Routing on the ASA – c

OSPF
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Overview
 Configuring OSPF
 Configuration Commands
 OSPF Authentication c

 Configuration OSPF Authentication

 Verification Commands
 Lab Configuration
Configuring OSPF
 All Routing Protocols are enabled by using the “Router” command.

 In order to enable OSPF, you use the “Router OSPF XX” command where the “XX” is the
process ID. Process ID is locally significant and
c does not need to match the remote router.

 OSPF routers are grouped into a logical entity known as an Area. In our examples, we are
going to use a single area, Area 0.

 OSPF router’s are identified by using a “IP Address” like identifier known as the router id. It
can be configured manually using the Router-ID command under the routing process.

Router OSPF 1
router-id 1.1.1.1
Configuration Commands
 Network Command is enable a Routing Protocol on an interface.

 By Enabling the routing protocol under the interface, it will take the following 2 actions:
• 1. It will allow the router to send and receive OSPF updates on that interface.
• 2. It will send/advertise this interface network on otherc OSPF enabled interfaces.

 In OSPF, the network command has to be used with a wild card mask. You can enable a major network, which
will enable OSPF on all interfaces with that major network including subnets. You need to specify the area that
this/these networks belong to.

 You enable OSPF on all the directly connected interfaces.

Router ospf 1
router-id 1.1.1.1
Network 10.0.0.0 255.0.0.0 area 0
Network 192.168.4.0 255.255.255.0 area 0
OSPF Authentication
 Authentication allows you to validate the updates are being sent from a
trusted source.

c
 OSPF authentication can be done by using Clear Text Authentication or
MD5.

 Clear Text authentication sends the password along with the Update. The
password can be seen if someone runs a sniffer on the network.

 MD5 hashes the password. It is the preferred mechanism for

authentication. The password is not sent in the clear.
Configuring OSPF Authentication
 Both the authentication mode and the Key configuration is directly done
under the interface for a router as well.

c
 You do have the ability to specify the authentication mode under the
Routing process but the key needs to be specified under the interface.

 This is applicable for both the Routers and the Firewall.

Configuring OSPF Authentication
 Clear Text Authentication on the Routers
Interface E 0/0
ip ospf authentication
ip ospf authentication-key cisco123 c

 Clear Text Authentication on the ASA

Interface E 0/0
ospf authentication
ospf authentication-key cisco123
Or
Router ospf 1
area 0 authentication
Interface E 0/0
ospf authentication-key cisco123
Configuring OSPF Authentication
 MD5 Authentication on the Routers
Interface E 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123 c
Or
Router ospf 1
area 0 authentication message-digest
Interface E 0/0
ip ospf message-digest-key 1 md5 cisco123

 Clear Text Authentication on the ASA

Interface E 0/0
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco123
Verification Commands
 Show run router - Displays the running config for a routing protocol.
 Show Route – Displays the routing table.
 Ping – Verifies connectivity. c
Lab Configuration
10.2.2.0/24
R2 199.1.1.0/24
200.1.1.0/24

E0/0 (.2)

192.1.20.0/24 Outside
c
ASA FW G0/0 (.10)
R4 R3
192.168.4.0/24 DMZ-4 192.168.3.0/24 DMZ-3
E0/0 (.4) G0/3 (.10) G0/2 (.10) E0/0 (.3)

10.4.4.0/24 G0/1 (.10)

10.3.3.0/24

10.11.11.0/24 Inside

E0/0 (.1)

E0/1 (.1)
10.1.1.0/24
10.20.20.0/24
10.10.10.0/24 R1
Lab Configuration
 This lab builds on the Previous Lab (EIGRP)

 Clear all routing configuration by using the “Clear configure router” command. Also, use the
“No router eigrp 100” command on the routers to disable EIGRP.
c
 Configure OSPF in process ID 1 on all the routers.

 Make sure all 10.X.X.X networks are reachable from the ASA. Use Area 0 for all networks.

 Configure Clear Text Authentication using a key ID of 1 and Key string of cisco123 between the
ASA and R3.

 Configure MD5 Authentication using a key ID of 1 and Key string of cisco555 between ASA and
R2.
Lab Configuration
ASA

Clear Configure router

!
Router ospf 1
router-id 10.10.10.10 c
network 192.1.20.0 255.255.255.0 area 0
network 10.11.11.0 255.255.255.0 area 0
network 192.168.3.0 255.255.255.0 area 0
network 192.168.4.0 255.255.255.0 area 0
!
Interface Gig 0/0
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco555
!
Interface Gig 0/2
ospf authentication
ospf authentication-key cisco123
Lab Configuration
R1 R2

No Router eigrp 100 No Router eigrp 100

Router ospf 1 Router cospf 1
router-id 1.1.1.1 router-id 2.2.2.2
network 10.0.0.0 0.255.255.255 area 0 network 10.2.2.0 0.0.0.255 area 0
network 192.1.20.0 0.0.0.255 area 0
!
Interface E0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5
cisco555
Lab Configuration
R3 R4

No Router eigrp 100 No Router eigrp 100

Router ospf 1 Router cospf 1
router-id 3.3.3.3 router-id 4.4.4.4
network 10.3.3.0 0.0.0.255 area 0 network 10.4.4.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0 network 192.168.4.0 0.0.0.255 area 0
!
Interface E0/0
ip ospf authentication
ip ospf authentication-key cisco123
Lab Configuration
 Ping 10.2.2.2 to verify the connectivity

 Ping 10.1.1.1, 10.10.10.1 & 10.20.20.1 behind R1.

 Ping 10.3.3.3 behind R3. c

 Ping 10.4.4.4 behind R4.
Whiteboard