• Cisco OSPF has area 0 with 10.0.0.0/24.

    PFsense OSPF has area 0 with 10.0.0.0/24, area 10 with 10.10.2.0/24 and area 20 with 192.168.122.0/24.

    The routers have a full "FULL/DR" & "FULL/BDR" relationship with each other.

    However, although "show route" and "ip route" show routes from each of the different devices, OSPF neighbors can't talk to each other.
    (To rule out firewall/ACL on both Cisco and PFsense, I put in static routes and it worked.)

    What else can I do to make them talk to each other?

    Neighbor ID Pri State          Dead Time Address        Interface            RXmtL RqstL DBsmL
    5.5.5.5          1 Full/DR          39.320s 10.0.0.1      em3:10.0.0.119        0    0    0

    Thanks.


  • Too little info to go on. …

    Does the transit network work as intended?

    Please post the config/status/logs on pastebin or alternatives.


    Problems:
    (1) Seems PFsense interfaces rely on a static route for 10.0.0.0/24 hosts to be able to reach the HTTP webconfigurator
    (2) 192 hosts can't access the internet or ping from the PFsense interface
    (3) Can't SSH to 192 hosts from 10.0.0.0/24
    (4) But 192 hosts can talk to each other
    (5) From the ASA, I can ping PFsense interfaces but none of the 192 hosts
    (6) Disabled firewall/packet-filtering on PFsense for now to fix route issues

    (ASA output)

    
    cisASA# show route
    
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    
    Gateway of last resort is 107.204.168.1 to network 0.0.0.0
    
    S*    0.0.0.0 0.0.0.0 [1/0] via 107.204.168.1, outside
    O IA     10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
    C        107.0.0.0 255.0.0.0 is directly connected, outside
    L        107.204.169.233 255.255.255.255 is directly connected, outside
    C        10.0.0.0 255.255.0.0 is directly connected, inside
    L        10.0.0.1 255.255.255.255 is directly connected, inside
    O IA  192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
    
    cisASA# show ospf nei
    
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    100.100.100.100   1   FULL/BDR        0:00:39    10.0.0.119    inside
    cisASA# 
    
    

    (PFsense output)

    
    IPv4 Routes
    Destination       Gateway             Flags  Use     Mtu    Netif  Expire
    0.0.0.0/32        10.0.0.1            UGS    0       1450   em3
    default           10.0.0.1            UGS    57016   1450   em3
    8.8.8.8           00:3d:2c:15:26:57   UHS    17      1450   em3
    10.10.2.0/24      link#2              U      0       1450   em1
    10.10.2.1         link#2              UHS    212364  16384  lo0
    84.200.69.80      00:3d:2c:15:26:57   UHS    166     1450   em3
    127.0.0.1         link#8              UH     823     16384  lo0
    10.0.0.0/16       10.0.0.1            UGS    120297  1450   em3
    10.0.0.119        link#4              UHS    0       16384  lo0
    192.168.122.0/24  link#3              U      63230   1450   em2
    192.168.122.1     link#3              UHS    212299  16384  lo0
    
    

    
    Quagga OSPF Neighbors
    
        Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
    5.5.5.5           1 Full/DR           34.501s 10.0.0.1      em3:10.0.0.119         0     0     0

    (ASA Config)

    cisASA# show run
    
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(4) 
    !
    hostname cisASA
    
    enable password .jaY8R6W./JP9tz1 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !             
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.0.0 
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 7.4.1.2 255.0.0.0 
    !
    interface Vlan3
     no nameif    
     no security-level
     no ip address
    !
    boot system disk0:/asa924-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 84.200.69.80
     name-server 8.8.8.8
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-100
     subnet 10.0.0.0 255.255.0.0
    object network loader
    object network ospf-10
     subnet 10.0.2.0 255.255.255.0
    object network ospf-20
     subnet 10.0.20.0 255.255.255.0
    object network ospf-30
     subnet 10.0.30.0 255.255.255.0
    object network ospf-40
     subnet 192.168.122.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    
    access-list inside_access_in extended permit ip object obj-100 any4 
    access-list inside_access_in extended permit ip object ospf-10 any4 
    access-list inside_access_in extended permit ip object ospf-20 any4 
    access-list inside_access_in extended permit ip object ospf-30 any4 
    access-list inside_access_in extended permit ip object ospf-40 any4 
    access-list outside_access_in extended permit ip 192.168.0.0 255.255.0.0 any 
    access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0 any 
    access-list outside_access_in extended permit ip 172.16.0.0 255.240.0.0 any 
    pager lines 24
    logging enable
    logging buffer-size 987564
    logging buffered informational
    logging asdm informational
    mtu inside 1450
    mtu outside 1450
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-762-150.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    
    object network obj-1000
     nat (inside,outside) dynamic interface
    object network ospf-10
     nat (inside,outside) dynamic interface
    object network ospf-20
     nat (inside,outside) dynamic interface
    object network ospf-30
     nat (inside,outside) dynamic interface
    object network ospf-40
     nat (inside,outside) dynamic interface
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    access-group open-acl in interface outside
    router ospf 5505
     router-id 5.5.5.5
     network 10.0.0.0 255.255.0.0 area 0
     log-adj-changes
     redistribute static subnets
    !
    route outside 0.0.0.0 0.0.0.0 7.4.1.1
    
    management-access inside
    
    dhcp-client client-id interface outside
    dhcpd dns 84.200.69.80 8.8.8.8
    dhcpd update dns both override 
    dhcpd option 3 ip 10.0.0.1
    !
    dhcpd address 10.0.1.100-10.0.1.130 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 216.228.192.69 source outside
    
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
      inspect icmp 
    !
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:72ade258e5ac8ab26363b2a9beb2724a
    : end
    cisASA#
    
    

    (PFsense config is in GUI format)

    But pretty much the same.
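Once routing is confirmed (OSPF FULL, prefixes present in `show route`), the next thing to check on an ASA is whether the inbound ACL and the `access-group` bindings actually cover the prefixes OSPF has learned, since traffic is only "routable" after the interface ACL permits it. The script below is an added example written for this thread, not code from either poster: it parses an excerpt of the ASA `show run` and `show route` output quoted above (the embedded text is taken from the thread, with the NAT and policy-map sections omitted for brevity) and reports OSPF-learned prefixes on `inside` that no source entry of the inbound ACL permits, plus any `access-group` that references an undefined ACL. Function names are mine.

```python
import ipaddress
import re

# Excerpt of the ASA "show run" posted in the thread (objects, ACL and access-group only).
ASA_CONFIG = """\
object network obj-100
 subnet 10.0.0.0 255.255.0.0
object network loader
object network ospf-10
 subnet 10.0.2.0 255.255.255.0
object network ospf-20
 subnet 10.0.20.0 255.255.255.0
object network ospf-30
 subnet 10.0.30.0 255.255.255.0
object network ospf-40
 subnet 192.168.122.0 255.255.255.0
access-list inside_access_in extended permit ip object obj-100 any4
access-list inside_access_in extended permit ip object ospf-10 any4
access-list inside_access_in extended permit ip object ospf-20 any4
access-list inside_access_in extended permit ip object ospf-30 any4
access-list inside_access_in extended permit ip object ospf-40 any4
access-group inside_access_in in interface inside
access-group open-acl in interface outside
"""

# Excerpt of the ASA "show route" output posted in the thread.
ASA_ROUTES = """\
O IA     10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
C        10.0.0.0 255.255.0.0 is directly connected, inside
O IA  192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
"""


def parse_objects(config):
    """Map each 'object network' name to its subnet (None if the object is empty)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, None)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        if not line.startswith(" "):
            current = None  # left the object block
    return objects


def parse_acl_sources(config, acl_name, objects):
    """Source prefixes permitted by an extended ACL (object, any/any4, host or addr/mask)."""
    permitted = []
    pat = re.compile(rf"access-list {re.escape(acl_name)} extended permit \S+ (.+)$")
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        tok = m.group(1).split()
        if tok[0] == "object":
            net = objects.get(tok[1])
            if net is not None:
                permitted.append(net)
        elif tok[0] in ("any", "any4"):
            permitted.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tok[0] == "host":
            permitted.append(ipaddress.ip_network(f"{tok[1]}/32"))
        else:
            permitted.append(ipaddress.ip_network(f"{tok[0]}/{tok[1]}"))
    return permitted


def parse_routes(route_output):
    """Return (route code, prefix) for each route line of 'show route'."""
    routes = []
    for line in route_output.splitlines():
        m = re.match(r"(\S+(?: IA)?)\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            routes.append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
    return routes


def applied_acls(config):
    """Map interface name -> ACL bound inbound with access-group."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"access-group (\S+) in interface (\S+)", config)}


def uncovered_ospf_prefixes(config, route_output, interface="inside"):
    """OSPF-learned prefixes whose sources no entry of the interface's inbound ACL permits."""
    objects = parse_objects(config)
    acl = applied_acls(config).get(interface)
    permitted = parse_acl_sources(config, acl, objects) if acl else []
    return [prefix for code, prefix in parse_routes(route_output)
            if code.startswith("O") and not any(prefix.subnet_of(p) for p in permitted)]


def dangling_access_groups(config):
    """ACL names bound with access-group but never defined with access-list."""
    defined = set(re.findall(r"access-list (\S+) extended", config))
    return sorted(n for n in applied_acls(config).values() if n not in defined)


if __name__ == "__main__":
    print("OSPF prefixes not permitted by inbound ACL:",
          [str(p) for p in uncovered_ospf_prefixes(ASA_CONFIG, ASA_ROUTES)])
    print("access-groups with undefined ACL:", dangling_access_groups(ASA_CONFIG))
```

Run against the excerpt, it reports 10.10.2.0/24 as not matched by any `inside_access_in` source (the `ospf-10` object in the posted config is 10.0.2.0/24, while the OSPF route is 10.10.2.0/24) and `open-acl` as bound to `outside` without a matching `access-list` definition. The check only reads the ACL's source field; a fuller version would also evaluate the destination and service fields before deciding a flow is permitted.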