
Advertising via OSPF and turning traffic into L2L

Hi.

I'm having difficulty getting a router/L2L VPN scenario to work. I'm not quite sure that it's possible to do what I want to do, but after reading up on OSPF all day I don't see why.

Site A:

The ISP has an 1812 router that has two interfaces at my service: FA1, where I get internet access, and FA2, where I get access to a few other services they provide me with.

I have an 1811 router that I have connected to the ISP router: my FA0 -> ISP FA1 and my FA1 -> ISP FA2. Now I have configured my router so that I can communicate with the internet, and I can ping the ISP "service" interface (172.16.3.241).

Site B:

I have an ASA5520 connected to another ISP, and I have configured a L2L tunnel between the ASA and my 1811 at Site A. The L2L communication works just fine. All the networks at Site B that are supposed to be able to communicate with my router at Site A can do this without any problems.

Now, my goal here is to be able to communicate with networks on the "service" network at Site A from the networks at Site B. So far so good.

Now, the ISP at Site A wants me to advertise my networks using OSPF, and here is where it all stops. I can't seem to get this to work. I have the following configuration in my router at Site A:

interface FastEthernet0
description Uplink to ISP WAN connection
ip address 213.xx.xxx.xx2 255.255.xxx.xxx
ip access-group 102 in
no ip route-cache
duplex auto
speed auto
crypto map xxxxx-xxxxx-xxxxx
!
interface FastEthernet1
description Uplink to ISP BusinessTrunk connection
ip address 172.16.3.241 255.255.255.248
duplex auto
speed auto

router ospf 1
router-id 172.16.3.242
max-metric router-lsa
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0
network 172.16.21.0 0.0.0.255 area 0
network 172.16.52.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 213.xxx.xxx.xx1

The 172.16.52.0/24 and 172.16.21.0/24 networks are at Site B. Right now I can't ping 172.16.3.242 from, for example, network 172.16.21.0, and the router itself can't ping anything beyond 172.16.3.242. I do, however, see advertisements from the ISP if I do "sh ip ospf database", but my router doesn't seem to advertise my networks to the ISP's "service" network.

What am I missing here?

Best regards,

Johan Christensson


Advertising via OSPF and turning traffic into L2L

Is OSPF adjacency up and running with the 172.16.3.242 router?

What is the output of:

sh ip os ne

Re: Advertising via OSPF and turning traffic into L2L

Hi and thanks for your answer.

As far as I can see I get OSPF information from the ISP's router.

            OSPF Router with ID (172.16.3.242) (Process ID 1)

                Router Link States (Area 0)

Link ID              ADV Router           Age        Seq#               Checksum Link count
172.16.3.242     172.16.3.242         1043        0x80000012     0x00B2A3 1
213.50.145.138  213.xxx.xxx.138      1154       0x800000EC     0x005740 1

                Net Link States (Area 0)

Link ID             ADV Router           Age         Seq#                 Checksum
172.16.3.242    213.xxx.xxx.138       1154        0x80000022      0x004D25

                Type-5 AS External Link States

Link ID              ADV Router           Age              Seq#                 Checksum      Tag
0.0.0.0              213.xxx.xxx.138       1410            0x800000CE      0x00615E      2
88.xxx.xxx.0     213.xxx.xxx.138       1410             0x800000CE      0x007B5C      77
193.xxx.xxx.71  213.xxx.xxx.138       1410             0x800000CE      0x007BB1      77
193.xxx.xxx.224  213.xxx.xxx.138       1410             0x800000CE      0x00F734      77
195.xxx.xxx.192  213.xxx.xxx.138       1410             0x800000CE      0x00E8AE      77
195.xxx.xxx.168  213.xxx.xxx.138       1410             0x800000CE      0x00B42F      77

And so on...

And if I run the command you suggested, "sh ip ospf neighbor", I get the following output:

Neighbor ID     Pri   State           Dead Time   Address         Interface
213.xxx.xxx.138    1   FULL/DR         00:00:37    172.16.3.242    FastEthernet1

Best regards,

Johan Christensson

Re: Advertising via OSPF and turning traffic into L2L

Anyone who has any ideas?

I have talked to the ISP and they say that everything seems to be ok on their side, but to be on the safe side they cleared their ARP cache.

I have double-checked that this isn't a feature issue, but as far as I can see OSPF is supported on the 1811 platform running c181x-adventerprisek9-mz.151-4.M1.bin.

Anything else that I should check?

/Johan Christensson


Advertising via OSPF and turning traffic into L2L

Hello Johan,

from the point of view of the Site A router 1811, it cannot advertise in OSPF the IP subnets of Site B using the network command under the router ospf process, because they are not connected interfaces on the router.

>> The 172.16.52.0/24 and 172.16.21.0/24 are networks at the Site B.

These IP subnets are seen from the Site A router on the LAN-to-LAN VPN.

There are two possible options here:

either the OSPF domain extends over the VPN L2L tunnel and the above IP subnets are advertised by the ASA,

OR

they are known as static routes on the Site A router and they should be advertised by redistribution of static routes into the OSPF domain (which is configured on Site A).

In addition to this, the ASA being a firewall may need some tuning of traffic ACLs to permit communication. Also, static routes if used should be updated, and the ACLs used to decide what to encrypt in case of an IPSEC tunnel have to be updated on both ends.

Without seeing the configurations of the C1811 in Site A and of the ASA in Site B it is difficult to say more.

We see that OSPF adjacency is up on C1811:fas1 as expected.

You should check the OSPF database on the C1811 looking for the IP subnets of Site B:

show ip ospf database external 172.16.52.0
show ip ospf database external 172.16.21.0

(this if the ASA and C1811 don't speak OSPF over the VPN tunnel)

As you see there are some open aspects in this setup.

It would help to know what type of VPN tunnel you have configured (IPSEC, I suppose).

Hope to help

Giuseppe

Re: Advertising via OSPF and turning traffic into L2L

Hi Giuseppe.

Well, the L2L tunnel between the ASA in Site B and the 1811 router in Site A is an IPSec tunnel, but I don't think the problem is here since that communication works as expected. I have also verified this by creating loopback interfaces in the Site A router to mimic the networks that I want to communicate with beyond my own network, and successfully pinged these networks over the L2L VPN tunnel from all the networks involved at Site B.

The problem as I see it, and please correct me if I'm wrong here, is that the ISP router doesn't get my OSPF advertisements from my router in Site A. I will try to illustrate the setup below.

ISP Router (Cisco 1812) FA1 <-> My 1811 FA1 = Here is where the OSPF adverts should happen

My 1811 Site A FA0 -> ISP router FA2 -> Internet -> ASA Site B -> Internal subnets

I tried to minimize the OSPF table by just including the network that actually exists as an interface in the Site B router, so that the OSPF configuration looked like this:

router ospf 1
router-id 172.16.3.242
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0

If I have understood this correctly I should be able to ping, for example, 88.131.xxx.1 directly from my router in Site B, but this times out. This is one of the networks on the ISP's side that I want to be able to communicate with.

But if I run the following command from the router CLI:

show ip ospf database external 172.16.3.240 (....240 being the "physical" network configured on the router, which is also directly connected to the ISP's router) I get the following output:

            OSPF Router with ID (172.16.3.242) (Process ID 1)

But if I do the following:

show ip ospf database external 88.131.198.0

I get the following output:


            OSPF Router with ID (172.16.3.242) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 400
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 88.131.198.0 (External Network Number )
  Advertising Router: 213.50.145.138
  LS Seq Number: 8000015F
  Checksum: 0x57EE
  Length: 36
  Network Mask: /28
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 10
        Forward Address: 0.0.0.0
        External Route Tag: 77

Here is my configuration of the router in Site B:

boot-start-marker
boot-end-marker
!
!
enable secret 5 ******
!
aaa new-model
!
!
aaa group server radius *******
server 172.16.20.12 auth-port 1812 acct-port 1813
!
aaa authentication login ISRAdminAuth group **** local enable
aaa authorization exec default group **** local if-authenticated
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain lookup source-interface FastEthernet1
ip domain name manhattan.local
ip name-server 172.16.20.12
ip name-server 172.16.20.13
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811/K9 sn *******
username ***-***-****** privilege 15 secret 5 ***
!
!
ip ftp source-interface FastEthernet1
ip tftp source-interface FastEthernet1
ip ssh version 2
!
!
crypto isakmp policy 11
encr aes 256
authentication pre-share
group 5
crypto isakmp key *** address 193.***.***.11
!
!
crypto ipsec transform-set ***-***-IPSec esp-des esp-sha-hmac
!
crypto map ***-***-CMap 11 ipsec-isakmp
set peer 193.***.***.11
set transform-set ***-***-IPSec
match address 120
!
!
!
!
!
interface FastEthernet0
description Uplink to TDC WAN connection
ip address 213.***.***.242 255.255.255.240
ip access-group 102 in
no ip route-cache
duplex auto
speed auto
crypto map ***-***-CMap
!
interface FastEthernet1
description Uplink to ISP BusinessTrunk connection
ip address 172.16.3.241 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
!
interface FastEthernet9
no ip address
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
router ospf 1
router-id 172.16.3.242
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 213.***.***.241
!
access-list 102 permit udp host 193.***.***.11 any eq 10000
access-list 102 permit udp host 193.***.***.11 any eq non500-isakmp
access-list 102 permit udp host 193.***.***.11 any eq isakmp
access-list 102 permit esp host 193.***.***.11 any
access-list 102 permit ahp host 193.***.***.11 any
access-list 102 permit udp host 172.16.20.13 eq domain any
access-list 102 permit udp host 172.16.20.12 eq domain any
access-list 102 permit tcp host 193.***.***.11 any eq 22
access-list 102 permit ip host 193.***.***.116 any
access-list 102 permit ip host 84.***.***.90 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip any any log
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.20.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.52.0 0.0.0.255
!
!
!
!
!
!
radius-server **************
!
!
control-plane
!
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 60
exec-timeout 60 0
login authentication *************
transport preferred ssh
transport input ssh
!
ntp source FastEthernet1
ntp server 172.16.20.12 prefer
ntp server 172.16.20.13

Best regards,

Johan Christensson


Re: Advertising via OSPF and turning traffic into L2L

Hello Johan,

The direct link between the Site A router and the ISP router is not external, so this explains why the first output is empty.

As I wrote before, you should check if OSPF external routes for the Site B IP subnets are generated on the Site A router or not.

You can use the commands that I suggested before:

show ip ospf database external 172.16.52.0
show ip ospf database external 172.16.21.0

I'm afraid both commands have empty output, and here is the issue.

From the point of view of the Site A router, which has the crypto map applied to the Fas0 interface, you should add two static routes like:

ip route 172.16.21.0 255.255.255.0 fas0
ip route 172.16.52.0 255.255.255.0 fas0

(or, better, use the ISP next-hop on fas0 = 213.x.x.241)

ip route 172.16.21.0 255.255.255.0 213.x.x.241
ip route 172.16.52.0 255.255.255.0 213.x.x.241

This should give the static routes we need and should allow the IP subnets to be advertised in OSPF as external routes.

Actually I see only a static default route in your router, and this will not be injected into the OSPF domain (redistribute static does not work for the default route when redistributing into OSPF).

Hope to help

Giuseppe

Advertising via OSPF and turning traffic into L2L

Thanks for all of your replies.

Well, adding the two following lines, as you suggested, solved the problem:

ip route 172.16.21.0 255.255.255.0 fa0
ip route 172.16.52.0 255.255.255.0 fa0

When I now query the database like:

show ip ospf database external 172.16.21.0

I get a more correct output:


OSPF Router with ID (172.16.3.242) (Process ID 1)

Type-5 AS External Link States

LS age: 801
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 172.16.21.0 (External Network Number )
Advertising Router: 172.16.3.242
LS Seq Number: 80000002
Checksum: 0x1FFB
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0

And for some reason my router at Site B is able to ping one of the hosts in the ISP network as expected.

So far so good. Now it's just a matter of getting the remote networks at Site B to be able to communicate with the networks at the remote side of the ISP router. I guess this is a completely different question, but in the ASA at Site B I added a static route as follows:

route outside 88.131.198.0 255.255.255.0 172.16.3.242 1

And as previously stated I have also added the routes in the Site A router. Wouldn't this be enough?

Best regards,

Johan Christensson


Advertising via OSPF and turning traffic into L2L

Hello Johan,

good news, there has been progress.

>> ASA at site B i added a static route as following:

route outside 88.131.198.0 255.255.255.0 172.16.3.242 1

No, this is not correct and it is not enough.

The IP next-hop has to be the local IP next-hop used by the ASA, not the ISP router IP address at Site A.

And you need to update all the involved ACLs (the one used to decide what traffic has to be encrypted and the ACL on the inside, as a minimum).

Hope to help

Giuseppe

Advertising via OSPF and turning traffic into L2L

Ok, then I had everything correct before I added the route in the ASA at Site B. When I think about it, I had it working before when I emulated the ISP network by creating a few loopback interfaces in the Site A router and pinged from the networks at Site B. So the VPN configuration is correct as far as I can see...

Correct?

/Johan Christensson

Advertising via OSPF and turning traffic into L2L

Had to put this matter aside for a few days, but I have been looking over this during the weekend and I can't seem to get it to work.

The setup is the same as before, now with working OSPF against my ISP. It's the VPN bits that don't work.

On the ASA in Site B I have created a site-to-site tunnel against the router at Site A. I have created a crypto map containing all the networks in Site B that I want to be able to communicate with networks in Site A. Aside from the local network at Site A, I have also included the Site B ISP service network in the crypto map. I have also made sure, for the purpose of testing, that all the networks in Site A have unrestricted access to the networks in Site B regarding the ACLs in the ASA in Site B. I have also created NAT exemptions for traffic between the networks.

The VPN tunnel configuration at Site A is matching the configuration at Site A. Needless to say, the crypto map is of course turned around. If I create a loopback interface at the router in Site A matching the IP address in the ISP service network that I'm interested in, I can ping this address from Site B to A. The router in Site A can ping the address in the ISP service network, but I can't ping the "service address" from Site B. (Of course I remove the loopback interface...)

So it feels as if there is still something missing in the configuration of the router at Site A, but I don't know what at this point, since as far as I can see the VPN connection works as it is supposed to.

What am I missing?

/Johan Christensson


Re: Advertising via OSPF and turning traffic into L2L

Hello Johan,

if my understanding is correct, when you emulate the ISP service network with a loopback address on the Site A router, you are able to ping from the Site B networks via VPN. So the VPN is fine. And also the Site B ASA configuration is fine.

In addition to this, OSPF is now correctly advertising the Site B IP subnets to the ISP on the service link, as you have checked in the OSPF database.

I wonder if the ISP has implemented ACLs that allow traffic from Site A only, as the service was originally intended only for Site A.

May you ask the ISP tech staff if they have any form of traffic control applied to their service?

The reasoning is that the Site A router configuration should be complete now.

However, if you like, feel free to post the current configuration (just remove usernames/passwords and substitute public IP addresses).

Hope to help

Giuseppe

Re: Advertising via OSPF and turning traffic into L2L

You are correct. If I create a loopback interface in the router at Site A that emulates the ISP service network, everything seems to work just fine from Site B.

Maybe I should explain what I'm doing and why. The reason for all this is that we have moved our datacenter from one city to another. The problem is that the ISP that we have at Site A (old location) was unable to deliver a connection for a reasonable price at Site B (new location), and we wanted to avoid all the hassle of switching over all the phone numbers to another ISP for now. So the quick and dirty solution was to create a VPN link between the two locations to get the SIP traffic from Site A to Site B.

Now, as I see it, nothing has really changed from a logical point of view. The IP subnet configured on the FA1 interface of the router at Site B used to be the link network between the ISP router and the ASA firewall, and there have been no changes in the IP addressing of the internal voice network either. So the TP cable has been replaced with a VPN link.

Anyhow, the config of the router looks like this:

Building configuration...

Current configuration : 7331 bytes
!
! Last configuration change at 01:16:38 CEST Mon Jul 30 2012 by ***
! NVRAM config last updated at 23:09:21 CEST Sun Jul 29 2012 by ***
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VOIPGW01-********-*****-SE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ***********.
!
aaa new-model
!
!
aaa group server radius RADIUS_AUTH
server 172.16.20.12 auth-port 1812 acct-port 1813
!
aaa authentication login ISRAdminAuth group RADIUS_AUTH local enable
aaa authorization exec default group RADIUS_AUTH local if-authenticated
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3**********0
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3**********0
revocation-check none
rsakeypair TP-self-signed-3**********0
!
!
crypto pki certificate chain TP-self-signed-3*******0
certificate self-signed 01

###############################

        quit
dot11 syslog
!
flow exporter SOHO-NetFlow1
destination 172.16.20.16
source FastEthernet1
output-features
transport udp 2055
export-protocol netflow-v5
!
!
flow monitor SOHO-NetFlow1
record netflow-original
exporter SOHO-NetFlow1
cache timeout active 1
!
ip source-route
!
!
!
!
!
ip cef
ip domain lookup source-interface FastEthernet1
ip domain name manhattan.local
ip name-server 172.16.20.12
ip name-server 172.16.20.13
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811/K9 sn F***********6
username N***4-****-ISRAdmin privilege 15 secret 5 ******
!
!
ip ftp source-interface FastEthernet1
ip tftp source-interface FastEthernet1
ip ssh version 2
!
!
crypto isakmp policy 11
encr aes 256
authentication pre-share
group 5
crypto isakmp key ************************************ address 193.***.***.11
!
!
crypto ipsec transform-set N***3-***-IPSec esp-des esp-sha-hmac
!
crypto map N***3-***-CMap 11 ipsec-isakmp
set peer 193.***.***.11
set transform-set N****3-***-IPSec
match address 120
!
!
!
!
!
interface FastEthernet0
description Uplink to ISP WAN connection
ip address 213.***.***.242 255.255.255.240
ip access-group 102 in
no ip route-cache
duplex auto
speed auto
crypto map N***3-***-CMap
!
interface FastEthernet1
description Uplink to ISP BusinessTrunk connection
ip address 172.16.3.241 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
!
interface FastEthernet9
no ip address
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
router ospf 1
router-id 172.16.3.242
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0
network 172.16.21.0 0.0.0.255 area 0
network 172.16.52.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source route-map inside_nat0_outbound interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 213.***.***.241
ip route 172.16.21.0 255.255.255.0 FastEthernet0
ip route 172.16.52.0 255.255.255.0 FastEthernet0
!
access-list 102 permit udp host 193.***.***.11 any eq 10000
access-list 102 permit udp host 193.***.***.11 any eq non500-isakmp
access-list 102 permit udp host 193.***.***.11 any eq isakmp
access-list 102 permit esp host 193.***.***.11 any
access-list 102 permit ahp host 193.***.***.11 any
access-list 102 permit udp host 172.16.20.13 eq domain any
access-list 102 permit udp host 172.16.20.12 eq domain any
access-list 102 permit tcp host 193.***.***.11 any eq 22
access-list 102 permit ip host 193.***.***.116 any
access-list 102 permit ip host 46.***.***.180 any
access-list 102 permit ip host 84.****.***.90 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip any any log
access-list 110 deny   ip 172.16.3.240 0.0.0.7 172.16.20.0 0.0.0.255
access-list 110 deny   ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 110 deny   ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
access-list 110 deny   ip 88.***.***.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 110 deny   ip 88.***.***.0 0.0.0.255 172.16.52.0 0.0.0.255
access-list 110 permit ip 172.16.3.240 0.0.0.7 any
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.20.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
access-list 120 permit ip 88.***.***.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 120 permit ip 88.***.***.0 0.0.0.255 172.16.52.0 0.0.0.255
!
!
!
!
route-map inside_nat0_outbound permit 10
match ip address 110
!
snmp-server community netflowtest RW
snmp-server ifindex persist
!
!
radius-server host 172.16.20.12 auth-port 1812 acct-port 1813 key *!
!
control-plane
!
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 60
exec-timeout 60 0
login authentication ISRAdminAuth
transport preferred ssh
transport input ssh
!
ntp source FastEthernet1
ntp server 172.16.20.12 prefer
ntp server 172.16.20.13
end

/Johan Christensson


Re: Advertising via OSPF and turning traffic into L2L

Hello Johan,

I would suggest configuring an outgoing ACL applied to Fas1, just to count packets sourced from the Site B IP subnets and destined to the service network.

Something like:

access-list 150 permit ip host 172.16.21.Z 88.xx.xx.0 0.0.0.255
access-list 150 permit ip 172.16.21.0 0.0.0.255 88.xx.xx.0 0.0.0.255
access-list 150 permit ip 172.16.52.0 0.0.0.255 88.xx.xx.0 0.0.0.255
access-list 150 permit ip any any

int fas1
ip access-group 150 out

This is to check if packets sourced at Site B are effectively sent out the interface Fas1 to the ISP.

Note: you may have already performed this test.

As I wrote, the Site A router configuration looks complete and correct now.

Hope to help

Giuseppe

Re: Advertising via OSPF and turning traffic into L2L

Well, I did that yesterday, but just for the fun of it I activated the same rule again and got the following result:

Extended IP access list 140
    10 permit ip 172.16.21.0 0.0.0.255 88.xxx.xxx.0 0.0.0.255 (22 matches)
    20 permit ip 172.16.52.0 0.0.0.255 88.xxx.xxx.0 0.0.0.255 (7 matches)
    30 permit ip any any (1 match)

One strange thing though is that I created another rule:

Extended IP access list 160
    10 permit ip 88.xxx.xxx.0 0.0.0.255 172.16.21.0 0.0.0.255 (1 match)
    20 permit ip 88.xxx.xxx.0 0.0.0.255 172.16.52.0 0.0.0.255 (4 matches)
    30 permit ip any any (5 matches)

This rule was also applied to the FA1 interface, but in the IN direction. If we assume that the ISP router isn't responding, shouldn't the statistics show 0? The matches in rule position 30 could be explained by the OSPF updates between the routers.

Correct?

/Johan Christensson


Advertising via OSPF and turning traffic into L2L

Hello Johan,

the two ACLs show that traffic sourced from the Site B networks (172.16.21.0/24 and 172.16.52.0/24) is sent to the ISP on Fas1, and that some traffic is coming back from the ISP sourced from the service network and with destination the Site B networks.

Your notes about ACL 160 line 30 are correct: OSPF hellos hit this line.

At this point, I would try to perform a test at the application layer using VoIP (if my understanding is correct, the link on Fas1 is a SIP trunk).

Hope to help

Giuseppe
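The counter test above (an ACL applied out on Fa1 and its mirror applied in) can be read mechanically. This is an added example, not code from the thread or from Cisco: it parses constructed "show access-lists" output built from the counters Johan posted, pairs every specific outbound (source, destination) line with the mirrored inbound (destination, source) line, and states which part of the path the two counters exonerate. The ACL names 140/160 and the masked 88.xxx.xxx.0 prefix are taken from the thread.

```python
"""Pair outbound and inbound ACL counters on one interface to localise a packet loss.
Added example; the sample output below is constructed from the thread's counters."""
import re
from typing import Dict, List, Tuple

# Constructed sample: ACL 140 was applied 'out' on Fa1, ACL 160 was applied 'in' on Fa1.
SHOW_ACCESS_LISTS = """\
Extended IP access list 140
    10 permit ip 172.16.21.0 0.0.0.255 88.xxx.xxx.0 0.0.0.255 (22 matches)
    20 permit ip 172.16.52.0 0.0.0.255 88.xxx.xxx.0 0.0.0.255 (7 matches)
    30 permit ip any any (1 match)
Extended IP access list 160
    10 permit ip 88.xxx.xxx.0 0.0.0.255 172.16.21.0 0.0.0.255 (1 match)
    20 permit ip 88.xxx.xxx.0 0.0.0.255 172.16.52.0 0.0.0.255 (4 matches)
    30 permit ip any any (5 matches)
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\S+)\s*$")
# seq action proto <addresses...> [(N match|matches)]
ACE_LINE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def split_src_dst(spec: str) -> Tuple[str, str]:
    """Split 'SRC [WC] DST [WC]' into two address specs; handles any / host / wildcard."""
    tokens, specs, i = spec.split(), [], 0
    while i < len(tokens) and len(specs) < 2:
        if tokens[i] == "any":
            specs.append("any"); i += 1
        elif tokens[i] == "host":
            specs.append(f"{tokens[i + 1]} 0.0.0.0"); i += 2   # host X == X 0.0.0.0
        else:
            specs.append(f"{tokens[i]} {tokens[i + 1]}"); i += 2
    if len(specs) != 2:
        raise ValueError(f"cannot parse addresses in ACE: {spec!r}")
    return specs[0], specs[1]


def parse_access_lists(text: str) -> Dict[str, List[dict]]:
    """Return {acl_name: [ {seq, action, proto, src, dst, matches}, ... ]}."""
    acls: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, action, proto, rest, count = ace.groups()
            src, dst = split_src_dst(rest)
            acls[current].append({"seq": int(seq), "action": action, "proto": proto,
                                  "src": src, "dst": dst,
                                  "matches": int(count) if count else 0})
    return acls


def direction_report(acls: Dict[str, List[dict]], out_acl: str,
                     in_acl: str) -> Dict[str, Tuple[int, int, str]]:
    """For each specific outbound line find the mirrored inbound line and say
    which part of the path the pair of counters rules out."""
    inbound = {(e["src"], e["dst"]): e["matches"] for e in acls[in_acl]}
    report: Dict[str, Tuple[int, int, str]] = {}
    for e in acls[out_acl]:
        if "any" in (e["src"], e["dst"]):
            continue  # catch-all line: OSPF hellos and other control traffic
        sent = e["matches"]
        returned = inbound.get((e["dst"], e["src"]), 0)
        if sent == 0:
            verdict = "nothing left the interface: routing or crypto before egress"
        elif returned == 0:
            verdict = "sent but no replies: the far side is not answering"
        else:
            verdict = "sent and answered: loss is after ingress (return path on this router)"
        report[e["src"]] = (sent, returned, verdict)
    return report


if __name__ == "__main__":
    acls = parse_access_lists(SHOW_ACCESS_LISTS)
    for src, (sent, back, verdict) in direction_report(acls, "140", "160").items():
        print(f"{src}: out={sent} in={back} -> {verdict}")
```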

Advertising via OSPF and turning traffic into L2L

Well, it's quite strange actually.

We know that if I ping something in the ISP service network (yes, it's a SIP trunk) from Site B to Site A, the packets get delivered to the ISP's router and the ISP router sends back, presumably, the reply from the device on the ISP side. But if I look in the ASA nothing gets sent back through the tunnel. But if I ping the router itself, my router, from Site B I get a reply and I also see traffic coming back through the tunnel in the ASA.

So, for some reason my router in Site A doesn't seem to send the packets destined for Site B the correct way. A possible explanation could be that the crypto mapping is wrong, but on the other hand it works when I create a loopback interface emulating the ISP network.

Any VPN gurus that have any idea?

/Johan Christensson

Advertising via OSPF and turning traffic into L2L

FINALLY I solved the problem. The key was the "reverse-route static" command in the crypto map statement, so that it looks like this:

crypto map N***3-***-CMap 11 ipsec-isakmp
set peer 193.***.***.11
set transform-set N****3-***-IPSec
match address 120
reverse-route static

This results in the necessary routes being created upon tunnel creation.

Thanks for all the input along the way!

/Johan Christensson


Advertising via OSPF and turning traffic into L2L

Hello Johan,

I'm happy you have solved your issue.

The command that you have used is a form of reverse route injection (RRI), as explained in the Security Command Reference.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-cr-r2.html#GUID-693630A4-5CD1-48FB-9732-7323206F5981

I wonder if changing the static routes to use an IP next-hop = ISP1 gateway could provide the same results. But probably this RRI is the best tool for your scenario.

Best Regards

Giuseppe
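Two points the thread turned on (Giuseppe's note that "redistribute static" never picks up the static default route, and the "reverse-route static" fix) can be modelled in a few lines. This is an added example, not Cisco code and not from the thread: it takes the router-id, the static routes and the crypto ACL 120 from Johan's configuration and shows which of them end up as Type-5 external LSAs under "redistribute static" with and without the "subnets" keyword, and which static routes RRI would derive from the crypto ACL's destination networks. Modelling the RRI routes as pointing out of the crypto-map interface is an assumption of this model.

```python
"""Model of which static routes the Site A router turns into OSPF Type-5 LSAs.
Added example, not Cisco code: models 'redistribute static [subnets]', the
exclusion of the static default route, and 'reverse-route static' (RRI)."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
StaticRoute = Tuple[IPv4Net, str]  # (destination, exit interface or next-hop)

# Values taken from the thread's configuration (ISP next-hop kept masked as on the page).
ROUTER_ID = "172.16.3.242"
ORIGINAL_STATICS = ["ip route 0.0.0.0 0.0.0.0 213.x.x.241"]
STATICS_AFTER_FIX = ORIGINAL_STATICS + [
    "ip route 172.16.21.0 255.255.255.0 FastEthernet0",
    "ip route 172.16.52.0 255.255.255.0 FastEthernet0",
]
CRYPTO_ACL_120 = [
    "access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.20.0 0.0.0.255",
    "access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255",
    "access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255",
    "access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.21.0 0.0.0.255",
    "access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.52.0 0.0.0.255",
]


def classful_prefixlen(net: IPv4Net) -> int:
    """Class A/B/C default mask length for the network's first octet."""
    first = int(net.network_address) >> 24
    return 8 if first < 128 else 16 if first < 192 else 24


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an ACL wildcard mask (0.0.0.255) to a prefix length (24)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # the one-bits must be contiguous from the low end
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - bits.bit_length()


def parse_static_routes(config_lines: List[str]) -> List[StaticRoute]:
    """'ip route NET MASK NEXTHOP' -> (network, next-hop) pairs."""
    routes: List[StaticRoute] = []
    for line in config_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), parts[4]))
    return routes


def rri_static_routes(crypto_acl_lines: List[str], crypto_interface: str) -> List[StaticRoute]:
    """Model of 'reverse-route static': one static route per distinct destination
    network named in the crypto ACL, out of the interface carrying the crypto map
    (that exit-interface choice is an assumption of this model)."""
    routes: List[StaticRoute] = []
    for line in crypto_acl_lines:
        parts = line.split()  # access-list N permit ip SRC SRC-WC DST DST-WC
        if len(parts) == 8 and parts[2] == "permit" and parts[3] == "ip":
            dst = ipaddress.ip_network(f"{parts[6]}/{wildcard_to_prefixlen(parts[7])}")
            if all(dst != existing for existing, _ in routes):
                routes.append((dst, crypto_interface))
    return routes


def ospf_externals(static_routes: List[StaticRoute], router_id: str, subnets: bool = True,
                   default_information_originate: bool = False) -> List[Dict]:
    """Type-5 LSAs produced by 'redistribute static [subnets]' (defaults: E2, metric 20)."""
    lsas: List[Dict] = []
    for net, _ in static_routes:
        if net.prefixlen == 0:
            if not default_information_originate:
                continue  # the static default is never picked up by redistribute static
        elif not subnets and net.prefixlen != classful_prefixlen(net):
            continue      # without 'subnets' only classful networks are injected
        lsas.append({"link_state_id": str(net.network_address), "mask": net.prefixlen,
                     "adv_router": router_id, "metric": 20, "metric_type": 2, "tag": 0})
    return lsas


if __name__ == "__main__":
    print("original config :", ospf_externals(parse_static_routes(ORIGINAL_STATICS), ROUTER_ID))
    print("after static fix:", ospf_externals(parse_static_routes(STATICS_AFTER_FIX), ROUTER_ID))
    rri = rri_static_routes(CRYPTO_ACL_120, "FastEthernet0")
    print("RRI from ACL 120:", ospf_externals(rri, ROUTER_ID))
```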
