asa5510, ospf md5 authentication

Unanswered Question
Jun 2nd, 2009

I have ospf on a 5510 active on the outside and inside interfaces both in ospf 1.

The outside interface is utilizing ospf for our failover scenario.

I am looking to implement md5 on the asa and inside routers.

My question is,

If I implement the md5 on the outside interface, does it set the authentication on all interfaces, or do I need to set each separately?

I am concerned about losing connectivity momentarily, as we have an application from DMZ to inside that does not like to have the sockets hung open and does not easily recover.

Can I globally set the MD5 authentication on all interfaces at the same time?

JORGE RODRIGUEZ Tue, 06/02/2009 - 16:07

If I implement the md5 on the outside interface, does it set the authentication on all interfaces, or do I need to set each separately?

Hi Richard,

MD5 authentication is per interface; whichever ASA interface is OSPF peering is where you apply MD5. If your inside interface runs the OSPF process and peers with an inside router, the MD5 authentication is set on the INSIDE interface.

Can I globally set the MD5 authentication on all interfaces at the same time?

As far as I know this cannot be set up globally, only per interface. Technically you can set the MD5 authentication on all other interfaces on the ASA even if there is no OSPF peering on those interfaces, but this will provide another layer of security in preventing unauthorized devices from peering with your ASA's OSPF routing.

You will have a routing hiccup when implementing message digest (MD5) authentication. When you enter this config on the ASA, OSPF will lose peering, so your dynamic routing is disrupted until you enter the MD5 authentication config on the router peering with the ASA; then the OSPF adjacency will form again. Best to do your implementation during non-production hours. This is a simple implementation, but you still have to be careful.

Regards

wilson_1234_2 Tue, 06/02/2009 - 17:24

Thanks Jorge,

I could put static routes for the necessary subnets, then just remove them once the md5 config is complete.

JORGE RODRIGUEZ Tue, 06/02/2009 - 19:10

Richard, yes, you could do static routes, which will take precedence; I did not think of it. That works as long as the inside source is reachable through the inside router. When doing statics you can always confirm on the router by doing show ip route and seeing the route installed in the routing table as (S), and the same on the ASA.

Regards
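A worked configuration for the procedure the two replies above describe (per-interface MD5 on the ASA and the inside router, with a temporary static route covering the re-peering window), added here as an example rather than either poster's own configuration; the interface names, addresses, key id and key string are assumed placeholders:

```cisco
! Added example, not the posters' configuration. Assumptions:
!   ASA inside interface GigabitEthernet0/1 (nameif inside), ASA 198.51.100.1
!   inside router GigabitEthernet0/0, router 198.51.100.2
!   DMZ subnet 192.0.2.0/24 on the ASA, server subnet 203.0.113.0/24 behind the router
!   key id 1, key string MD5KEYPLACEHOLDER (replace before use)
!
! ---- Step 1 (ASA): temporary static for the server subnet behind the inside
! router. Static distance 1 beats OSPF's 110, so it carries the DMZ-to-inside
! traffic while the adjacency is down and is removed afterwards.
route inside 203.0.113.0 255.255.255.0 198.51.100.2 1
!
! ---- Step 1 (inside IOS router): matching temporary static for the return
! path toward the DMZ, so the application's sockets are not left hanging.
ip route 192.0.2.0 255.255.255.0 198.51.100.1
!
! ---- Step 2 (ASA): MD5 is applied per interface, on the interface that
! actually peers with a router. Entering this drops the adjacency until the
! peer carries the same key id and key string.
interface GigabitEthernet0/1
 nameif inside
 ospf message-digest-key 1 md5 MD5KEYPLACEHOLDER
 ospf authentication message-digest
!
! ---- Step 3 (inside IOS router): same key id and string on the interface
! facing the ASA; the adjacency re-forms once this is entered.
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 MD5KEYPLACEHOLDER
 ip ospf authentication message-digest
!
! ---- Step 4: verify, then remove the temporary statics.
!   ASA:    show ospf neighbor   (peer back in FULL state)
!   ASA:    show route           (OSPF routes flagged O, the static flagged S)
!   Router: show ip route        (static shows as S until removed)
! ASA:
no route inside 203.0.113.0 255.255.255.0 198.51.100.2 1
! Router:
no ip route 192.0.2.0 255.255.255.0 198.51.100.1
```

Only routes actually learned over the disrupted adjacency need a static; directly connected subnets on either device stay reachable throughout.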
