ASA VPN/IPsec with multi-area OSPF (PIX Version 7.x or ASA)

Unanswered Question
May 3rd, 2010
Hi All,

Is it possible using ASA without GRE tunnels to pass OSPF traffic and set an OSPF area ID for each VPN peer/neighbor?

I'm testing in an internal lab, and it worked only with one OSPF area for all VPN peers, just as in the Cisco site example [1]. If I change the area of a neighbor (via the 'network' command), they log conflicts between the neighbor area and the interface area.


[1] http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Jennifer Halim Mon, 05/03/2010 - 18:48
User Badges: Cisco Employee

If you use the "neighbor" command, OSPF will work as unicast instead of multicast, and you can pass the routing updates through the IPSec tunnel. If you are trying to use OSPF multicast through the IPSec tunnel, it is not supported, as IPSec does not support multicast traffic natively. You would need to have a GRE tunnel to encapsulate that multicast traffic prior to it being encrypted with IPSec. GRE tunnels are only supported on IOS routers, not on ASA.

rganascim Tue, 05/04/2010 - 04:14
Thanks Halijenn!

But is it possible to set a different OSPF area ID for each 'neighbor' configured? Or just the same OSPF area as the interface?

The idea is that each remote site has its own area id.
Jennifer Halim Tue, 05/04/2010 - 04:25
User Badges: Cisco Employee

No, you can't have one interface belonging to multiple OSPF areas.
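
The two replies above describe unicast OSPF over an ASA LAN-to-LAN tunnel via the "neighbor" command, with the area bound to the interface rather than to each neighbor. The following ASA configuration fragment is an added example written for this page; it is not from the thread, the Cisco document in [1], or any Cisco product documentation. Addresses (inside 10.1.1.0/24 and 10.2.2.0/24, outside 203.0.113.1 and 203.0.113.2), the ACL name L2L_VPN, the process number 1 and the interface name "outside" are all assumed. The point a practitioner needs to check is the second crypto ACL entry: the unicast OSPF packets travel between the two outside addresses, so they must match the crypto ACL, or the adjacency never forms while normal inside-to-inside traffic still works.

```cisco
! Added example (ASA side A). All addresses, names and numbers are assumed.
!
! Crypto ACL: the first line protects inside-to-inside traffic as usual.
! The second line is the one specific to OSPF-over-IPsec: with "neighbor",
! OSPF hellos and updates are unicast from this ASA's outside address to the
! peer's outside address (IP protocol 89), so that host-to-host traffic must
! also be selected for encryption.
access-list L2L_VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_VPN extended permit ip host 203.0.113.1 host 203.0.113.2
!
! The OSPF area is a property of the interface (here "outside", in area 0).
! Every neighbor statically configured through that interface therefore lives
! in that same area; there is no per-neighbor area keyword, which is the
! limitation discussed in the thread.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 203.0.113.0 255.255.255.0 area 0
 neighbor 203.0.113.2 interface outside
 log-adj-changes
```

Side B is the mirror image: the same two-line crypto ACL with source and destination swapped, its own inside network in area 0, and "neighbor 203.0.113.1 interface outside". When verifying, "show ospf neighbor" should list the peer's outside address in FULL state and "show crypto ipsec sa" should show encaps/decaps counters increasing for the host-to-host SA, not only for the inside-to-inside one; "log-adj-changes" makes adjacency flaps visible in the syslog, which is the first place to look when the tunnel is up but routes are missing.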

rganascim Tue, 05/04/2010 - 04:38
Then, for each remote site to have its own area ID, I must use a GRE tunnel between two routers (or another OSPF/GRE-capable device) before the ASA LAN-to-LAN? Is that right?
