Wednesday, 8 April 2009

EN - Task 2.1 - Basic OSPF routing between router and ASA

This is the initial configuration from which we will start to deploy our scenario. We've got 3 routers and one PIX; the PIX provides the uplink to the Internet.

As mentioned earlier, this is a scheme that has been slightly changed to fit into this blog. In the real world neither the inner nor the outer core routers are exclusively Cisco routers, and the firewall in use is neither an ASA nor a PIX. Since we are focusing on Cisco, these facts have been ignored and we stick to Cisco routers, PIXs and ASAs.
In this example the inner core routing network is represented by one 3660 router running IOS 12.3.26. The outer core routing network consists of 2x 3660 routers, also running IOS 12.3.26. All 3660s have 2 additional Fast Ethernet interfaces installed. Finally, the firewall is a Cisco PIX 252 running 7.2.4.

Between the routers there are transfer networks just big enough to hold 2 IP addresses, which means we use a 255.255.255.252 (/30) mask for those networks. All connections between inner and outer core, as well as within the outer core, are located in the network 10.0.0.0 255.255.0.0. Connections leaving the core network are usually in 10.1.0.0 255.255.0.0; most of the time this is used for links to edge devices like the PIX and, later on, to connect the VPN edge routers.

Attached to the inner core router is the network 172.16.0.0/24. This network holds the customer's servers, such as the Cisco ACS (version 4.2), an MS Active Directory server (Server 2003) with a certification authority configured, as well as a FreeRADIUS server. All servers will be used later for the VPN user configuration, so keep them in mind.


So we've got 3 routers and a PIX. Where to start? Well, we start with the common tasks: configuring hostnames, domain names and interfaces. I'll just post the changes I've made, no defaults included.


2.1.1 Basic Configuration including Hostname, Domain Name, NTP Settings and IP Interfaces on Routers and PIX/ASA Firewalls

Router for the inner core area - R_Inner_Core

! Hostname and Domain configuration
! =================================
hostname R_Inner_Core
ip domain name Task2.local
!
! No hostname lookup for routers
! ==============================
no ip domain lookup
!
! Interface configuration
! =======================
interface Loopback0
description ### Loop 0 for MGMT ###
ip address 10.99.99.1 255.255.255.255
!
interface FastEthernet0/0
description ### Uplink R_Outer_Core_1 ###
ip address 10.0.0.1 255.255.255.252
full-duplex
speed 100
no shutdown
!
interface FastEthernet0/1
description ### Uplink R_Outer_Core_2 ###
ip address 10.0.0.5 255.255.255.252
full-duplex
speed 100
no shutdown
!
interface FastEthernet1/0
description ### Uplink to internet gateway PIX ###
ip address 10.0.0.13 255.255.255.252
full-duplex
speed 100
no shutdown
!
interface FastEthernet2/0
description ### Connection to Server Network ###
ip address 172.16.0.5 255.255.255.0
speed 100
full-duplex
no shutdown
!
! configuration for NTP settings
! ==============================
ntp server 192.53.103.108 prefer
ntp server 192.53.103.104
! external NTP Server


So, first router done, two more to go.

Routers for the outer routing network: R_Outer_Core_1 and R_Outer_Core_2

! Hostname and domain configuration
! ==================================
hostname R_Outer_Core_1
ip domain name Task2.local
!
! No hostname lookup for routers
! ==============================
no ip domain lookup
!
! Interface configuration
! =======================
interface Loopback0
description ### Loop 0 for MGMT ###
ip address 10.99.99.2 255.255.255.255
!
interface FastEthernet1/0
description ### Link to R_Inner_Core ###
ip address 10.0.0.2 255.255.255.252
full-duplex
speed 100
no shutdown
!
interface FastEthernet2/0
description ### inter Link to R_Outer_Core_2 ###
ip address 10.0.0.9 255.255.255.252
full-duplex
speed 100
no shutdown
!
! NTP Settings
! ============
ntp server 10.99.99.1 prefer
! You may note that the NTP server is the inner core router R_Inner_Core.
! This is to limit access to public resources.


Last router to be configured: R_Outer_Core_2

! Hostname and domain name configuration
! ======================================
hostname R_Outer_Core_2
ip domain name Task2.local
!
! No hostname lookup for routers
! ==============================
no ip domain lookup
!
! Interface configuration
! =======================
interface Loopback0
description ### Loop 0 for MGMT ###
ip address 10.99.99.3 255.255.255.255
!
interface FastEthernet1/0
description ### Link to R_Inner_Core ###
ip address 10.0.0.6 255.255.255.252
speed 100
full-duplex
no shutdown
!
interface FastEthernet2/0
description ### inter Link to R_Outer_Core_1 ###
ip address 10.0.0.10 255.255.255.252
speed 100
full-duplex
no shutdown
!
! NTP Settings
! ============
ntp server 10.99.99.1 prefer


The last device to be configured is the Internet gateway, in this scenario the PIX FW-GW-1.


! Hostname and domain configuration
! =================================
hostname FW-GW-1
domain-name Task2.local
!
! Interface Configuration
! =======================
interface Ethernet0
description ### Central Breakout Point ###
speed 100
duplex full
nameif IF_Outside
security-level 0
ip address 192.168.33.2 255.255.255.240
no shutdown
!
interface Ethernet1
description ### Link to Core Router ###
speed 100
duplex full
nameif IF_Inside
security-level 100
ip address 10.0.0.14 255.255.255.252
no shutdown
!
! Default route for any unknown traffic
! =====================================
route IF_Outside 0.0.0.0 0.0.0.0 192.168.33.1 1
! 192.168.33.1 is the next hop to the ISP


By now you should be able to ping any directly connected device from each machine.

As you may notice, the PIX is not doing NAT yet; this will be configured in a separate step later on in this section.


2.1.2 OSPF between Cisco Routers and PIX/ASA

After we've finished the basic steps of configuring routers and PIX/ASA firewalls we will move on to OSPF. For more information on setting up a basic router configuration, have a look at ZIF's post from some days ago.

OSPF is quite easy to configure.
First of all you need to define a routing process and the routes you want to redistribute; if everything is fine you should have OSPF running in no time.
As mentioned earlier, in these configs I'll just post changes from the default configuration.

R_Inner_Core

! define your routing process
router ospf 100
! set your router ID
router-id 10.99.99.1
! configure logging
log-adjacency-changes
! define what you want to announce from this router
redistribute connected subnets
redistribute static subnets
! no routing updates on interface Loopback0
passive-interface Loopback0
!
! define networks attached to your router, if you do not add a network
! that is configured on one of your interfaces this interface will not be
! part of your OSPF (obvious!)
!
network 10.0.0.0 0.0.0.3 area 0
network 10.0.0.4 0.0.0.3 area 0
network 10.0.0.13 0.0.0.3 area 0
! announce even your loopback interface
network 10.99.99.1 0.0.0.0 area 0
network 172.16.0.0 0.0.0.255 area 0



The same is configured on routers R_Outer_Core_1 and R_Outer_Core_2.

R_Outer_Core_1

router ospf 100
router-id 10.99.99.2
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive-interface Loopback0
network 10.0.0.0 0.0.0.3 area 0
network 10.0.0.8 0.0.0.3 area 0
network 10.99.99.2 0.0.0.0 area 0


R_Outer_Core_2

router ospf 100
! router ID set explicitly, as on the other two routers; without it IOS
! would pick the highest loopback address (10.99.99.3) anyway
router-id 10.99.99.3
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive-interface Loopback0
network 10.0.0.4 0.0.0.3 area 0
network 10.0.0.8 0.0.0.3 area 0
network 10.99.99.3 0.0.0.0 area 0


Finally, add your PIX/ASA to the OSPF network.

FW-GW-1

! create your routing process
router ospf 100
! define your router ID
! NOTE: no loopback interfaces can be created on ASA and PIX
! you could use a hostname instead
router-id 10.0.0.14
network 10.0.0.12 255.255.255.252 area 0
log-adj-changes
redistribute static subnets
! Propagate a default route into the OSPF process so that every unknown IP
! can be reached via THIS pix /ASA
default-information originate


Well, so much for basic OSPF. You should now be able to ping every device in your network from every location.
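As an added check, not part of the original configs, the following Python script written for this post applies the two network-statement conventions used above: the IOS wildcard mask (where 10.0.0.13 0.0.0.3 covers the same /30 as 10.0.0.12 0.0.0.3) and the plain subnet mask used on the PIX. It reports which interfaces from the configs above will run OSPF and, just as importantly, which will not, such as the PIX outside interface facing the ISP.

```python
import ipaddress

# Interface addresses as configured on the page (address, subnet mask)
R_INNER_CORE_IFS = {
    "Loopback0":       ("10.99.99.1", "255.255.255.255"),
    "FastEthernet0/0": ("10.0.0.1",   "255.255.255.252"),
    "FastEthernet0/1": ("10.0.0.5",   "255.255.255.252"),
    "FastEthernet1/0": ("10.0.0.13",  "255.255.255.252"),
    "FastEthernet2/0": ("172.16.0.5", "255.255.255.0"),
}
# IOS "network <addr> <wildcard> area 0" statements from R_Inner_Core
R_INNER_CORE_NETWORKS = [
    ("10.0.0.0",   "0.0.0.3"),
    ("10.0.0.4",   "0.0.0.3"),
    ("10.0.0.13",  "0.0.0.3"),   # IOS stores this as 10.0.0.12 0.0.0.3
    ("10.99.99.1", "0.0.0.0"),
    ("172.16.0.0", "0.0.0.255"),
]
# PIX FW-GW-1: "network <addr> <mask> area 0" uses a normal subnet mask
FW_GW_1_IFS = {
    "IF_Outside": ("192.168.33.2", "255.255.255.240"),
    "IF_Inside":  ("10.0.0.14",    "255.255.255.252"),
}
FW_GW_1_NETWORKS = [("10.0.0.12", "255.255.255.252")]

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def ospf_enabled_interfaces(interfaces, network_stmts, wildcard=True):
    """Map each interface to the first network statement covering its address.
    IOS wildcard bits set to 1 are don't-care; PIX/ASA masks work the other
    way round (1 = must match), so the 'care' bits are derived accordingly."""
    enabled = {}
    for name, (addr, _mask) in interfaces.items():
        ip = _to_int(addr)
        for net, m in network_stmts:
            care = (~_to_int(m) & 0xFFFFFFFF) if wildcard else _to_int(m)
            if (ip & care) == (_to_int(net) & care):
                enabled[name] = f"{net} {m}"
                break
    return enabled

def interfaces_missing_from_ospf(interfaces, network_stmts, wildcard=True):
    """Interfaces that will NOT take part in OSPF (and will form no adjacency)."""
    covered = ospf_enabled_interfaces(interfaces, network_stmts, wildcard)
    return sorted(set(interfaces) - set(covered))

if __name__ == "__main__":
    print(ospf_enabled_interfaces(R_INNER_CORE_IFS, R_INNER_CORE_NETWORKS))
    # The PIX outside interface stays out of OSPF, so no hellos go to the ISP
    print(interfaces_missing_from_ospf(FW_GW_1_IFS, FW_GW_1_NETWORKS, wildcard=False))
```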

If you issue a show ip route on R_Inner_Core, the output should look like this:

R_Inner_Core#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.0.14 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, FastEthernet2/0
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O       10.0.0.8/30 [110/2] via 10.0.0.6, 00:01:18, FastEthernet0/1
                    [110/2] via 10.0.0.2, 00:01:18, FastEthernet0/0
C       10.0.0.12/30 is directly connected, FastEthernet1/0
O       10.99.99.2/32 [110/2] via 10.0.0.2, 00:01:18, FastEthernet0/0
O       10.99.99.3/32 [110/2] via 10.0.0.6, 00:01:18, FastEthernet0/1
C       10.0.0.0/30 is directly connected, FastEthernet0/0
C       10.99.99.1/32 is directly connected, Loopback0
C       10.0.0.4/30 is directly connected, FastEthernet0/1
O*E2 0.0.0.0/0 [110/1] via 10.0.0.14, 00:01:18, FastEthernet1/0


O*E2 0.0.0.0/0 [110/1] via 10.0.0.14, 00:01:18, FastEthernet1/0 is one of the more interesting routes. This is the default route announced into the OSPF area by our PIX/ASA. As a consequence, all traffic to unknown IPs will be sent to the PIX/ASA.
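As an added example (not from the original post), this Python snippet parses a constructed copy of the show ip route output above and checks that the only default route is the O*E2 one learned from the PIX at 10.0.0.14. A default route from any other next hop, or with a different code, would mean another device is originating 0.0.0.0/0 into the area and would pull all Internet-bound traffic towards itself.

```python
import re

# Constructed from the "show ip route" output shown above, not a live capture
SHOW_IP_ROUTE = """\
Gateway of last resort is 10.0.0.14 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, FastEthernet2/0
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O       10.0.0.8/30 [110/2] via 10.0.0.6, 00:01:18, FastEthernet0/1
                    [110/2] via 10.0.0.2, 00:01:18, FastEthernet0/0
C       10.0.0.12/30 is directly connected, FastEthernet1/0
O       10.99.99.2/32 [110/2] via 10.0.0.2, 00:01:18, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.14, 00:01:18, FastEthernet1/0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# code letters, prefix, then either "[AD/metric] via next-hop" or "is directly connected"
ROUTE_RE = re.compile(
    rf"^\s*(?P<code>[A-Z][A-Za-z0-9*]*)\s+(?P<prefix>{IPV4}(?:/\d{{1,2}})?)\s+"
    rf"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>{IPV4})|is directly connected)"
)

def parse_routes(output: str) -> list:
    """One dict per route line; legend, subnet headers and ECMP continuation
    lines (which start with '[') do not match and are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            r = m.groupdict()
            r["external"] = r["code"].startswith("O") and "E" in r["code"]
            routes.append(r)
    return routes

def default_route_check(output: str, expected_gateway: str):
    """Verify that exactly one default route exists, that it is an OSPF
    external (O*E2, i.e. injected with default-information originate) and that
    its next hop is the firewall. Anything else means some other device is
    announcing 0.0.0.0/0 and would attract all Internet-bound traffic."""
    defaults = [r for r in parse_routes(output) if r["prefix"] == "0.0.0.0/0"]
    if len(defaults) != 1:
        return False, f"expected one default route, found {len(defaults)}"
    r = defaults[0]
    if r["nh"] != expected_gateway:
        return False, f"default route via unexpected next hop {r['nh']}"
    if "*" not in r["code"] or not r["external"]:
        return False, f"default route has unexpected code {r['code']}"
    return True, f"default route via {r['nh']} ({r['code']}, [{r['ad']}/{r['metric']}])"
```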


2.1.3 Bringing up the Internet gateway

With OSPF running and a default route pointing to the Internet propagated, we just need a few adjustments on our PIX/ASA to allow Internet access.
First of all, since our network is running with private IPs, we need NAT to be configured. In this case PAT (port address translation) is the better term.

Assuming that our ISP offered us the network 192.168.33.0 255.255.255.240 and its router has the IP 192.168.33.1, we are left with the IP range 192.168.33.2-192.168.33.14 for our use.

We will use the IP address 192.168.33.3 for the PAT configuration; that should be enough for a while. The second step is to configure which source IP addresses will be NATed. Since this is the central breakout point, the answer is obvious: every IP!


global (IF_Outside) 1 192.168.33.3
nat (IF_Inside) 1 0.0.0.0 0.0.0.0
! translate every IP on the inside Interface into
! the public IP + specific port


Since we've not configured the ISP router, we check whether NAT is configured correctly by using show nat.
This should return something like:

show nat

NAT policies on Interface IF_Inside:
match ip IF_Inside any IF_Outside any
dynamic translation to pool 1 (192.168.33.3)


All done now! You should have a running network from which we can go ahead.

Network Diagram:


Attached you can find the configurations of our routers and PIX:
LINK: R_Inner_Core
LINK: R_Outer_Core_1
LINK: R_Outer_Core_2
LINK: FW-GW-1


More to come in a few days, feel free to post corrections, suggestions and of course questions.

Cheers NWG

1 comment:

  1. Nice, it's very helpful and I trust your work ;)

    Go on, pls ;)
