Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Configurations
Configure the PIX/ASA Security Appliance Version 7.x
Use ASDM
Enable Reverse Route Injection (RRI)
Verify
View the Logs
Troubleshoot
Related Information
Introduction
This document provides a sample configuration for a VPN/IPsec with Open Shortest Path First (OSPF) on
Cisco PIX Security Appliance Software Version 7.x or Cisco Adaptive Security Appliance (ASA). PIX/ASA
7.x allows OSPF unicast to run over an existing VPN connection. You no longer need to configure a Generic
Routing Encapsulation (GRE) tunnel.
Prerequisites
Requirements
Ensure that you can establish the VPN connection before you attempt this configuration.
Components Used
The information in this document is based on these software and hardware versions:
• Cisco 2500 that runs Cisco IOS® Software Release 12.1 and later
• Cisco 2500 that runs Cisco IOS Software Release 12.0 and later
• ASA 5500 Security Appliance running Software Version 7.x and later
Note: The PIX 500 Series Version 7.x/8.x runs the same software seen in ASA 5500 Version 7.x/8.x.
The configurations in this document are applicable to both product lines.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands
used in this section.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
• Router Left
• Router House
Router Left
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Left
!
!
!
!
!
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
!
!
!
interface Loopback11
 ip address 11.11.11.11 255.255.255.0
!
interface Ethernet0
 ip address 10.10.10.2 255.255.255.0
 no keepalive
!
interface Serial0
 no ip address
 no keepalive
 no fair-queue
 ignore-dcd
!
interface Serial1
 no ip address
 shutdown
 ignore-dcd
!
interface BRI0
 no ip address
 shutdown
!
router ospf 11
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 11.11.11.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip http server
!
logging trap debugging
logging 20.20.20.2
access-list 100 permit ip any any
access-list 101 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end
Router House
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Right
!
aaa new-model
aaa authentication login default group tacacs+ none
aaa authorization exec default group tacacs+ none
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
cns event-service server
!
!
!
!
!
interface Loopback22
 ip address 22.22.22.22 255.255.255.0
 no ip directed-broadcast
!
interface Tunnel0
 no ip address
 no ip directed-broadcast
!
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Async1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
!
router ospf 22
 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip http server
!
!
!
line con 0
 transport input none
line 1 8
line aux 0
line vty 0 4
!
end
Note: If the OSPF neighbor does not come up, consider the option to reduce the maximum transmission unit
(MTU) size.
PIX/ASA-ASDM Bootstrap
Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
Enable password [<use current password>]: cisco
Allow password recovery [yes]?
Clock (UTC):
Year [2006]:
Month [May]:
Day [25]:
Time [06:00:44]:
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3
Use ASDM
Complete these steps in order to configure via the ASDM GUI:
This prompt appears only if this is the first time that you have run ASDM on the PC. This example
has selected and installed the ASDM Launcher.
5. Go to the ASDM Home window and click the Configuration tab.
6. Choose Interface > Edit in order to configure the outside interface.
7. Click OK.
8. Enter the interface details and click OK when complete.
13. Configure a host-based static route for the remote peer in order to avoid possible recursive routing when
OSPF comes up, and then click OK.
14. Click Apply in order to accept the routing configuration.
16. In the VPN Wizard window, click Next where Site-to-Site is the default selection.
17. Add the Peer IP Address, Tunnel Group Name (which is the IP address), and Pre-Shared Key
information, and click Next.
18. Add the Encryption type, Authentication type, DH Group information, and click Next.
19. Add the IPsec parameters, Encryption type, Authentication type information, and click Next.
20. Configure the inside host network. Click Add in order to move the address to the Selected
Host/Networks field within this window. Click Next when complete.
21. Configure the outside host network. Click Add in order to move the address to the Selected
Host/Networks field within this window. Click Next when complete.
24. Create an access list in order to allow OSPF traffic to go across the VPN.
This VPN access list is for the OSPF routes that are learned. Choose Configuration > VPN.
30. Configure the Source Network. Click Browse in order to define the NAT pool addresses for the
inside. Then select outside for Translate Address on Interface and click Manage Pools.
31. Select the outside interface and click Add.
32. Because Port Address Translation (PAT) uses the IP address of the interface in this example, click
Port Address Translation (PAT) using the IP address of the interface.
34. In the Add Address Translation Rule window, select the Address Pool that the configured Source
Network is to use.
35. Click OK. This window shows the output from the NAT configuration.
36. Click Apply in order to save the configuration.
37. Choose Configuration > Routing > OSPF > Setup, go to the Process Instances tab and check
Enable this OSPF Process in order to set up OSPF on the PIX.
45. Check the Broadcast column for the outside interface in order to verify that the selection is no and
click Apply.
48. Verify that the information is correct and click Apply. This action completes the configuration.
Choose File > Show Running Configuration in New Window in order to view the CLI configuration.
ASA Local
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
!--- This line allows the unicast of OSPF over the IPsec tunnel.
!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
ASA Remote
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 40.40.40.2 255.255.255.0
!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Remote
ftp mode passive
!--- These ACL entries define interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted and only in the crypto ACL.
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 20 interface
!--- This is a host-based static route. This is not always necessary, but recommended to
!--- prevent recursive routing loops when OSPF comes up over the IPsec tunnel.
!--- This is the IPsec configuration. Make sure basic IPsec connectivity is present
!--- before you add in OSPF.
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
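The configuration comments above call out what OSPF over the IPsec tunnel relies on: the crypto ACL must permit OSPF between the two peer addresses, the outside interface must run OSPF in unicast (point-to-point non-broadcast) mode with an explicit neighbor because OSPF multicast hellos do not cross the tunnel, and a host-based static route for the remote peer must exist so the peer is never learned through the tunnel itself (recursive routing). The following Python check is an added example, not part of the Cisco document; it walks a running-config for those entries. The sample config, the ACL name vpn, OSPF process 1 and the outside next hop 30.30.30.2 are constructed for the example, while the peer addresses follow the document's topology.

```python
import re

# Constructed sample running-config for this example (not the document's own
# configuration). Peer addresses follow the document's topology (ASA Local
# outside 30.30.30.1, ASA Remote outside 40.40.40.2); ACL name "vpn", OSPF
# process 1 and the next hop 30.30.30.2 are assumed values.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
 ospf network point-to-point non-broadcast
access-list vpn extended permit ospf host 30.30.30.1 host 40.40.40.2
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 neighbor 40.40.40.2 interface outside
"""

def check_ospf_over_ipsec(config, local_peer, remote_peer, crypto_acl, nameif="outside"):
    """Return {check_name: bool} for the entries OSPF over IPsec relies on."""
    found = {"acl_permits_ospf": False, "p2p_non_broadcast": False,
             "unicast_neighbor": False, "host_static_for_peer": False}
    lp, rp, acl = map(re.escape, (local_peer, remote_peer, crypto_acl))
    in_outside = False          # inside the interface stanza whose nameif matches
    for raw in config.splitlines():
        line, sub = raw.strip(), raw.startswith(" ")
        if not sub:
            in_outside = False  # any top-level command ends the interface stanza
        if sub and line == f"nameif {nameif}":
            in_outside = True
        elif in_outside and line == "ospf network point-to-point non-broadcast":
            found["p2p_non_broadcast"] = True   # OSPF runs unicast on the tunnel side
        elif re.fullmatch(rf"access-list {acl} extended permit ospf host {lp} host {rp}", line):
            found["acl_permits_ospf"] = True    # OSPF (protocol 89) is interesting traffic
        elif re.fullmatch(rf"route {nameif} {rp} 255\.255\.255\.255 \S+( \d+)?", line):
            found["host_static_for_peer"] = True  # /32 for the peer, never via the tunnel
        elif re.fullmatch(rf"neighbor {rp}( interface {nameif})?", line):
            found["unicast_neighbor"] = True    # explicit neighbor under router ospf
    return found

def missing_entries(config, local_peer, remote_peer, crypto_acl, nameif="outside"):
    """Names of the checks that failed, in a stable order (empty when all pass)."""
    found = check_ospf_over_ipsec(config, local_peer, remote_peer, crypto_acl, nameif)
    return [name for name, ok in found.items() if not ok]
```

Running missing_entries on a config with the host-based static route removed reports host_static_for_peer, which is the recursive-routing case the comments warn about.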
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
Use these show commands to confirm the tunnel state:
• show crypto isakmp sa: Shows the Internet Security Association and Key Management Protocol
(ISAKMP) security association (SA) that is built between peers.
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Local(config)#show debug
debug crypto ipsec enabled at level 1
debug crypto engine enabled at level 1
debug crypto isakmp enabled at level 1
Verify that the LAN-to-LAN connection passes routing traffic by checking the routers:
Left#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Right#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Right#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
View the Logs
You can use ASDM in order to enable logging and to view the logs:
1. Choose Configuration > Properties > Logging > Logging Setup, check Enable logging, and click
Apply.
2. Choose Monitoring > Logging > Log Buffer > Logging Level, select Logging Buffer from the
drop-down menu, and click View.
Here is an example of the Log Buffer:
In order to view related graphs, choose Monitoring > VPN > IPSEC Tunnels. Then, move IPsec
Active Tunnels and IKE Active Tunnels to Selected Graphs, and choose Show Graphs.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
• Cisco ASA 5500 Series Adaptive Security Appliances
• Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
• Cisco PIX Firewall Software
• Cisco Secure PIX Firewall Command References
• Product Field Notice Summary page (including PIX)
• Requests for Comments (RFCs)
• Technical Support &amp; Documentation - Cisco Systems