OSPF default-information originate always with 2 ASA firewalls

csco11049253
Level 1

We have OSPF configured in our network. The complete network is in OSPF Area 0. Within Area 0 there are eight class C subnets, with 4 (class C subnets) each dedicated to two different companies which are part of the same group of EST.

The scenario demands 2 ASA firewalls connected to different ISPs. I have configured the ASA firewall subnets to be part of OSPF area 0 and have injected default routes from each firewall into the OSPF domain with the "default-information originate always" command.

1. Now there are two default routes advertised within the same OSPF domain.

2. I have to configure the first 4 class C subnets to take the route of ASA firewall 1 to access the Internet, and the remaining 4 class C subnets shall take the other default route to access the Internet.

192.168.0.0/22 area 0
192.168.4.0/22 area 0
192.168.5.0/24 area 0
0.0.0.0 0.0.0.0 192.168.5.50
0.0.0.0 0.0.0.0 192.168.5.100

*192.168.5.50 is the inside interface of firewall 1 & 192.168.5.100 is the inside interface of firewall 2.

Task
-----
source 192.168.0.0/22 shall take 0.0.0.0 0.0.0.0 192.168.5.50 &
source 192.168.4.0/22 shall take 0.0.0.0 0.0.0.0 192.168.5.100

I would appreciate any suggestion on how to configure PBR in such a scenario.

Thanks & Regards,

3 Replies

JORGE RODRIGUEZ
Level 10

If you have an L3 switch or router behind the ASAs you can make it simple, probably something like this. I'm sure there may be other suggestions by others, and perhaps knowing what routing product you have behind the ASAs would also help.

In the router or L3 switch behind the firewalls, do the policy routing there.

route-map outbound_fw_1 permit 10
 description outbound_traffic Via ISP_1
 match ip address 1
 set ip default next-hop 192.168.5.50

route-map outbound_fw_2 permit 20
 description outbound_traffic Via ISP_2
 match ip address 2
 set ip default next-hop 192.168.5.100

interface vlan (XXX)
 ip address 192.168.0.X 255.255.252.0
 ip policy route-map outbound_fw_1

interface vlan (YYY)
 ip address 192.168.4.Y 255.255.252.0
 ip policy route-map outbound_fw_2

This ACL will cause source nets 0, 1, 2 and 3 to go via FW1:

access-list 1 permit 192.168.0.0 0.0.3.255 log

and this ACL will cause source nets 4, 5, 6 and 7 to go via FW2:

access-list 2 permit 192.168.4.0 0.0.3.255 log

In ASA fw_1:

global (outside) 1 interface
global (outside) 2
nat (inside) 2 192.168.0.0 255.255.252.0
nat (inside) 1 0 0

In ASA fw_2:

global (outside) 1 interface
global (outside) 2
nat (inside) 2 192.168.4.0 255.255.252.0
nat (inside) 1 0 0

HTH

Jorge

Jorge Rodriguez

Hi Jorge,

Thanks for your valuable feedback.

I have one more complexity in our network, which is:

The subnets specified earlier for PBR are sourced from Dist switches, for example:

192.168.0.0/22 area 0 -> Dist1 -> core1
192.168.3.0/22 area 0 -> Dist2 -> core1

The connectivity between dist & core is L3 with full redundancy, and finally the subnet 192.168.50.0/24 is an SVI configured on the core which connects both the firewalls with the IPs I have specified earlier.

Now the issue is that the subnets marked for PBR are learnt by OSPF on the core, and the same subnets shall have to be policy-based routed.

Here I am not sure on which interface I shall apply the route-map policy.

I have four /30 subnets providing connectivity between Dist & Core.

Your advice is highly appreciated.

Thanks a lot,

Syed

Syed,

Can you provide a diagram? If I understand correctly, what is behind ASA1 and ASA2 is the Core1 router, and the Dist1 and Dist2 switches have the 192.168.0.0/22 and 192.168.4.0/22 SVIs, presumably doing HSRP? If so, the PBR should be applied on the SVIs in each of the Dist1 and Dist2 switches; you do not need to apply PBR on the L3 links nor on the core because the target subnets are in the distribution switches.

PBR simply dictates a next-hop router or a default route to be taken for a particular SVI or hosts from that SVI.

You could test as follows without affecting the whole subnet. Take a PC from 192.168.0.0/22 and give it an IP address of 192.168.0.50/22, for example; this way you can test PBR with only one host as opposed to the whole subnet. Do the PBR example I gave in my previous post, but for access list 1 do as follows.

Dist1 example:

route-map outbound_fw_1 permit 10
 description outbound_traffic Via ISP_1
 match ip address 1
 set ip default next-hop 192.168.5.50

interface vlan (XXX)
 ip address 192.168.0.XZ 255.255.252.0
 ip policy route-map outbound_fw_1

access-list 1 permit 192.168.0.50 log

Dist2 example:

route-map outbound_fw_1 permit 10
 description outbound_traffic Via ISP_1
 match ip address 1
 set ip default next-hop 192.168.5.50

interface vlan (XXX)
 ip address 192.168.0.XY 255.255.252.0
 ip policy route-map outbound_fw_1

access-list 1 permit 192.168.0.50 log

Then do a tracert from the PC to note the path taken, which should be 192.168.5.50, the inside interface of FW1, provided you allow outbound traceroute through the firewalls; also make sure ASA1 NATs the 192.168.0.0/22 network.

Rgds

Jorge

Jorge Rodriguez
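The route-maps in Jorge's two replies rely on "set ip default next-hop", which the distribution switch only honours when its routing table has no explicit (non-default) route for the destination. That detail is what keeps traffic between the two companies' /22s on the normal OSPF path while only Internet-bound traffic is steered to the chosen firewall. The following simulation is an added example, not configuration or code from the thread or from Cisco; it models the ACL 1 / ACL 2 route-map logic from the replies against a constructed routing table (the 10.0.0.1 core next hop and the 198.51.100.10 Internet destination are assumed placeholders) and contrasts "set ip default next-hop" with the stricter "set ip next-hop" to show why the former is the right choice for this design.

```python
"""Simulate Cisco policy-based routing (PBR) on a distribution switch.

Added example, not config from the thread. Models the route-map and
access-list logic posted in the replies, plus the difference between
'set ip next-hop' (always overrides) and 'set ip default next-hop'
(used only when the routing table has no explicit route other than
the default), so inter-company traffic keeps following OSPF and only
Internet-bound traffic is steered to a specific firewall.
"""
from ipaddress import ip_address, ip_network

# Constructed routing table, as Dist1 might learn it via OSPF.
# Entries are (prefix, next hop); 10.0.0.1 is an assumed core /30 peer.
ROUTING_TABLE = [
    (ip_network("192.168.0.0/22"), "connected"),   # local SVI on Dist1
    (ip_network("192.168.4.0/22"), "10.0.0.1"),    # other company, via core
    (ip_network("192.168.5.0/24"), "10.0.0.1"),    # firewall SVI on core
    (ip_network("0.0.0.0/0"), "10.0.0.1"),         # OSPF default via core
]

# Standard ACLs from the thread: wildcard 0.0.3.255 is a /22.
ACCESS_LISTS = {
    1: [ip_network("192.168.0.0/22")],
    2: [ip_network("192.168.4.0/22")],
}

# Route-map entries: (acl number, set mode, next hop).
# "default" models 'set ip default next-hop'; "always" models 'set ip next-hop'.
# outbound_fw_1_strict is a constructed variant to show the pitfall.
ROUTE_MAPS = {
    "outbound_fw_1": [(1, "default", "192.168.5.50")],
    "outbound_fw_2": [(2, "default", "192.168.5.100")],
    "outbound_fw_1_strict": [(1, "always", "192.168.5.50")],
}


def acl_permits(acl, src):
    """True if the source address matches a permit line of the standard ACL."""
    return any(src in net for net in ACCESS_LISTS[acl])


def rib_lookup(dst):
    """Longest-prefix match; returns (prefix, next_hop). Always hits the default."""
    best = None
    for prefix, nh in ROUTING_TABLE:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def forward(src, dst, policy):
    """Next hop chosen for a packet entering an SVI that has 'policy' applied."""
    src, dst = ip_address(src), ip_address(dst)
    prefix, rib_nh = rib_lookup(dst)
    explicit = prefix.prefixlen > 0          # any route other than 0.0.0.0/0
    for acl, mode, nh in ROUTE_MAPS[policy]:
        if not acl_permits(acl, src):
            continue                          # try the next route-map entry
        if mode == "always":
            return nh                         # 'set ip next-hop' ignores the RIB
        if mode == "default" and not explicit:
            return nh                         # only when just the default matches
        break                                 # matched, but RIB has an explicit route
    return rib_nh                             # normal destination-based forwarding


if __name__ == "__main__":
    cases = [
        ("192.168.0.10", "198.51.100.10", "outbound_fw_1"),        # Internet via FW1
        ("192.168.0.10", "192.168.4.10", "outbound_fw_1"),         # stays on OSPF path
        ("192.168.4.10", "198.51.100.10", "outbound_fw_2"),        # Internet via FW2
        ("192.168.0.10", "192.168.4.10", "outbound_fw_1_strict"),  # wrongly hairpinned
    ]
    for src, dst, pol in cases:
        print(f"{src:>14} -> {dst:<14} [{pol}] next hop {forward(src, dst, pol)}")
```

Running the block prints one line per case; the third column shows that with the "default" mode the 192.168.0.0/22 host reaching 192.168.4.10 still uses the core next hop learned from OSPF, whereas the "strict" variant would push that internal flow to the firewall's inside interface.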