OSPF with ASA, PIX and multiple spokes

Apr 25th, 2008

Hello, I'm looking for suggestions on how best to implement dynamic routing (ospf) in the following scenario:

1. Two 'hub' sites (I'll call them A & B)

2. Site A has an ASA 5520, B has a PIX515

3. Approx 60 spoke sites mainly using 857s with IPSec back to the ASA.

4. The two hub sites are connected via fibre (3560 switches). Each site is in a different subnet.

One requirement is to have the spoke sites fail-over to the PIX at site B if they cannot reach the ASA.

The other requirement is to run OSPF to achieve any-any comms between all sites.

The ASA/PIX don't support GRE termination or DMVPN, so those two are out?

RRI might work, and then define static OSPF neighbours between the ASA and PIX, or use multicast routing?

Or should we ditch the lot and go for MPLS throughout?

Any suggestions welcome, I hope this is enough info to understand, if not please let me know and I'll post more.

Thanks,

Dave

smalkeric Fri, 05/02/2008 - 06:37

The security appliance can run two OSPF processes simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1094564

tj.mitchell Wed, 05/07/2008 - 10:08

You can configure GRE tunneling to the 3560 switches, then from there you can run OSPF or EIGRP to your remote locations. Also, this way you won't need to change the configuration on the firewalls to support interface routing across the same security levels.

So terminate your IPSec tunnels on the firewalls and the GRE tunnels on the 3560 switches. This will fix your problem.

Dave Lewis Wed, 05/07/2008 - 23:44

Many thanks for your suggestions. I like the idea of using the 3560s as they're existing kit. Looking at the Feature Navigator, it looks like the 3560s can't do NHRP, and therefore we'd have to create GRE/IPsec tunnels from each site to every other site?

I've been thinking about this some more over the last few days, and I'm thinking it would be easier just to get a couple of 2851s to act as the active and backup hubs in a DMVPN. In fact, we already have one at one hub site.

That way the stubs could bring up a tunnel without going through the hub when they need to do VoIP (in the future).

I appreciate the help and suggestions, if only real life was as neat and tidy as in Cisco's books!
