
OSPF Design Example 1

Supporting Routing Methods 145

As shown in Figure 9-3, in this example, the same OSPF process routes between the DMZ and the inside security domains. The FWSM is in single context routed mode. The configuration does not have MD5 enabled; it is a good practice to enable MD5 authentication, because without it any host on one of these VLANs can form an adjacency with the FWSM and inject routes. Example 9-2 shows the FWSM configuration.

Figure 9-3 OSPF Single-Process Between Two Security Zones

[Figure 9-3: Router 1 (R1) - Outside Router (MSFC); Router 2 (R2) - Inside Router; Router 3 (R3) - DMZ Router. VLAN 90 10.100.1.x (outside), VLAN 91 10.101.1.x (inside), VLAN 92 10.102.1.x (dmz); OSPF Process 4; FWSM (Single Context Routed Mode). The FWSM has a default route that points to the R1 router. VLANs 92 and 91 are configured in OSPF process 4. The FWSM advertises the default route to R2 and R3; default-information originate is configured. (Note that there is a static default route pointing to the outside security domain.)]

Example 9-2 FWSM Configuration

FWSM(config)# show run
: Saved
:
FWSM Version 3.1(3)6
!
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
! Configure the outside interface
interface Vlan90
 nameif outside
 security-level 0
 ip address 10.100.1.2 255.255.255.0
! Configure the inside interface
interface Vlan91
 nameif inside
 security-level 100
 ip address 10.101.1.2 255.255.255.0
! Configure the dmz interface
interface Vlan92
 nameif dmz
 security-level 50
 ip address 10.102.1.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! Configure the access list. Note that the access list should be configured based
! on the security policy
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
access-list 102 extended permit ip any any
access-list 106 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
! Configure NAT for the security domains defined
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 0.0.0.0 0.0.0.0
! Apply access list to the interfaces in the security domain
access-group 100 in interface outside
access-group 100 out interface outside
access-group 106 in interface inside
access-group 101 out interface inside
access-group 102 in interface dmz
access-group 102 out interface dmz
! Configure default route pointing to the outside next hop address
route outside 0.0.0.0 0.0.0.0 10.100.1.1 1
! Configure OSPF defined in each security domain. Configure the router Id. The
! default-information originate command will generate a default route in DMZ and
! inside security domains, based on the static route configured in the FWSM
! towards the outside security domain
router ospf 4
 network 10.101.0.0 255.255.0.0 area 0
 network 10.102.0.0 255.255.0.0 area 0
 router-id 10.101.1.2
 log-adj-changes
 default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1296bbc15e71a27c5087f81eae48b43c
: end

The following examples are the outputs for the configuration shown in "OSPF Design Example 1." Example 9-3 illustrates checking the routing table at the FWSM.

The route codes in the output of this show route command indicate the networks learned from OSPF neighbors as O, directly connected routes at the FWSM as C, and static routes configured in the FWSM as S. The static default (S*) carries administrative distance 1, shown as [1/0], so an OSPF-learned default (distance 110) from an inside or DMZ neighbor cannot displace it on the FWSM; the routers behind the FWSM, however, install whatever default the OSPF process offers them. Example 9-4 illustrates checking the OSPF database at the FWSM.

Example 9-3 Checking the Routing Table at the FWSM

FWSM(config)# show route
O    172.17.1.1 255.255.255.255 [110/11] via 10.102.1.1, 17:02:07, dmz
O    172.16.1.1 255.255.255.255 [110/11] via 10.101.1.1, 17:02:07, inside
C    10.102.1.0 255.255.255.0 is directly connected, dmz
C    10.101.1.0 255.255.255.0 is directly connected, inside
C    10.100.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.100.1.1, outside

Example 9-4 Checking the OSPF Database at the FWSM

FWSM(config)# show ospf 4 database

            OSPF Router with ID (10.101.1.2) (Process ID 4)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.109.1.1      10.109.1.1      1087        0x80000029 0x3ca5   2
10.101.1.2      10.101.1.2      1411        0x8000002b 0x43f2   2
10.102.1.1      10.102.1.1      1291        0x8000002b 0xe14    2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.101.1.1      10.109.1.1      1857        0x80000020 0x5fc9
10.102.1.1      10.102.1.1      1550        0x80000020 0x470a

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         10.101.1.2      1411        0x80000026 0x8e89   4

The output shown in Example 9-4 gives the LSA types in the OSPF process learned via the OSPF neighbors. Example 9-5 shows the partial output of the show ip route command at the DMZ router. Note that the default route (O*E2) is learned from the FWSM; it is an external Type 2 route.

Example 9-5 Displaying the IP Route at the DMZ Router

Gateway of last resort is 10.102.1.2 to network 0.0.0.0

     172.17.0.0/32 is subnetted, 1 subnets
C       172.17.1.1 is directly connected, Loopback201
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.1.1 [110/12] via 10.102.1.2, 17:01:34, Vlan92
     10.0.0.0/24 is subnetted, 2 subnets
C       10.102.1.0 is directly connected, Vlan92
O       10.101.1.0 [110/11] via 10.102.1.2, 17:01:34, Vlan92
O*E2    0.0.0.0/0 [110/1] via 10.102.1.2, 17:01:34, Vlan92
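The checks the chapter does by eye in Examples 9-3 and 9-5, reading the route code, exit interface and next hop of the default route, can be scripted. The following is an added example, not from the book: it parses FWSM show route and IOS show ip route output into structured records and verifies that the only default route has the expected code, interface and next hop. FWSM_SHOW_ROUTE and DMZ_SHOW_IP_ROUTE are copied from Examples 9-3 and 9-5; INJECTED_DEFAULT is a constructed FWSM table showing what a default route originated by a neighbor on the DMZ VLAN looks like, which is exactly what an unauthenticated OSPF adjacency (no MD5, as in these configurations) lets any host on that segment do.

```python
"""Parse FWSM 'show route' and IOS 'show ip route' output and verify where the
default route comes from. Added example, not from the book. FWSM_SHOW_ROUTE and
DMZ_SHOW_IP_ROUTE are copied from Examples 9-3 and 9-5; INJECTED_DEFAULT is a
constructed FWSM table in which a DMZ neighbour has originated 0.0.0.0/0."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One grammar covers both tables on this page:
#   CODE prefix[ mask|/len] [AD/metric] via NEXTHOP, [age,] IFACE
#   CODE prefix[ mask|/len] is directly connected, IFACE
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: ?(?:E[12]|IA|N[12]))?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?"
    r"(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s+"
    r"(?:is directly connected,\s+(?P<ciface>\S+)"
    r"|\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),"
    r"(?:\s+[\w:]+,)?\s+(?P<iface>\S+))"
)
# IOS prints "X.X.X.X/len is subnetted" above classful children that omit their /len.
PARENT_RE = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(?P<plen>\d+) is (?:variably )?subnetted")


@dataclass(frozen=True)
class Route:
    code: str                      # O, C, S*, O*E2, O E2, ...
    network: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[str]        # None for connected routes
    ad: Optional[int]
    metric: Optional[int]


def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    parent_plen: Optional[int] = None
    for line in text.splitlines():
        parent = PARENT_RE.match(line)
        if parent:
            parent_plen = int(parent["plen"])
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue               # "Gateway of last resort", blanks, legend text
        plen = m["mask"] or m["plen"] or parent_plen
        if plen is None:
            raise ValueError(f"no prefix length for route line: {line!r}")
        net = ipaddress.ip_network(f"{m['prefix']}/{plen}", strict=False)
        if m["ciface"]:
            routes.append(Route(m["code"], net, m["ciface"], None, None, None))
        else:
            routes.append(Route(m["code"], net, m["iface"], m["nh"],
                                int(m["ad"]), int(m["metric"])))
    return routes


def default_route_findings(routes: List[Route], code: str, iface: str,
                           next_hop: Optional[str] = None) -> List[str]:
    """Verify the single default route's code, exit interface and next hop.
    A default arriving on a lower-security interface means a neighbour there is
    originating 0.0.0.0/0; without MD5 on the adjacency any host on that VLAN can."""
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        return ["no default route installed"]
    findings = [f"{len(defaults)} default routes installed"] if len(defaults) > 1 else []
    for r in defaults:
        if r.code != code:
            findings.append(f"default route is {r.code}, expected {code}")
        if r.iface != iface:
            findings.append(f"default route exits {r.iface}, expected {iface}")
        if next_hop and r.next_hop != next_hop:
            findings.append(f"default route via {r.next_hop}, expected {next_hop}")
    return findings


FWSM_SHOW_ROUTE = """\
O    172.17.1.1 255.255.255.255 [110/11] via 10.102.1.1, 17:02:07, dmz
O    172.16.1.1 255.255.255.255 [110/11] via 10.101.1.1, 17:02:07, inside
C    10.102.1.0 255.255.255.0 is directly connected, dmz
C    10.101.1.0 255.255.255.0 is directly connected, inside
C    10.100.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.100.1.1, outside
"""
DMZ_SHOW_IP_ROUTE = """\
Gateway of last resort is 10.102.1.2 to network 0.0.0.0
     172.17.0.0/32 is subnetted, 1 subnets
C       172.17.1.1 is directly connected, Loopback201
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.1.1 [110/12] via 10.102.1.2, 17:01:34, Vlan92
     10.0.0.0/24 is subnetted, 2 subnets
C       10.102.1.0 is directly connected, Vlan92
O       10.101.1.0 [110/11] via 10.102.1.2, 17:01:34, Vlan92
O*E2    0.0.0.0/0 [110/1] via 10.102.1.2, 17:01:34, Vlan92
"""
INJECTED_DEFAULT = """\
C    10.102.1.0 255.255.255.0 is directly connected, dmz
C    10.100.1.0 255.255.255.0 is directly connected, outside
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.102.1.1, 0:00:09, dmz
"""
```

Run it against the FWSM with the expectation ("S*", "outside", "10.100.1.1") and against R2 and R3 with ("O*E2", their FWSM-facing VLAN, the FWSM's address on it). An empty list reproduces the state the chapter shows; a finding on the FWSM means a neighbor on a lower-security interface is originating 0.0.0.0/0, and a finding on a downstream router means its default no longer comes from the firewall.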

Example 9-6 shows the partial output of the show ip route command at the inside router. Note that the default route (O*E2) is learned from the FWSM.

Example 9-6 Displaying the IP Routes at the Inside Router

Gateway of last resort is 10.101.1.2 to network 0.0.0.0

     172.17.0.0/32 is subnetted, 1 subnets
O       172.17.1.1 [110/12] via 10.101.1.2, 17:01:25, Vlan91
     172.16.0.0/32 is subnetted, 1 subnets
C       172.16.1.1 is directly connected, Loopback200
     10.0.0.0/24 is subnetted, 2 subnets
O       10.102.1.0 [110/11] via 10.101.1.2, 17:01:25, Vlan91
C       10.101.1.0 is directly connected, Vlan91
O*E2    0.0.0.0/0 [110/0] via 10.101.1.2, 17:01:32, Vlan91

OSPF Design Example 2

As shown in Figure 9-4, in this example, the same OSPF process routes between the DMZ and the inside security domains, and a separate OSPF process routes packets to the outside security domain; the two processes are redistributed into each other. The FWSM is in single context routed mode. Note that only two OSPF processes can be configured in single context routed mode. The configuration does not have MD5 enabled; it is a good practice to enable MD5 authentication. Example 9-7 shows the FWSM configuration in single context routed mode.

Figure 9-4 Dual OSPF Processes Between Security Domains

[Figure 9-4: Router 1 (R1) - Outside Router (MSFC); Router 2 (R2) - Inside Router; Router 3 (R3) - DMZ Router. VLAN 90 10.100.1.x (outside) is configured in OSPF Process 5; VLAN 91 10.101.1.x (inside) and VLAN 92 10.102.1.x (dmz) are configured in OSPF Process 4; mutual redistribution between the two processes; FWSM (Single Context Routed Mode). The FWSM learns the default route through OSPF process 5 and advertises it to R2 and R3: the default route is learned via OSPF process 5 and advertised in OSPF process 4.]

Example 9-7 FWSM Configuration in Single Context Routed Mode

FWSM# show run
: Saved
:
FWSM Version 3.1(3)6
!
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
! Configure the outside interface
interface Vlan90
 nameif outside
 security-level 0
 ip address 10.100.1.2 255.255.255.0
! Configure the inside interface
interface Vlan91
 nameif inside
 security-level 100
 ip address 10.101.1.2 255.255.255.0
! Configure the DMZ interface
interface Vlan92
 nameif dmz
 security-level 50
 ip address 10.102.1.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! The access list will be defined based on the security rule set. In this configuration
! the access list is defined to pass all traffic through the FWSM
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
access-list 102 extended permit ip any any
access-list 106 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
! Configure NAT for each security domain defined in the FWSM
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 0.0.0.0 0.0.0.0
! Apply the access list to the interface
access-group 100 in interface outside
access-group 100 out interface outside
access-group 106 in interface inside
access-group 101 out interface inside
access-group 102 in interface dmz
access-group 102 out interface dmz
! Configure OSPF and advertise the networks in the inside and dmz security domains.
! Redistribute the OSPF process of the outside security domain (ospf 5) to ospf 4
router ospf 4
 network 10.101.0.0 255.255.0.0 area 0
 network 10.102.0.0 255.255.0.0 area 0
 router-id 10.101.1.2
 log-adj-changes
 redistribute ospf 5 subnets
 default-information originate
! Configure OSPF and advertise the networks in the outside security domain. Redistribute
! the OSPF process of the inside and DMZ security domains (ospf 4) to ospf 5
router ospf 5
 network 10.100.1.0 255.255.255.0 area 0
 log-adj-changes
 redistribute ospf 4 subnets
 summary-address 10.102.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

The following are the outputs for the configuration shown in "OSPF Design Example 2." Example 9-8 displays the show route command at the FWSM. Note that the default route (O*E2) is learned in the FWSM from the outside security domain. Because the redistribute commands carry no route-map, every route in either process is passed into the other; a route-map on each redistribute statement is the usual way to limit what crosses the security boundary.

To display routes in a particular OSPF process in the FWSM, use the show ospf <process-id> database command, as shown in Example 9-9.

Example 9-8 The show route Command at the FWSM

FWSM# show route
O    172.17.1.1 255.255.255.255 [110/11] via 10.102.1.1, 0:15:12, dmz
O    172.16.1.1 255.255.255.255 [110/11] via 10.100.1.1, 0:15:27, outside
O    10.102.0.0 255.255.0.0 is a summary, 0:01:50, OSPF Unknown Type
C    10.102.1.0 255.255.255.0 is directly connected, dmz
C    10.101.1.0 255.255.255.0 is directly connected, inside
C    10.100.1.0 255.255.255.0 is directly connected, outside
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.100.1.1, 0:15:27, outside

Example 9-9 Check the OSPF Database in the FWSM

FWSM# show ospf 4 database

            OSPF Router with ID (10.101.1.2) (Process ID 4)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.109.1.1      10.109.1.1      947         0x800003b5 0xc2c4   1
10.101.1.2      10.101.1.2      941         0x80000003 0x93ca   2
10.102.1.1      10.102.1.1      798         0x800003b6 0xeda5   2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.101.1.1      10.109.1.1      942         0x800003ab 0x3f5b
10.102.1.1      10.102.1.1      941         0x800003a9 0x2b99

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         10.101.1.2      944         0x80000001 0xd864   4
172.16.1.1      10.101.1.2      944         0x80000001 0x55bd   0
10.100.1.0      10.101.1.2      954         0x80000001 0xa820   0
10.102.0.0      10.101.1.2      128         0x80000001 0x418f   0

FWSM# show ospf 5 database

            OSPF Router with ID (10.102.1.2) (Process ID 5)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.1.1      172.16.1.1      960         0x80000007 0x3497   2
10.102.1.2      10.102.1.2      954         0x80000004 0x4814   1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.100.1.1      172.16.1.1      960         0x80000001 0xdb32

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         172.16.1.1      1542        0x80000001 0x7416   5
172.17.1.1      10.102.1.2      946         0x80000001 0x63c7   0
10.101.1.0      10.102.1.2      965         0x80000001 0x9432   0
10.102.0.0      10.102.1.2      134         0x80000001 0x9333   0


Example 9-10 shows a partial output of routes learned at the Layer 3 device in the outside security domain, using the show ip route command. In the command output, you will notice the inside routes appearing as external Type 2 routes.

To display the IP routes at the DMZ Layer 3 device, use the show ip route command, as shown in Example 9-11. The default route is learned via OSPF from the FWSM.

Example 9-12 shows a partial output of the IP routes at the Layer 3 device in the inside security domain. The default route is learned via the FWSM.

Example 9-10 The show ip route Command at the Next Hop Layer 3 Device in the Outside Security Domain

     172.17.0.0/32 is subnetted, 1 subnets
O E2    172.17.1.1 [110/11] via 10.100.1.2, 00:16:41, Vlan90
     172.16.0.0/32 is subnetted, 1 subnets
C       172.16.1.1 is directly connected, Loopback100
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2    10.102.0.0/16 [110/10] via 10.100.1.2, 00:03:10, Vlan90
O E2    10.101.1.0/24 [110/10] via 10.100.1.2, 00:16:47, Vlan90
C       10.100.1.0/24 is directly connected, Vlan90

Example 9-11 The show ip route Command at a Layer 3 Device in the DMZ Domain

Gateway of last resort is 10.102.1.2 to network 0.0.0.0

     172.17.0.0/32 is subnetted, 1 subnets
C       172.17.1.1 is directly connected, Loopback201
     172.16.0.0/32 is subnetted, 1 subnets
O E2    172.16.1.1 [110/11] via 10.102.1.2, 00:08:22, Vlan92
     10.0.0.0/24 is subnetted, 3 subnets
C       10.102.1.0 is directly connected, Vlan92
O       10.101.1.0 [110/11] via 10.102.1.2, 00:08:22, Vlan92
O E2    10.100.1.0 [110/10] via 10.102.1.2, 00:08:22, Vlan92
O*E2    0.0.0.0/0 [110/1] via 10.102.1.2, 00:08:22, Vlan92

Example 9-12 The show ip route Command at the Inside Security Domain

Gateway of last resort is 10.101.1.2 to network 0.0.0.0

     172.17.0.0/32 is subnetted, 1 subnets
O       172.17.1.1 [110/12] via 10.101.1.2, 00:09:14, Vlan91
     172.16.0.0/32 is subnetted, 1 subnets
O E2    172.16.1.1 [110/11] via 10.101.1.2, 00:09:14, Vlan91
     10.0.0.0/24 is subnetted, 3 subnets
O       10.102.1.0 [110/11] via 10.101.1.2, 00:09:14, Vlan91
C       10.101.1.0 is directly connected, Vlan91
O E2    10.100.1.0 [110/10] via 10.101.1.2, 00:09:14, Vlan91
O*E2    0.0.0.0/0 [110/1] via 10.101.1.2, 00:09:14, Vlan91
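Both design examples state that MD5 is not enabled, both apply access lists that permit ip any any on every interface, and Example 9-7 redistributes between the two OSPF processes with no route-map, so every route from the outside process is injected into the inside and DMZ areas and vice versa. The following script is an added example, not from the book: it audits a saved FWSM/ASA running-config for those three weaknesses. WEAK is trimmed from Example 9-7; HARDENED is a constructed counterpart that enables MD5 (per area on ospf 4, per interface on ospf 5), attaches a route-map to each redistribute statement and applies a specific access list. The key strings, the route-map names OSPF5-TO-4 and OSPF4-TO-5 and the server address 10.102.1.10 are assumptions; the route-maps themselves are assumed to be defined elsewhere in the config, since the audit only checks that one is attached.

```python
"""Audit an FWSM/ASA running-config for the weaknesses this chapter's examples carry
(OSPF without MD5, OSPF-to-OSPF redistribution without a route-map, ACLs permitting
ip any any). Added example, not from the book; WEAK is trimmed from Example 9-7 and
HARDENED is a constructed counterpart (keys, route-map names, server IP assumed)."""
import ipaddress
from typing import List, Tuple


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split ASA-style text into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith(("!", ":")):
            if raw[0].isspace() and blocks:
                blocks[-1][1].append(raw.strip())
            else:
                blocks.append((raw.strip(), []))
    return blocks


def audit(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means the config passes."""
    ifaces, ospf, permit_any, groups, findings = {}, {}, set(), [], []
    for header, subs in parse_config(text):
        w = header.split()
        if w[0] == "interface":
            f = {s.split()[0]: s.split()[1:] for s in subs}        # first word -> arguments
            if "nameif" in f and "ip" in f:                          # ip address ADDR MASK
                ifaces[f["nameif"][0]] = (ipaddress.ip_interface("/".join(f["ip"][1:3])), subs)
        elif w[:2] == ["router", "ospf"]:                            # network NET MASK area AREA
            nets = [(ipaddress.ip_network(f"{s.split()[1]}/{s.split()[2]}", strict=False),
                     s.split()[4]) for s in subs if s.startswith("network ")]
            md5_areas = {s.split()[1] for s in subs
                         if s.startswith("area ") and s.endswith(" authentication message-digest")}
            ospf[w[2]] = (nets, md5_areas, [s for s in subs if s.startswith("redistribute ")])
        elif w[0] == "access-list" and header.endswith(" permit ip any any"):
            permit_any.add(w[1])
        elif w[0] == "access-group":                                 # access-group ACL in|out interface IF
            groups.append((w[1], w[2], w[4]))
    for pid, (nets, md5_areas, redist) in ospf.items():
        for nameif, (addr, subs) in ifaces.items():
            for net, area in nets:
                if addr.ip not in net:
                    continue
                # MD5 protects an interface only if a key is present AND authentication
                # is enabled, either on the interface itself or for its whole area.
                has_key = any(s.startswith("ospf message-digest-key ") for s in subs)
                if_auth = any(s.startswith("ospf authentication message-digest") for s in subs)
                if not (has_key and (if_auth or area in md5_areas)):
                    findings.append(f"ospf {pid}: {nameif} ({addr.ip}) area {area} without MD5 authentication")
        findings += [f"ospf {pid}: '{s}' has no route-map, every route crosses the zone boundary"
                     for s in redist if "route-map" not in s]
    findings += [f"access-group {acl} {d} interface {n} permits ip any any"
                 for acl, d, n in groups if acl in permit_any]
    return findings


WEAK = """\
interface Vlan90
 nameif outside
 ip address 10.100.1.2 255.255.255.0
interface Vlan91
 nameif inside
 ip address 10.101.1.2 255.255.255.0
interface Vlan92
 nameif dmz
 ip address 10.102.1.2 255.255.255.0
access-list 100 extended permit ip any any
access-group 100 in interface outside
router ospf 4
 network 10.101.0.0 255.255.0.0 area 0
 network 10.102.0.0 255.255.0.0 area 0
 redistribute ospf 5 subnets
router ospf 5
 network 10.100.1.0 255.255.255.0 area 0
 redistribute ospf 4 subnets
"""
HARDENED = """\
interface Vlan90
 nameif outside
 ip address 10.100.1.2 255.255.255.0
 ospf message-digest-key 1 md5 OutsideKey-CHANGE-ME
 ospf authentication message-digest
interface Vlan91
 nameif inside
 ip address 10.101.1.2 255.255.255.0
 ospf message-digest-key 1 md5 InsideKey-CHANGE-ME
interface Vlan92
 nameif dmz
 ip address 10.102.1.2 255.255.255.0
 ospf message-digest-key 1 md5 DmzKey-CHANGE-ME
access-list OUTSIDE-IN extended permit tcp any host 10.102.1.10 eq www
access-group OUTSIDE-IN in interface outside
router ospf 4
 network 10.101.0.0 255.255.0.0 area 0
 network 10.102.0.0 255.255.0.0 area 0
 area 0 authentication message-digest
 redistribute ospf 5 subnets route-map OSPF5-TO-4
router ospf 5
 network 10.100.1.0 255.255.255.0 area 0
 redistribute ospf 4 subnets route-map OSPF4-TO-5
"""
```

Feed audit() the text of show running-config. The MD5 check deliberately requires both a message-digest key on the interface and authentication enabled for it, because a key alone does nothing: on the FWSM, as on the ASA, authentication is switched on per interface with ospf authentication message-digest or for a whole area with area <id> authentication message-digest under router ospf, and a neighbor that does not use the same key then fails to form an adjacency.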