OSPF on ASA and IOS

ukaszquz
Level 1

Hello,

I configured a site-to-site VPN between an ASA 5508-X (9.6) and an IOS Cisco 881. The VPN is working. Between the devices there is an internet connection. Now I am trying to configure OSPF between the devices, and every time I cannot get the OSPF neighbors to come up. Can you help me? Please :)

On IOS:

interface FastEthernet4
 ip address 195.150.XX.XX 255.255.255.248
 description Access to OUTSIDE
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip ospf network point-to-point
 duplex auto
 speed auto
 no cdp enable
 crypto map outside_map
!
router ospf 100
 router-id 12.12.12.12
 network 10.1.20.10 0.0.0.0 area 0
 network 10.10.98.0 0.0.0.255 area 0
 network 195.150.XX.XX 0.0.0.7 area 0
 neighbor 213.216.XXX.XXX

Result:

 

sh ip ospf interface
Loopback10 is up, line protocol is up
  Internet Address 10.1.20.10/32, Area 0, Attached via Network Statement
  Process ID 100, Router ID 12.12.12.12, Network Type LOOPBACK, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Loopback interface is treated as a stub Host
FastEthernet4 is up, line protocol is up
  Internet Address 195.150.XX.XX/29, Area 0, Attached via Network Statement
  Process ID 100, Router ID 12.12.12.12, Network Type POINT_TO_POINT, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)


On ASA

interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.XXX.XXX 255.255.255.248 
 ospf network point-to-point non-broadcast
!
route outside 0.0.0.0 0.0.0.0 213.216.XXX.XXX 1
router ospf 100
 router-id 9.9.9.9
 network 10.226.156.0 255.255.255.0 area 0
 network 213.216.XXX.XXX 255.255.255.248 area 0
 neighbor 195.150.XX.XX interface outside
 log-adj-changes
!

sh ospf interface 

outside is up, line protocol is up  
  Internet Address 213.216.XXX.XXX mask 255.255.255.248, Area 0 
  Process ID 100, Router ID 9.9.9.9, Network Type POINT_TO_POINT, Cost: 10
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 0:00:04
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0 
  Suppress hello for 0 neighbor(s)

sh ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
            N/A   0   DOWN/  -           -        195.150.XX.XX   outside
8 Replies

Hello @ukaszquz

 

You should use the point-to-point non-broadcast and same-security-traffic permit intra-interface commands.

But probably your bigger problem is NAT. Try to create a NAT exempt for OSPF traffic and interfaces.

 

-If I helped you somehow, please, rate it as useful.-

 


 

Hello,

 

It used to be (and I am not sure if that has changed in the meantime) that multicast traffic (which OSPF uses) cannot be sent with IPsec unless you use a GRE tunnel, or a VTI (which eliminates the need for crypto maps)...

Can you try and configure a VTI and check if that works with OSPF?

I checked the configuration on the ASA, and on the ASA I have hello messages to the neighbor:

 

OSPF: Send hello to 185.75.3.XXX area 10 on outside from 213.216.110.XXX
OSPF: Send hello to 185.75.3.XXX area 10 on outside from 213.216.110.XXX

On the IOS router C881 I always have hellos to multicast:

Nov  3 09:10:20.111: OSPF-20 HELLO NV0: Send hello to 224.0.0.5 area 10 from 0.0.0.0
Nov  3 09:10:29.403: OSPF-20 HELLO NV0: Send hello to 224.0.0.5 area 10 from 0.0.0.0
Nov  3 09:10:38.471: OSPF-20 HELLO NV0: Send hello to 224.0.0.5 area 10 from 0.0.0.0
Nov  3 09:10:47.951: OSPF-20 HELLO NV0: Send hello to 224.0.0.5 area 10 from 0.0.0.0

On IOS my configuration is:

interface FastEthernet4
 ip address 185.75.3.XXX 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 ip ospf network point-to-multipoint non-broadcast
 ip ospf dead-interval 40
 ip ospf hello-interval 10
 duplex auto
 speed auto
 no cdp enable
 crypto map outside_map

router ospf 20
 router-id 12.12.12.12
 network 185.75.3.XXX 0.0.0.0 area 10
 neighbor 213.216.110.XXX

How can I change the router to send hellos by unicast to the neighbor?

Thank you :)

Hello

Your OSPF network types need to be non-broadcast, as they don't support multicast, and then you'll need to specify the unicast peer in the OSPF process.

interface x/x
 ip ospf network non-broadcast

router ospf 1
 neighbor x.x.x.x

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, 

 

I changed the interface to ip ospf network non-broadcast
and it is the same:

Nov  3 11:16:50.270: OSPF-20 HELLO NV0: Send hello to 224.0.0.5 area 10 from 0.0.0.0
Nov  3 11:16:59.530: OSPF-20 HELLO NV0: Send hello to 224.0.0.5 area 10 from 0.0.0.0

Hello

Did you do this on both sides of the peering, and did you specify neighbour x.x.x.x in the OSPF process?

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, 

 

Yes, I did set it on both sides, ASA and router:

ASA:

interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.110.XXX 255.255.255.248 
 ospf network point-to-point non-broadcast

router ospf 20
 router-id 11.11.11.11
 network 213.216.110.XXX 255.255.255.255 area 10
 neighbor 185.75.3.XXX interface outside
 log-adj-changes

Router:

 

interface FastEthernet4
 ip address 185.75.3.XXX 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 ip ospf network non-broadcast
 ip ospf dead-interval 40
 ip ospf hello-interval 10
 duplex auto
 speed auto
 no cdp enable
 crypto map outside_map

router ospf 20
 router-id 12.12.12.12
 network 185.75.3.XXX 0.0.0.0 area 10
 neighbor 213.216.110.XXX

You are trying to do the impossible. You can only have OSPF neighbourships when the endpoints are in the same network and have the same mask. (Although I did read an article about some PPP and unnumbered IP that worked, but even the author was doing this for research and testing.)

You need to set up a GRE tunnel, add those tunnel interfaces to OSPF and create the neighbourship. But your current setup will not work. You cannot have an OSPF neighbourship over a routed network as you are trying to; use tunnels. [Edited]
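As an added example (not part of this thread and not from any of its participants), the checker below encodes the OSPF hello-acceptance preconditions the replies above are arguing about: matching area and timers, matching network types, the same-subnet requirement that applies to every network type except point-to-point (RFC 2328 section 10.5 skips the mask check only there), multicast hellos that a crypto-map IPsec path does not carry, and the unicast `neighbor` statement that non-broadcast types need on each side. It then runs those rules over interface descriptions modelled on the configs posted in the thread and on the tunnel fix suggested in the last reply. The addresses are constructed placeholders for the masked `XXX` octets, the `OspfIface` model and the grouping of network types into hello families are assumptions of this example, and pairing two different families is flagged conservatively rather than analysed further.

```python
"""OSPF adjacency pre-check modelled on the ASA/IOS thread above (added example).

Constructed for illustration: the data model, the network-type families and the
sample addresses are assumptions, not the thread's own configs or any vendor API.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface


@dataclass
class OspfIface:
    """One OSPF-enabled interface as seen by the hello-processing rules."""
    name: str
    addr: str                 # CIDR notation, e.g. "10.255.0.1/30"
    area: int
    net_type: str             # one of the keys of NET_TYPES
    hello: int = 10
    dead: int = 40
    neighbors: tuple = ()     # statically configured unicast neighbour addresses


# Network types grouped by hello behaviour (assumption of this model: a pairing
# across families is reported as a mismatch rather than silently accepted).
NET_TYPES = {
    "broadcast": "broadcast",
    "non-broadcast": "nbma",
    "point-to-point": "p2p",
    "point-to-point non-broadcast": "p2p",
    "point-to-multipoint": "p2mp",
    "point-to-multipoint non-broadcast": "p2mp",
}
# Types whose hellos are sent to 224.0.0.5 instead of a configured unicast peer.
MULTICAST_TYPES = {"broadcast", "point-to-point", "point-to-multipoint"}


def check_adjacency(a, b, path_carries_multicast=True):
    """Return the reasons a and b cannot become OSPF neighbours over the path.

    An empty list means the hello-level preconditions are satisfied.
    path_carries_multicast=False models a plain crypto-map IPsec path.
    """
    problems = []
    for side in (a, b):
        if side.net_type not in NET_TYPES:
            raise ValueError(f"{side.name}: unknown network type {side.net_type!r}")
    ia, ib = IPv4Interface(a.addr), IPv4Interface(b.addr)

    if a.area != b.area:
        problems.append(f"area mismatch: {a.name}=area {a.area}, {b.name}=area {b.area}")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append(f"timer mismatch: {a.name}={a.hello}/{a.dead}s, "
                        f"{b.name}={b.hello}/{b.dead}s")

    fam_a, fam_b = NET_TYPES[a.net_type], NET_TYPES[b.net_type]
    if fam_a != fam_b:
        problems.append(f"network type mismatch: {a.name}={a.net_type!r}, "
                        f"{b.name}={b.net_type!r}")

    # The hello's network mask is checked on every type except point-to-point,
    # so unless BOTH ends are point-to-point the addresses must share a subnet.
    if not (fam_a == fam_b == "p2p") and ia.network != ib.network:
        problems.append(f"different subnets: {a.name} in {ia.network}, "
                        f"{b.name} in {ib.network}")

    # Multicast types need a path that forwards 224.0.0.5; the others need an
    # explicit unicast neighbour statement pointing at the peer's address.
    for side, peer_ip in ((a, ib.ip), (b, ia.ip)):
        if side.net_type in MULTICAST_TYPES:
            if not path_carries_multicast:
                problems.append(f"{side.name}: type {side.net_type!r} sends hellos "
                                f"to 224.0.0.5, which this path does not carry")
        elif str(peer_ip) not in side.neighbors:
            problems.append(f"{side.name}: non-broadcast type but no "
                            f"'neighbor {peer_ip}' statement")
    return problems


def thread_first_configs():
    """First post: IOS point-to-point vs ASA point-to-point non-broadcast
    over the crypto map (constructed placeholder addresses)."""
    rtr = OspfIface("C881 Fa4", "195.150.0.1/29", 0, "point-to-point")
    asa = OspfIface("ASA outside", "213.216.0.1/29", 0,
                    "point-to-point non-broadcast", neighbors=("195.150.0.1",))
    return check_adjacency(rtr, asa, path_carries_multicast=False)


def thread_final_configs():
    """Last pair of posted configs: both sides unicast, but on different
    provider subnets and with different network types."""
    asa = OspfIface("ASA outside", "213.216.110.1/29", 10,
                    "point-to-point non-broadcast", neighbors=("185.75.3.1",))
    rtr = OspfIface("C881 Fa4", "185.75.3.1/26", 10, "non-broadcast",
                    neighbors=("213.216.110.1",))
    return check_adjacency(asa, rtr, path_carries_multicast=False)


def tunnel_configs():
    """The fix from the last reply: a GRE or VTI tunnel whose ends share a /30,
    so OSPF runs on the tunnel interfaces and multicast is carried inside it."""
    asa = OspfIface("ASA Tunnel0", "10.255.0.1/30", 10, "point-to-point")
    rtr = OspfIface("C881 Tunnel0", "10.255.0.2/30", 10, "point-to-point")
    return check_adjacency(asa, rtr, path_carries_multicast=True)


if __name__ == "__main__":
    for label, fn in (("first post", thread_first_configs),
                      ("final configs", thread_final_configs),
                      ("tunnel", tunnel_configs)):
        print(f"{label}: {fn() or ['OK: hello preconditions met']}")
```

Running the block reports the multicast-over-crypto-map problem for the first post, the subnet and network-type mismatches for the final configs, and no problems for the tunnel pair, which is the progression the replies above describe.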
