03-24-2008 07:51 PM - edited 03-03-2019 09:15 PM
Hi All,
Scenario:
SiteA:
1. 4500 with OSPF enabled and static route 0.0.0.0 0.0.0.0 10.20.20.5 (ASA inside IP)
2. ASA also OSPF enabled with network statement network 10.20.20.5 255.255.255.255 area x (same area as the 4500) and static route 0.0.0.0 0.0.0.0 1.1.1.1 --> cable modem static IP
3. 4500 <-- p2p 1 Gig link --> HQ site via OSPF. HQ has another big internet pipe.
Is there any way I can configure the 4500 & ASA so that, in case the internet via the cable modem fails, the internet traffic dynamically routes via the HQ site..? And reverts back by itself in case the cable modem comes back online..?
Please suggest. Thanks in advance.
MS
03-24-2008 08:26 PM
On the 4500 you could have two default routes, one with a higher AD as your backup default route.
In the HQ firewall, have your 4500 internal subnets configured for PAT for outbound internet.
e.g.
ip route 0.0.0.0 0.0.0.0 1 ASA_Firewall_ip
ip route 0.0.0.0 0.0.0.0 255 HQ_Firewall_IP
As soon as your cable modem ISP link is down, the gateway of last resort for the 4500 will be directed to HQ.
Another note, depending on how your OSPF topology is: if the HQ network is participating in OSPF and all sites are in the same OSPF domain, the HQ firewall can inject its default route downstream through default-information originate in the firewall OSPF process, as well as in the ASA cable modem firewall; you could have two default routes dynamically propagated and would not have to configure statics.
HTH
Jorge
03-25-2008 04:40 AM
Hi Jorge,
Thank you for the quick reply and suggestion. Please see below...
ip route 0.0.0.0 0.0.0.0 1 ASA_Firewall_ip
ip route 0.0.0.0 0.0.0.0 255 HQ_Firewall_IP
Will it work..? As the 4500 connects directly to the ASA inside interface and has a default route to the ASA inside IP (the ASA outside has a connection to the cable modem via static IPs), even though the cable modem service is down, the 4500 sends traffic to the ASA inside interface because the interface is up.
Please correct me if I'm missing some basics about static routes here.. :-)
default-information originate :
I had this idea, and thank you for shedding light on the point about OSPF areas.. but HQ & BO are in different areas.
So for this, if I add "default-information originate" on the BO ASA and add a static default route with AD 200 on the 4500 pointing to the HQ router - now, as the BO ASA is configured with a static default route to the cable modem (route outside 0.0.0.0 0.0.0.0 1.1.1.1 1), in case the cable modem service is down, will it forward the traffic to HQ..?
Please suggest.
Thank you
MS
03-25-2008 07:02 AM
MS, the default static routes should work. I will try to lab this out today if I have time, but I believe that even though the default route points to an up/up interface in the firewall, the ASA will not forward outbound internet traffic if the cable modem is no longer reachable, thus the 4500's second default route would kick in.
With the use of default-information originate in HQ, for example if HQ is backbone area 0, a default route will appear as an advertised external link in the OSPF database in your BO if the BO ABR is in a different area. I believe a good choice would be default-information originate at both HQ and BO firewalls.
Rgds
Jorge
03-25-2008 12:53 PM
Thank you Jorge.. I know you got what my scenario is, but I just wanted to give a quick rundown...
BO:
4500:
router ospf 100
network 172.16.5.0 0.0.0.3 area 0.0.0.10
network 172.16.10.0 0.0.0.0 area 0.0.0.10
network 172.16.12.0 0.0.0.0 area 0.0.0.10
network 172.16.15.0 0.0.0.0 area 0.0.0.10
!
ip route 0.0.0.0 0.0.0.0 172.16.10.10 name InternetAccess
!
interface gig 4/1
description: gig link to HQ
ip address 172.16.5.1 255.255.255.252
!
ASA:
inside interface IP : 172.16.10.10 /24 (to 4500)
outside interface IP : 1.1.1.1 /29 (to Internet)
!
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
!
router ospf 100
network 172.16.10.10 255.255.255.255 area 0.0.0.10
!
HQ end:
router ospf 100
network 172.16.5.0 0.0.0.3 area 0.0.0.10
!
interface gig 7/1
description : gig to BO
ip address 172.16.5.2 255.255.255.252
!
----------------------------------
So adding on the 4500:
ip route 0.0.0.0 0.0.0.0 172.16.5.1 150 name BACKUP_INternet_Path
will work dynamically in case the cable modem goes down.
Thank you
MS
03-25-2008 03:45 PM
MS, thanks for providing more info. I see HQ and BO are both in the same area. If you don't mind my asking, where is area 0? And where does HQ get a default route from?
Assuming HQ has its own ISP, I am sure there would be a firewall facing the internet at HQ. If this is the case, what I would do is have the HQ ASA inside interface participate in OSPF in the same area 10. In the HQ ASA you may have a static default route configured, but have the inside interface in OSPF area 10 with default-information originate plus static redistribution, thus the default route will get injected downstream. The same principle applies to the BO ASA and OSPF for the inside interface, but you can keep it simple with two default routes in the 4500. At the HQ router 172.16.5.2, is there a default route? If there is a gateway of last resort you can just do it with the two statics in the 4500 like I said before; you have to have both: one facing the BO firewall inside interface with a low admin distance and the second with a higher AD. One alone will not work because the BO ASA inside interface is not injecting a default route into the 4500, or is it?
ip route 0.0.0.0 0.0.0.0 172.16.10.10 1 name ASA_inside_interface
ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path
As long as the HQ router 172.16.5.2 has a gateway of last resort, the backup internet path will work should the ASA no longer have internet in BO.
Again, in the HQ firewall, subnets from BO should be configured for PAT so that the internet is accessible..
HTH
Rgds
Jorge
03-25-2008 08:14 PM
Hi Jorge,
Thank you for the explanation and your time. HQ is area '0' and only the gig interface connected to BO has been configured for area 10 on the HQ core. So HQ has configs ...
_________________________________
network 10.20.11.0 0.0.0.3 area 0.0.0.0
network 10.50.10.0 0.0.0.3 area 0.0.0.10
network 10.60.0.0 0.0.255.255 area 0.0.0.0
network 10.100.20.4 0.0.0.3 area 0.0.0.0
network 10.230.23.0 0.0.0.255 area 0.0.0.0
network 20.93.50.0 0.0.0.63 area 0.0.0.0
-----------------------------------
Also, HQ has a default route to the ASA inside i/f at HQ.
So as the BO ASA is not injecting a default route into the 4500, as suggested... I will go with
ip route 0.0.0.0 0.0.0.0 172.16.10.10 1 name ASA_inside_interface
ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path
Thank you again for your time and suggestions.
Regards
MS
03-25-2008 08:31 PM
Sorry Jorge, I just checked by adding the routes on the 4500 and doing 'shutdown' on the outside interface of the BO ASA. No luck. Not getting internet.
Thank you
MS
03-25-2008 08:59 PM
In the HQ router, can you post the output of show ip route and make sure there is a default route in 172.16.5.2. Also, while BO ASA internet is shut, try tracert by IP to yahoo.com [216.109.112.135] and post the output of the trace. Also make sure the HQ firewall is permitting BO subnets for outbound internet.
Jorge
03-26-2008 06:20 AM
HQ router output of show ip route:
O IA 192.168.29.0/24 [110/3] via 192.168.100.3, 3d20h, Vlan171
[110/3] via 192.168.100.67, 3d20h, Vlan172
[110/3] via 192.168.100.131, 3d20h, Vlan173
[110/3] via 192.168.100.195, 3d20h, Vlan174
C 192.168.100.0/26 is directly connected, Vlan171
C 192.168.100.64/26 is directly connected, Vlan172
C 192.168.100.128/26 is directly connected, Vlan173
C 192.168.100.192/26 is directly connected, Vlan174
172.16.5.0/24 [110/2] via , 3d20h, GigabitEthernet7/1
S 10.40.0.0/16 [1/0] via 192.168.100.3
O 172.16.10.0/24 [110/2] via 172.16.5.2, 3d20h, GigabitEthernet 7/1
C 10.40.11.0/30 is directly connected, GigabitEthernet6/5
C 10.60.25.0/24 is directly connected, Vlan25
C 172.16.5.0/30 is directly connected, GigabitEthernet7/1
S* 0.0.0.0/0 [1/0] via 192.168.100.6 --> HQ ASA Inside Interface
The HQ firewall is permitting BO subnets:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 216.210.67.10
Thank you
MS
03-26-2008 09:18 AM
Two things: when you conduct the BO internet shutdown test, please trace route to a public IP. If the trace indicates going towards the HQ firewall, that is a good sign and I would then suggest looking at DNS, but if the trace stops at 172.26.5.2, change the default backup route to point to the HQ firewall inside interface instead.
no ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path
ip route 0.0.0.0 0.0.0.0 <HQFW_inside_interface_IP> 150 name BACKUP_INternet_Path
Once the change is made in the BO 4500, while BO internet is down do a tracert to a public IP and post the output of the trace. If the trace indicates hitting the HQ firewall then this indicates it works; if this is the case I would suggest either looking into the DNS server at BO and/or being more specific in the HQ firewall even if they have nat (inside) 1 0 0, but try the above suggestions first; trace route output from the 4500 is important during the test.
Let us know how it works out; if no joy I'll take another approach.
Rgds
Jorge
03-29-2008 12:52 PM
Hi Jorge,
Sorry.. it took a long time to run the test. I just did the test again.
1. With two routes (primary via FW & backup path via gig link) in place, by shutting down the ASA public interface,
"ip route 0.0.0.0 0.0.0.0 172.16.5.2 150 name BACKUP_INternet_Path"
the traffic is going nowhere (waited like 5 mins); the 4500 is still showing the ASA inside interface as the default route destination.
Tracert to a google IP from a PC times out at the gateway (Vlan i/f on the 4500).
2. I took out the ASA route from the 4500 and added
ip route 0.0.0.0 0.0.0.0 172.16.5.2 name test_INternet_Path
Internet works fine, no drop in ping, and I see the other site's public IP from whatismyip.com on my PC.
So, I might need to try with 'OSPF default-information originate' on the ASA and take out the primary default (leaving the backup path) from the 4500.
What do you say...?
Thank you
MS
03-29-2008 08:19 PM
MS, I was wondering about the outcome of your test and was going to drop a note asking for a testing update..
I had a similar scenario very long ago and it had worked.. the only difference was the site, i.e. BO, was in a different OSPF area.. perhaps anyone in the forum may jump in and comment on it.
I would then try advertising a default route from the ASA in your branch office. There are a few changes you will need to do, but not that bad: have the ASA inside interface participate in the same OSPF area as the 4500, with the backup default with a higher AD. I have not tried it this way, but the only way to find out is by testing it.
Rgds
Jorge
03-29-2008 08:57 PM
Hi Jorge,
Thank you for sharing your ideas and your valuable time. I just did another quick test...
On the 4500: took out the default route to the ASA inside i/f and that left me with...
ip route 0.0.0.0 0.0.0.0 10.50.10.1 150 name INTERNET-BACKUP-PATH
On the ASA under the OSPF process, I have added:
default-information originate metric 200 metric-type 1
And guess what... it worked. When I shut down the ASA outside i/f, the traffic went via the backup path, and when the i/f came up, traffic rerouted with no manual intervention.
With the command, the new route in the 4500:
O*E1 0.0.0.0/0 [110/201] via 10.40.35.4, 00:00:02, Vlan35
So, I am trying to understand how exactly
"default-information originate metric 200 metric-type 1" works (as the metric is 200 and the backup path AD is 150)... I am wondering why it is not preferring the path with AD 150.. :-)
I know I am surely missing some OSPF concept.. I need to go through the OSPF docs, but if you can shed some light, that would be really great.
Thank you
MS
03-30-2008 11:44 AM
MS, this is great news that it worked, and thank you for updating the test and sharing the outcome.
In reference to the BO ASA metric 200 configuration and understanding it, well, you're not alone. I should say we are sent back to the beginning; I include myself in hitting some docs to better understand how OSPF/SPF operates. One must also understand how the OSPF architecture is deployed in the company.
My thought is that by dynamically injecting the default route downstream from the BO ASA towards the 4500, that default route is always preferred, even with metric 200.
There are some rules (an order) pertaining to OSPF route preference and I think these rules should be considered in your equation; that's according to RFC 2328, which states intra-area routes come first before any other learned type of route. This is the order of OSPF route preference:
1st - intra-area routes, O
2nd - inter-area routes, O IA
3rd - external routes type 1, O E1
4th - external routes type 2, O E2
Here is a link for OSPF stuff:
http://www.cisco.com/en/US/tech/tk365/tk480/tsd_technology_support_sub-protocol_home.html
Also it is good to analyse your OSPF database on each area's ABR with show ip ospf database or show ip ospf ?. The OSPF database will provide the current OSPF route types with calculated metrics.
[edit] When the BO ISP is NOT shut down, issue show ip route and take note of the metrics on the default route; you should see a lower metric and the type should be (O) intra-area route. When the BO-ASA ISP is shut down, the backup route is noted as (O*E1) type, which is considered an external route; this proves the OSPF order of route preference.
HTH
Rgds
Jorge
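The two tests in this thread come down to how the 4500 picks its default route: administrative distance is compared across protocols before any metric is looked at, and a static route toward a directly connected next hop is only withdrawn when that link goes down, not when the ISP beyond it fails. The following model is an added example, not code from the thread or from Cisco; it reproduces both outcomes using the 172.16.x addresses from the earlier config dump, and the interface names (Vlan10, Gig4/1) are assumptions.

```python
from dataclasses import dataclass

# RFC 2328 preference among OSPF routes: intra-area, inter-area, E1, E2.
OSPF_TYPE_RANK = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3}

@dataclass
class Route:
    proto: str            # "static" or "ospf"
    ad: int               # administrative distance (static 1/150, OSPF 110)
    next_hop: str
    via_if: str           # interface toward the next hop (names assumed)
    metric: int = 0
    ospf_type: str = "O"  # only meaningful when proto == "ospf"

def _key(r):
    # AD decides between protocols; within OSPF, route type before metric.
    rank = OSPF_TYPE_RANK[r.ospf_type] if r.proto == "ospf" else 0
    return (r.ad, rank, r.metric)

def best_default(candidates, if_up, asa_originating):
    """Return the default route the 4500 installs, or None if it has none.
    A static stays only while its next-hop interface is up; nothing beyond
    that hop is checked. An OSPF default learned from the ASA exists only
    while the ASA is still originating it (default-information originate)."""
    usable = [r for r in candidates
              if (r.proto == "static" and if_up[r.via_if])
              or (r.proto == "ospf" and asa_originating)]
    return min(usable, key=_key) if usable else None

# Constructed to mirror the thread's configs; interface names are assumptions.
ASA_STATIC  = Route("static", 1,   "172.16.10.10", "Vlan10")
HQ_BACKUP   = Route("static", 150, "172.16.5.2",   "Gig4/1")
ASA_OSPF_E1 = Route("ospf",   110, "172.16.10.10", "Vlan10", 201, "O E1")

def attempt1(cable_up):
    """First test: two statics. The 4500-to-ASA inside link is up whether or
    not the cable modem is, so the AD 1 static is never withdrawn."""
    links = {"Vlan10": True, "Gig4/1": True}   # cable_up does not affect these
    return best_default([ASA_STATIC, HQ_BACKUP], links, asa_originating=False)

def attempt2(cable_up):
    """Second test: the ASA originates the default via OSPF (E1, [110/201] as
    seen on the 4500); only the AD 150 static remains. Shutting the ASA
    outside interface removes its own default, so it stops originating."""
    links = {"Vlan10": True, "Gig4/1": True}
    return best_default([HQ_BACKUP, ASA_OSPF_E1], links, asa_originating=cable_up)

if __name__ == "__main__":
    for up in (True, False):
        print("cable up  " if up else "cable down",
              "| two statics ->", attempt1(up).next_hop,
              "| OSPF default + AD 150 static ->", attempt2(up).next_hop)
```

With the cable modem down, attempt1 still returns the ASA (the blackhole MS saw), while attempt2 falls back to 172.16.5.2; with it up, attempt2 prefers the OSPF default because AD 110 beats AD 150 before the metric of 201 is ever compared.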