OSPF between Cisco & PFsense
-
Cisco OSPF has area 0 with 10.0.0.0/24.
PFsense OSPF has area 0 with 10.0.0.0/24 and area 10 with 10.10.2.0/24 and area 20 with 192.168.122.0/24.
The routers have full "FULL/DR" & "FULL/BDR" relationship with each other.
However, although "show route" and "ip route" show routes from each of the different devices, the OSPF neighbors can't talk to each other.
(To rule out firewall/ACL on both Cisco and PFsense, I put in static routes and it worked.) What else can I do to make them talk to each other?

Neighbor ID  Pri  State    Dead Time  Address   Interface        RXmtL  RqstL  DBsmL
5.5.5.5      1    Full/DR  39.320s    10.0.0.1  em3:10.0.0.119   0      0      0

Thanks.
-
Too little info to go on. …
Does the transit network work as intended?
Please post the config/status/logs on pastebin or alternatives.
-
Problems:
(1) It seems the PFsense interfaces rely on a static route for 10.0.0.0/24 hosts to be able to reach the HTTP webconfigurator.
(2) 192 hosts can't access the internet or ping from the PFsense interface.
(3) Can't SSH to 192 hosts from 10.0.0.0/24.
(4) But 192 hosts can talk to each other.
(5) From the ASA, I can ping the PFsense interfaces but none of the 192 hosts.
(6) Disabled firewall/packet-filtering on PFsense for now to fix the route issues.

(ASA output)
cisASA# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 107.204.168.1 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 107.204.168.1, outside
O IA 10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
C    107.0.0.0 255.0.0.0 is directly connected, outside
L    107.204.169.233 255.255.255.255 is directly connected, outside
C    10.0.0.0 255.255.0.0 is directly connected, inside
L    10.0.0.1 255.255.255.255 is directly connected, inside
O IA 192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside

cisASA# show ospf nei

Neighbor ID      Pri   State      Dead Time   Address      Interface
100.100.100.100    1   FULL/BDR   0:00:39     10.0.0.119   inside
cisASA#
(PFsense output)
IPv4 Routes
Destination        Gateway             Flags  Use     Mtu    Netif  Expire
0.0.0.0/32         10.0.0.1            UGS    0       1450   em3
default            10.0.0.1            UGS    57016   1450   em3
8.8.8.8            00:3d:2c:15:26:57   UHS    17      1450   em3
10.10.2.0/24       link#2              U      0       1450   em1
10.10.2.1          link#2              UHS    212364  16384  lo0
84.200.69.80       00:3d:2c:15:26:57   UHS    166     1450   em3
127.0.0.1          link#8              UH     823     16384  lo0
10.0.0.0/16        10.0.0.1            UGS    120297  1450   em3
10.0.0.119         link#4              UHS    0       16384  lo0
192.168.122.0/24   link#3              U      63230   1450   em2
192.168.122.1      link#3              UHS    212299  16384  lo0

Quagga OSPF Neighbors
Neighbor ID  Pri  State    Dead Time  Address   Interface        RXmtL  RqstL  DBsmL
5.5.5.5      1    Full/DR  34.501s    10.0.0.1  em3:10.0.0.119   0      0      0

(ASA Config)
cisASA# show run
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
: ASA Version 9.2(4)
!
hostname cisASA
enable password .jaY8R6W./JP9tz1 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7.4.1.2 255.0.0.0
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 84.200.69.80
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-100
 subnet 10.0.0.0 255.255.0.0
object network loader
object network ospf-10
 subnet 10.0.2.0 255.255.255.0
object network ospf-20
 subnet 10.0.20.0 255.255.255.0
object network ospf-30
 subnet 10.0.30.0 255.255.255.0
object network ospf-40
 subnet 192.168.122.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
access-list inside_access_in extended permit ip object obj-100 any4
access-list inside_access_in extended permit ip object ospf-10 any4
access-list inside_access_in extended permit ip object ospf-20 any4
access-list inside_access_in extended permit ip object ospf-30 any4
access-list inside_access_in extended permit ip object ospf-40 any4
access-list outside_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended permit ip 172.16.0.0 255.240.0.0 any
pager lines 24
logging enable
logging buffer-size 987564
logging buffered informational
logging asdm informational
mtu inside 1450
mtu outside 1450
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-1000
 nat (inside,outside) dynamic interface
object network ospf-10
 nat (inside,outside) dynamic interface
object network ospf-20
 nat (inside,outside) dynamic interface
object network ospf-30
 nat (inside,outside) dynamic interface
object network ospf-40
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group open-acl in interface outside
router ospf 5505
 router-id 5.5.5.5
 network 10.0.0.0 255.255.0.0 area 0
 log-adj-changes
 redistribute static subnets
!
route outside 0.0.0.0 0.0.0.0 7.4.1.1
management-access inside
dhcp-client client-id interface outside
dhcpd dns 84.200.69.80 8.8.8.8
dhcpd update dns both override
dhcpd option 3 ip 10.0.0.1
!
dhcpd address 10.0.1.100-10.0.1.130 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 216.228.192.69 source outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:72ade258e5ac8ab26363b2a9beb2724a
: end
cisASA#
(PFsense config is in GUI format, but pretty much the same.)
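As an added example (not code from the thread), here is the consistency check I would run on the two route tables posted above before chasing the OSPF adjacency any further: it normalises the ASA "show route" lines and the pfSense route table to prefixes and lists every prefix the two sides reach by different means. On the posted lines the only hit is 10.0.0.0/16, which the ASA holds as a connected network while pfSense reaches it only through a static route (UGS), which is exactly problem (1) above.

```python
import ipaddress
import re
# Route lines copied from the ASA "show route" and the pfSense route table posted above.
ASA_ROUTES = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 107.204.168.1, outside
O IA 10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
C 10.0.0.0 255.255.0.0 is directly connected, inside
O IA 192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
"""
PFSENSE_ROUTES = """\
default 10.0.0.1 UGS 57016 1450 em3
10.10.2.0/24 link#2 U 0 1450 em1
10.0.0.0/16 10.0.0.1 UGS 120297 1450 em3
192.168.122.0/24 link#3 U 63230 1450 em2
"""
# ASA: code, optional OSPF subtype (IA/E1/E2/N1/N2), network, dotted mask; pfSense: dest, gateway, flags
ASA_LINE = re.compile(r"^(\S+)(?:\s+(IA|E[12]|N[12]))?\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})")
PF_LINE = re.compile(r"^(default|\d+(?:\.\d+){3}(?:/\d+)?)\s+(\S+)\s+([A-Z]+)")

def parse_asa(text):
    """Map prefix -> route source code: C connected, S static, O OSPF, L local."""
    routes = {}
    for line in text.splitlines():
        m = ASA_LINE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            routes[net] = m.group(1).rstrip("*")  # "S*" marks the candidate default
    return routes

def parse_pfsense(text):
    """Map prefix -> S (static flag), C (no gateway flag) or O (gateway route without S, i.e. daemon-installed)."""
    routes = {}
    for line in text.splitlines():
        m = PF_LINE.match(line)
        if m:
            dest, flags = m.group(1), m.group(3)
            dest = "0.0.0.0/0" if dest == "default" else dest if "/" in dest else dest + "/32"
            routes[ipaddress.ip_network(dest, strict=False)] = "S" if "S" in flags else "C" if "G" not in flags else "O"
    return routes

def compare(asa, pf):
    """Return (prefix, asa_source, pf_source) for each prefix the two sides disagree on; agreement means
    connected on one side and OSPF-learned on the other, or the same source on both (e.g. both static defaults)."""
    findings = []
    for net in sorted(n for n in set(asa) | set(pf) if n.prefixlen < 32):  # host routes never cross the link
        a, p = asa.get(net, "-"), pf.get(net, "-")
        if a != p and {a, p} != {"C", "O"}:
            findings.append((str(net), a, p))
    return findings
```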