12:53

Thank you Jorge. I know you got my scenario, but I just wanted to give a quick rundown...

BO:

4500:

router ospf 100
 network 172.16.5.0 0.0.0.3 area 0.0.0.10
 network 172.16.10.0 0.0.0.0 area 0.0.0.10
 network 172.16.12.0 0.0.0.0 area 0.0.0.10
 network 172.16.15.0 0.0.0.0 area 0.0.0.10
!
ip route 0.0.0.0 0.0.0.0 172.16.10.10 name InternetAccess
!
interface gig 4/1
 description gig link to HQ
 ip address 172.16.5.1 255.255.255.252
!

ASA:

inside interface IP: 172.16.10.10 /24 (to 4500)
outside interface IP: 1.1.1.1 /29 (to Internet)
!
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
!
router ospf 100
 network 172.16.10.10 255.255.255.255 area 0.0.0.10
!

HQ end:

router ospf 100
 network 172.16.5.0 0.0.0.3 area 0.0.0.10
!
interface gig 7/1
 description gig to BO
 ip address 172.16.5.2 255.255.255.252
!

----------------------------------

So adding on the 4500:

ip route 0.0.0.0 0.0.0.0 172.16.5.1 150 name BACKUP_INternet_Path

will work dynamically in case the cable modem goes down.

Thank you

MS

JORGE RODRIGUEZ Tue, 03/25/2008 - 15:45

MS, thanks for providing more info. I see HQ and BO are both in the same area. If you don't mind my asking, where is area 0? And where does HQ get a default route from?

Assuming HQ has its own ISP, I am sure that there would be a firewall facing the internet at HQ. If this is the case, what I would do is to have the HQ ASA inside interface participate in OSPF in the same area 10. In the HQ ASA you may have a static default route configured, but have the inside interface in OSPF area 10 with default-information originate plus static redistribution, thus the default route will get injected downstream. The same principle for the BO ASA and OSPF for the inside interface, but you can keep it simple with two default routes in the 4500. At the HQ router 172.16.5.2, is there a default route? If there is a gateway of last resort you can just do it with the two statics in the 4500 like I said before; you have to have both, one facing the BO firewall inside interface with a low admin distance and the second with a higher AD. One alone will not work because the BO ASA inside interface is not injecting a default route into the 4500, or is it?

ip route 0.0.0.0 0.0.0.0 172.16.10.10 1 name ASA_inside_interface

ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path

As long as the HQ router 172.16.5.2 has a gateway of last resort, the backup internet path will work should the ASA no longer have internet in BO.

Again, in the HQ firewall the subnets from BO should be configured for PAT so that the internet is accessible.

HTH

Rgds

Jorge

fortis123 Tue, 03/25/2008 - 20:14

Hi Jorge,

Thank you for the explanation and your time. HQ is area 0 and only the gig int connected to BO has been configured for area 10 on the HQ core. So HQ has configs...

_________________________________

network 10.20.11.0 0.0.0.3 area 0.0.0.0
network 10.50.10.0 0.0.0.3 area 0.0.0.10
network 10.60.0.0 0.0.255.255 area 0.0.0.0
network 10.100.20.4 0.0.0.3 area 0.0.0.0
network 10.230.23.0 0.0.0.255 area 0.0.0.0
network 20.93.50.0 0.0.0.63 area 0.0.0.0

-----------------------------------

Also, HQ has a default route to the ASA inside i/f at HQ.

So as the BO ASA is not injecting a default route into the 4500, as suggested, I will go with

ip route 0.0.0.0 0.0.0.0 172.16.10.10 1 name ASA_inside_interface

ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path

Thank you again for your time and suggestions.

regards

MS

fortis123 Tue, 03/25/2008 - 20:31

Sorry Jorge, I just checked by adding the routes on the 4500 and doing a 'shutdown' of the outside interface on the BO ASA. No luck. Not getting internet.

Thank you

MS

JORGE RODRIGUEZ Tue, 03/25/2008 - 20:59

In the HQ router can you post the output of show ip route? Make sure there is a default route in 172.16.5.2. Also, while BO ASA internet is shut, try tracert by IP to yahoo.com [216.109.112.135] and post the output of the trace. Also make sure the HQ firewall is permitting BO subnets for outbound internet.

Jorge

fortis123 Wed, 03/26/2008 - 06:20

HQ router output of show ip route:

O IA 192.168.29.0/24 [110/3] via 192.168.100.3, 3d20h, Vlan171
                     [110/3] via 192.168.100.67, 3d20h, Vlan172
                     [110/3] via 192.168.100.131, 3d20h, Vlan173
                     [110/3] via 192.168.100.195, 3d20h, Vlan174
C    192.168.100.0/26 is directly connected, Vlan171
C    192.168.100.64/26 is directly connected, Vlan172
C    192.168.100.128/26 is directly connected, Vlan173
C    192.168.100.192/26 is directly connected, Vlan174
     172.16.5.0/24 [110/2] via , 3d20h, GigabitEthernet7/1
S    10.40.0.0/16 [1/0] via 192.168.100.3
O    172.16.10.0/24 [110/2] via 172.16.5.2, 3d20h, GigabitEthernet7/1
C    10.40.11.0/30 is directly connected, GigabitEthernet6/5
C    10.60.25.0/24 is directly connected, Vlan25
C    172.16.5.0/30 is directly connected, GigabitEthernet7/1
S*   0.0.0.0/0 [1/0] via 192.168.100.6 --> HQ ASA inside interface

HQ firewall is permitting BO subnets:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 216.210.67.10

Thank you

MS

JORGE RODRIGUEZ Wed, 03/26/2008 - 09:18

Two things: when you conduct the BO internet shutdown test, please traceroute to a public IP. If the trace indicates going towards the HQ firewall, that is a good sign and I would then suggest looking at DNS, but if the trace stops at 172.16.5.2, change the default backup route to point to the HQ firewall inside interface instead.

no ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path

ip route 0.0.0.0 0.0.0.0 <HQFW_inside_interface_IP> 150 name BACKUP_INternet_Path

Once the change is made in the BO 4500, while BO internet is down do a tracert to a public IP and post the output of the trace. If the trace indicates hitting the HQ firewall then this indicates it works; if this is the case I would suggest either looking into the DNS server at BO and/or being more specific in the HQ firewall even if they have nat (inside) 1 0 0. But try the above suggestions first; traceroute output from the 4500 is important during the test.

Let us know how it works out; if no joy I'll take another approach.

Rgds

Jorge

fortis123 Sat, 03/29/2008 - 12:52

Hi Jorge,

Sorry, it took a long time to run the test; I just did the test again.

1. With two routes in place (primary via FW & backup path via gig link), by shutting down the ASA public interface, with

"ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path"

the traffic is going nowhere (waited like 5 mins); the 4500 is still showing the ASA inside interface as the default route destination.

Tracert to a Google IP from a PC times out at the gateway (VLAN i/f on the 4500).

2. I took out the ASA route from the 4500 and added

ip route 0.0.0.0 0.0.0.0 172.16.5.2 name test_INternet_Path

Internet works fine, no drop in ping, and I see the other site's public IP from whatismyip.com from my PC.

So I might need to try with 'OSPF default-information originate' on the ASA and take out the primary default (leaving the backup path) from the 4500.

What do you say?

Thank you

MS

JORGE RODRIGUEZ Sat, 03/29/2008 - 20:19

MS, I was wondering about the outcome of your test and was going to drop a note asking for a testing update.

I had a similar scenario very long ago and it had worked; the only difference was that the site, i.e. BO, was in a different OSPF area. Perhaps anyone in the forum may jump in and comment on it.

I would then try advertising a default route from the ASA in your branch office. A few changes you will need to do, but not that bad: have the ASA inside interface participate in the same OSPF area as the 4500, with a backup default with a higher AD. I have not tried it this way, but the only way to find out is by testing it.

Rgds

Jorge

fortis123 Sat, 03/29/2008 - 20:57

Hi Jorge,

Thank you for sharing your ideas and your valuable time. I just did another quick test...

On the 4500: took out the default route to the ASA inside i/f, and that left it with...

ip route 0.0.0.0 0.0.0.0 10.50.10.1 150 name INTERNET-BACKUP-PATH

On the ASA under the OSPF process, I have added:

default-information originate metric 200 metric-type 1

And guess what... it worked. When I shut down the ASA outside i/f, the traffic went via the backup path, and when the i/f came up, traffic rerouted with no manual intervention.

With the command, the new route in the 4500:

O*E1 0.0.0.0/0 [110/201] via 10.40.35.4, 00:00:02, Vlan35

So I am trying to understand how exactly "default-information originate metric 200 metric-type 1" works (as the metric is 200 and the backup path AD is 150)... I am wondering why it is not preferring the path with AD 150. :-)

I know I am surely missing some OSPF concept. I need to go through the OSPF docs, but if you can shed some light, that would be really great.

Thank you

MS

JORGE RODRIGUEZ Sun, 03/30/2008 - 11:44

MS, this is great news that it worked, and thank you for updating the test and sharing the outcome.

In reference to the BO ASA metric 200 configuration and understanding it, well, you're not alone. I should say we are sent back to the beginning; I include myself in hitting some docs to better understand how OSPF/SPF operates. Also one must understand how the OSPF architecture is deployed in the company.

My thought is that by dynamically injecting the default route downstream from the BO ASA towards the 4500, that default route is always preferred even with metric 200.

There are some rules (order) pertaining to OSPF route preference and I think these rules should be considered in your equation. That's according to RFC 2328, which states intra-area routes are preferred first over any other learned type of route. This is the order of OSPF route preference:

1st - intra-area routes, O
2nd - inter-area routes, O IA
3rd - external routes type 1, O E1
4th - external routes type 2, O E2

Here is a link for OSPF stuff

http://www.cisco.com/en/US/tech/tk365/tk480/tsd_technology_support_sub-protocol_home.html

Also it is good to analyse your OSPF database in each area ABR with show ip ospf database or show ip ospf ?. The OSPF database will provide current OSPF route types with calculated metrics.

[edit] When the BO ISP is NOT shut down, issue show ip route and take note of the metrics on the default route; you should see a lower metric and the type should be (O) intra-area route. When the BO ASA ISP is shut down the backup route is noted as (O*E1) type, which is considered an external route; this proves the OSPF order of route preference.

HTH

Rgds

Jorge
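
The 4500's choice between the two defaults, as an added example that is not from the thread: a toy RIB that installs a route only while its egress interface is up and then selects by longest prefix, then lowest administrative distance, and only then lowest metric. The addresses are the ones from the configs posted above; the 4500 interface names, the link state, and the ASA's behaviour (its outside default disappears when the outside interface is shut, and without the always keyword default-information originate only advertises a default the ASA itself has in its table) are assumptions of the model, not something the thread shows. It reproduces both tests: with two statics, the AD 1 route to the ASA inside address never leaves the table because the 4500's own link stays up, so traffic is blackholed; with the OSPF-originated default, the [110/201] route beats the AD 150 static because AD is compared before metric, and it is withdrawn when the ASA loses its own default. The last case shows why the always keyword would be a mistake here: the 4500 would keep sending traffic to a firewall with no uplink.

```python
"""Toy RIB / route-selection model for the BO failover discussed in the thread.
Added example, not the thread's own configuration. Addresses come from the
posted configs; interface names, link state and ASA behaviour are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str     # e.g. "0.0.0.0/0"
    next_hop: str
    ad: int         # administrative distance: connected 0, static 1, OSPF 110
    metric: int     # compared only when the AD ties
    proto: str      # "C", "S" or "O*E1" as show ip route would label it
    iface: str      # egress interface the route resolves through


def install(candidates: List[Route], iface_up: Dict[str, bool]) -> List[Route]:
    """Only routes whose egress interface is up are installed in the RIB."""
    return [r for r in candidates if iface_up.get(r.iface, False)]


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match first, then lowest AD, then lowest metric."""
    addr = ip_address(dst)
    matches = [r for r in rib if addr in ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ip_network(r.prefix).prefixlen, r.ad, r.metric))


# Assumed 4500 interfaces: Vlan10 faces the ASA inside (172.16.10.10),
# Gig4/1 is the p2p link to HQ (172.16.5.2). Both stay up in every test,
# because shutting the ASA's *outside* interface never touches them.
IFACE_UP_4500 = {"Vlan10": True, "Gig4/1": True}

CONNECTED = [
    Route("172.16.10.0/24", "0.0.0.0", 0, 0, "C", "Vlan10"),
    Route("172.16.5.0/30", "0.0.0.0", 0, 0, "C", "Gig4/1"),
]


def asa_has_default(asa_outside_up: bool) -> bool:
    """'route outside 0.0.0.0 0.0.0.0 1.1.1.2 1' exists only while outside is up."""
    return asa_outside_up


def asa_originates_default(asa_outside_up: bool, always: bool = False) -> bool:
    """default-information originate [always]: without 'always' the ASA only
    advertises a default route when it has one of its own (assumed behaviour)."""
    return always or asa_has_default(asa_outside_up)


def floating_static_only(asa_outside_up: bool, dst: str = "8.8.8.8"):
    """First test in the thread: two statics, AD 1 to ASA inside, AD 150 to HQ."""
    candidates = CONNECTED + [
        Route("0.0.0.0/0", "172.16.10.10", 1, 0, "S", "Vlan10"),
        Route("0.0.0.0/0", "172.16.5.2", 150, 0, "S", "Gig4/1"),
    ]
    # asa_outside_up is irrelevant here: the 4500 only sees its own link.
    best = lookup(install(candidates, IFACE_UP_4500), dst)
    return best.next_hop, best.proto


def ospf_default_from_asa(asa_outside_up: bool, always: bool = False,
                          dst: str = "8.8.8.8"):
    """Working test: AD 150 static to HQ plus the ASA-originated OSPF default."""
    candidates = CONNECTED + [Route("0.0.0.0/0", "172.16.5.2", 150, 0, "S", "Gig4/1")]
    if asa_originates_default(asa_outside_up, always):
        # metric-type 1 adds the link cost: 200 + 1 = 201, the [110/201] seen above
        candidates.append(Route("0.0.0.0/0", "172.16.10.10", 110, 201, "O*E1", "Vlan10"))
    best = lookup(install(candidates, IFACE_UP_4500), dst)
    return best.next_hop, best.proto


if __name__ == "__main__":
    for up in (True, False):
        print("statics only, ASA outside up=%s ->" % up, floating_static_only(up))
        print("OSPF default, ASA outside up=%s ->" % up, ospf_default_from_asa(up))
    print("OSPF default with 'always', outside down ->",
          ospf_default_from_asa(False, always=True))
    print("local subnet ->", ospf_default_from_asa(True, dst="172.16.10.50"))
```

The model deliberately has no view of the ASA's outside link from the 4500's side, which is exactly the gap the floating static fell into: a static route is valid as long as its next hop is reachable over an up interface, and nothing on the 4500 knows the cable modem is gone. The OSPF variant works because the ASA, which does know, stops advertising.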

fortis123 Sun, 03/30/2008 - 19:28

Hi Jorge,

I ran the test again, observed closely, and noticed an issue. There is another site (also connected to the main site via a gig line, another area #) with a PIX at the edge and running the default-information command with OSPF. So when I enable the default-info command at my site, the default route entry on the 4500 keeps flapping between my location's ASA and the other remote PIX public IP.

I tried changing the metric, but to no use. Anyway, even if somehow it works, then the other site will have the same issue, as this command makes the router/PIX an ASBR. I think only one ASBR is allowed in an OSPF AS.

Thank you

MS

JORGE RODRIGUEZ Mon, 03/31/2008 - 18:44

Sorry for the late reply; busy day for me today. Do you recall the exact flapping message? Do you have access to the PIX in that other site? If you do, look at their OSPF default-information originate configuration; they probably have checked off (always advertise the default route). You may want to not check off this option in the BO ASA, and only leave it as default-information originate with metric value 1 and metric type 1.

Where does your configuration stand now on the BO site?

Rgds

Jorge
