OSPF default-information originate always with 2 ASA firewalls

Oct 26th, 2008

We have OSPF configured in our network. The complete network is in OSPF Area 0. Within Area 0 there are eight class C subnets, with 4 (class C subnets) each dedicated to two different companies which are part of the same group of EST.


The scenario demands 2 ASA firewalls connected to different ISPs. I have configured the ASA firewall subnets to be part of OSPF area 0 and have injected default routes from each firewall into the OSPF domain with the "default-information originate always" command.


1. Now there are two default routes advertised within the same OSPF domain.

2. I have to configure the first 4 class C subnets to take the route of ASA firewall 1 to access the Internet, and the remaining 4 class C subnets shall take the other default route to access the Internet.


192.168.0.0/22 area 0

192.168.4.0/22 area 0

192.168.5.0/24 area 0

0.0.0.0 0.0.0.0 192.168.5.50

0.0.0.0 0.0.0.0 192.168.5.100


*192.168.5.50 is the inside interface of firewall 1 & 192.168.5.100 is the inside interface of firewall 2.


Task

-----

Source 192.168.0.0/22 shall take 0.0.0.0 0.0.0.0 192.168.5.50 &

Source 192.168.4.0/22 shall take 0.0.0.0 0.0.0.0 192.168.5.100


I would appreciate any suggestion on how to configure PBR in such a scenario.


Thanks & Regards,

JORGE RODRIGUEZ Sun, 10/26/2008 - 11:30

If you have an L3 switch or router behind the ASAs you can make it simple, probably something like this with this suggestion. I'm sure there may be other suggestions by others, and perhaps knowing what routing product you have behind the ASAs would also help.


In the router or L3 switch behind the firewalls, do the policy routing there.


route-map outbound_fw_1 permit 10
 description outbound_traffic Via ISP_1
 match ip address 1
 ! "set ip default next-hop" is only used when the routing table has no
 ! explicit (non-default) route to the destination, so OSPF-learned internal
 ! prefixes keep their normal path and only Internet-bound traffic is steered
 set ip default next-hop 192.168.5.50

route-map outbound_fw_2 permit 20
 description outbound_traffic Via ISP_2
 match ip address 2
 set ip default next-hop 192.168.5.100




interface vlan (XXX)
 ip address 192.168.0.X 255.255.252.0
 ! PBR is evaluated only on the ingress interface the policy is applied to
 ip policy route-map outbound_fw_1

interface vlan (YYY)
 ip address 192.168.4.Y 255.255.252.0
 ip policy route-map outbound_fw_2



This ACL will cause source nets 0, 1, 2 and 3 to go via fw1:

! wildcard 0.0.3.255 covers 192.168.0.0 through 192.168.3.255
access-list 1 permit 192.168.0.0 0.0.3.255 log

And this ACL will cause source nets 4, 5, 6 and 7 to go via fw2:

! wildcard 0.0.3.255 covers 192.168.4.0 through 192.168.7.255
access-list 2 permit 192.168.4.0 0.0.3.255 log



In ASA fw_1:

! nat/global syntax (ASA pre-8.3)
global (outside) 1 interface
! global pool 2 needs an address or range; none is given in the post
global (outside) 2
! 192.168.0.0/22 is translated with pool 2, everything else PATs to the interface
nat (inside) 2 192.168.0.0 255.255.252.0
nat (inside) 1 0 0

In ASA fw_2:

global (outside) 1 interface
! global pool 2 needs an address or range; none is given in the post
global (outside) 2
! 192.168.4.0/22 is translated with pool 2, everything else PATs to the interface
nat (inside) 2 192.168.4.0 255.255.252.0
nat (inside) 1 0 0


HTH

Jorge

csco11049253 Mon, 10/27/2008 - 10:24

Hi Jorge,


Thanks for your valuable feedback.

I have one more complexity in our network, which is:

The subnets specified earlier for PBR are sourced from dist switches, for example:


192.168.0.0/22 area 0 ->Dist1->core1

192.168.3.0/22 area 0 ->Dist2->core1


The connectivity between dist and core is L3 with full redundancy, and finally the subnet 192.168.50.0/24 is an SVI configured on the core which connects both firewalls with the IPs I specified earlier.


Now the issue is that the subnets marked for PBR are learnt by OSPF on the core; the same subnets shall have to be policy-based routed.


Here I am not sure on which interface I shall apply the route-map policy.
</grreplace>
<gr_replace lines="168" cat="clarify" orig="Your advise">
Your advice is highly appreciated.


I have four /30 subnets providing connectivity between Dist & Core.


Your advise is highly appreciated.


Thanks a lot,

Syed

JORGE RODRIGUEZ Mon, 10/27/2008 - 20:05

Syed,


Can you provide a diagram? If I understand correctly, what is behind ASA1 and ASA2 is the Core1 router, and the Dist1 and Dist2 switches have the

192.168.0.0/22 and 192.168.4.0/22 SVIs, presumably doing HSRP? If so, the PBR should be applied on the SVIs in each of the dist1 and dist2 switches; you do not need to apply PBR on the L3 links nor in the core because the target subnets are in the distribution switches.


PBR simply dictates a next-hop router or a default route to be taken for a particular SVI or for hosts from that SVI.


You could test as follows without affecting the whole subnet. Take a PC from 192.168.0.0/22 and give it an IP address of 192.168.0.50/22, for example; this way you can test PBR with only one host as opposed to the whole subnet. Do the PBR example I gave in my previous post, but for access list 1 do as follows.


dist1 example


route-map outbound_fw_1 permit 10
 description outbound_traffic Via ISP_1
 match ip address 1
 set ip default next-hop 192.168.5.50

interface vlan (XXX)
 ip address 192.168.0.XZ 255.255.252.0
 ip policy route-map outbound_fw_1

! a standard ACL entry without a wildcard means wildcard 0.0.0.0: exactly this one host
access-list 1 permit 192.168.0.50 log


dist2 example


route-map outbound_fw_1 permit 10
 description outbound_traffic Via ISP_1
 match ip address 1
 set ip default next-hop 192.168.5.50

! same subnet as dist1 (HSRP pair), so the policy must exist on both switches
interface vlan (XXX)
 ip address 192.168.0.XY 255.255.252.0
 ip policy route-map outbound_fw_1

access-list 1 permit 192.168.0.50 log



Then do a tracert from the PC to note the path it takes, which should be via 192.168.5.50, the inside interface of FW1, provided you allow outbound traceroute through the firewalls; also make sure ASA1 NATs the 192.168.0.0/22 network.


Rgds

Jorge
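The two replies above hinge on two IOS behaviours that are easy to get wrong before touching a production core: how a standard ACL wildcard mask selects the source nets, and the fact that "set ip default next-hop" only fires when the routing table has no explicit route to the destination (a plain "set ip next-hop" would drag intra-site traffic to the firewall too). The following Python model is an added example, not code from the thread or from Cisco; it uses the thread's addresses and ACLs, a constructed route table built from the poster's area 0 prefixes, and a hypothetical "outbound_fw_1_test" policy for the single-host test in the second reply.

```python
"""Offline model of the PBR decision discussed in the thread (added example).

It reproduces, for a packet arriving on an SVI that has a route-map applied:
  * IOS standard-ACL matching with a wildcard mask,
  * the difference between `set ip default next-hop` (consulted only when no
    explicit, non-default route exists) and `set ip next-hop` (always wins).
Addresses and ACLs are the ones in the thread; the route table is constructed
from the "... area 0" statements in the original question.
"""
import ipaddress

# access-list N permit <base> <wildcard>  (constructed from the thread)
ACLS = {
    "outbound_fw_1": [("192.168.0.0", "0.0.3.255")],
    "outbound_fw_2": [("192.168.4.0", "0.0.3.255")],
    # hypothetical name for the one-host test ACL from the second reply;
    # an entry without a wildcard is wildcard 0.0.0.0, i.e. one host
    "outbound_fw_1_test": [("192.168.0.50", "0.0.0.0")],
}

# set ip default next-hop <addr> per route-map
NEXT_HOP = {
    "outbound_fw_1": "192.168.5.50",
    "outbound_fw_2": "192.168.5.100",
    "outbound_fw_1_test": "192.168.5.50",
}

# explicit routes the core/dist switches learn via OSPF (constructed)
OSPF_ROUTES = [ipaddress.ip_network(p) for p in
               ("192.168.0.0/22", "192.168.4.0/22", "192.168.5.0/24")]

# the two E2 defaults injected with "default-information originate always"
OSPF_DEFAULT_NEXT_HOPS = ("192.168.5.50", "192.168.5.100")


def wildcard_match(addr, base, wildcard):
    """IOS standard-ACL test: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def explicit_route(dst):
    """Longest-match lookup over the non-default routes; None if only the
    default would match."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for net in OSPF_ROUTES:
        if d in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


def forward(src, dst, policy, set_default=True):
    """Decide the next hop for a packet entering the SVI that carries `policy`.

    set_default=True  models `set ip default next-hop`.
    set_default=False models `set ip next-hop` (PBR overrides the route table).
    Returns ("route", prefix), ("pbr", next_hop) or ("default", hops).
    """
    route = explicit_route(dst)
    # with `default next-hop`, an explicit route always wins over the policy
    if route and set_default:
        return ("route", route)
    for base, wildcard in ACLS.get(policy, ()):
        if wildcard_match(src, base, wildcard):
            return ("pbr", NEXT_HOP[policy])
    if route:
        return ("route", route)
    # no ACL match: ordinary routing, i.e. whichever OSPF default wins; two E2
    # defaults with equal metric are load-shared, so the exit ISP is not fixed
    return ("default", OSPF_DEFAULT_NEXT_HOPS)


if __name__ == "__main__":
    cases = [
        ("192.168.1.7", "8.8.8.8", "outbound_fw_1", True),     # Internet via FW1
        ("192.168.6.9", "8.8.8.8", "outbound_fw_2", True),     # Internet via FW2
        ("192.168.1.7", "192.168.4.9", "outbound_fw_1", True), # stays internal
        ("192.168.1.7", "192.168.4.9", "outbound_fw_1", False),# hairpinned to FW1!
        ("192.168.6.9", "8.8.8.8", "outbound_fw_1", True),     # wrong SVI: no match
        ("192.168.0.50", "8.8.8.8", "outbound_fw_1_test", True),
        ("192.168.0.51", "8.8.8.8", "outbound_fw_1_test", True),
    ]
    for src, dst, pol, dflt in cases:
        print(f"{src:>13} -> {dst:<13} {pol:<20} default={dflt!s:<5} "
              f"{forward(src, dst, pol, dflt)}")
```

The fourth case is the one to remember: with `set ip next-hop` instead of `set ip default next-hop`, traffic between the two /22s would be forced through the firewall inside interface even though OSPF has a better route. The fifth case shows why the second reply puts the policy on the SVIs of both distribution switches: PBR is evaluated only on the ingress interface, so a source that never enters through a policy-bearing interface simply follows whichever OSPF default wins. On the real switches, `show route-map` reports the policy-routing match counters, which is the quickest way to confirm the single-host test is actually hitting the route-map.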






