Netgate Discussion Forum

    OSPF between Cisco & PFsense

    Routing and Multi WAN
    • sendalot

      Cisco OSPF has area 0 with 10.0.0.0/24.

      PFsense OSPF has area 0 with 10.0.0.0/24 and area 10 with 10.10.2.0/24 and area 20 with 192.168.122.0/24.

      The routers have a full "FULL/DR" & "FULL/BDR" relationship with each other.

      However, although "show route" and "ip route" show routes from each of the different devices, OSPF neighbors can't talk to each other.
      (To rule out firewall/acl on both Cisco and PFsense, I put in static routes and it worked).

      What else can I do to make them talk to each other?

      Neighbor ID Pri State          Dead Time Address        Interface            RXmtL RqstL DBsmL
      5.5.5.5          1 Full/DR          39.320s 10.0.0.1      em3:10.0.0.119        0    0    0

      Thanks.

      • heper

        Too little info to go on. …

        Does the transit network work as intended?

        Please post the config/status/logs on pastebin or alternatives.

        • sendalot

          Problems:
          (1) Seems PFsense interfaces rely on a static route for 10.0.0.0/24 hosts to be able to reach the HTTP webConfigurator
          (2) 192 hosts can't access the internet or ping from the PFsense interface
          (3) Can't SSH to 192 hosts from 10.0.0.0/24
          (4) But 192 hosts can talk to each other
          (5) From the ASA, I can ping PFsense interfaces but none of the 192 hosts.
          (6) Disabled firewall/packet-filtering on PFsense for now to fix route issues.

          (ASA output)

          
          cisASA# show route
          
          Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
                 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
                 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                 E1 - OSPF external type 1, E2 - OSPF external type 2
                 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                 ia - IS-IS inter area, * - candidate default, U - per-user static route
                 o - ODR, P - periodic downloaded static route, + - replicated route
          
          Gateway of last resort is 107.204.168.1 to network 0.0.0.0
          
          S*    0.0.0.0 0.0.0.0 [1/0] via 107.204.168.1, outside
          O IA     10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
          C        107.0.0.0 255.0.0.0 is directly connected, outside
          L        107.204.169.233 255.255.255.255 is directly connected, outside
          C        10.0.0.0 255.255.0.0 is directly connected, inside
          L        10.0.0.1 255.255.255.255 is directly connected, inside
          O IA  192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
          
          cisASA# show ospf nei
          
          Neighbor ID     Pri   State           Dead Time   Address         Interface
          100.100.100.100   1   FULL/BDR        0:00:39    10.0.0.119    inside
          cisASA# 

          (PFsense output)

          
          IPv4 Routes
          Destination Gateway Flags   Use Mtu Netif   Expire
          0.0.0.0/32  10.0.0.1    UGS 0   1450    em3 
          default 10.0.0.1    UGS 57016   1450    em3 
          8.8.8.8 00:3d:2c:15:26:57   UHS 17  1450    em3 
          10.10.2.0/24    link#2  U   0   1450    em1 
          10.10.2.1   link#2  UHS 212364  16384   lo0 
          84.200.69.80    00:3d:2c:15:26:57   UHS 166 1450    em3 
          127.0.0.1   link#8  UH  823 16384   lo0 
          10.0.0.0/16 10.0.0.1    UGS 120297  1450    em3 
          10.0.0.119  link#4  UHS 0   16384   lo0 
          192.168.122.0/24    link#3  U   63230   1450    em2 
          192.168.122.1   link#3  UHS 212299  16384   lo0 
          Quagga OSPF Neighbors
          
              Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
          5.5.5.5           1 Full/DR           34.501s 10.0.0.1      em3:10.0.0.119         0     0     0

          (ASA Config)

          cisASA# show run
          
          : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
          :
          ASA Version 9.2(4) 
          !
          hostname cisASA
          
          enable password .jaY8R6W./JP9tz1 encrypted
          xlate per-session deny tcp any4 any4
          xlate per-session deny tcp any4 any6
          xlate per-session deny tcp any6 any4
          xlate per-session deny tcp any6 any6
          xlate per-session deny udp any4 any4 eq domain
          xlate per-session deny udp any4 any6 eq domain
          xlate per-session deny udp any6 any4 eq domain
          xlate per-session deny udp any6 any6 eq domain
          
          names
          !
          interface Ethernet0/0
           switchport access vlan 2
          !
          interface Ethernet0/1
          !             
          interface Ethernet0/2
          !
          interface Ethernet0/3
          !
          interface Ethernet0/4
          !
          interface Ethernet0/5
          !
          interface Ethernet0/6
          !
          interface Ethernet0/7
          !
          interface Vlan1
           nameif inside
           security-level 100
           ip address 10.0.0.1 255.255.0.0 
          !
          interface Vlan2
           nameif outside
           security-level 0
           ip address 7.4.1.2 255.0.0.0 
          !
          interface Vlan3
           no nameif    
           no security-level
           no ip address
          !
          boot system disk0:/asa924-k8.bin
          ftp mode passive
          clock timezone PST -8
          clock summer-time PDT recurring
          dns domain-lookup inside
          dns server-group DefaultDNS
           name-server 84.200.69.80
           name-server 8.8.8.8
          same-security-traffic permit inter-interface
          same-security-traffic permit intra-interface
          object network obj-100
           subnet 10.0.0.0 255.255.0.0
          object network loader
          object network ospf-10
           subnet 10.0.2.0 255.255.255.0
          object network ospf-20
           subnet 10.0.20.0 255.255.255.0
          object network ospf-30
           subnet 10.0.30.0 255.255.255.0
          object network ospf-40
           subnet 192.168.122.0 255.255.255.0
          object-group service DM_INLINE_SERVICE_1
          
          access-list inside_access_in extended permit ip object obj-100 any4 
          access-list inside_access_in extended permit ip object ospf-10 any4 
          access-list inside_access_in extended permit ip object ospf-20 any4 
          access-list inside_access_in extended permit ip object ospf-30 any4 
          access-list inside_access_in extended permit ip object ospf-40 any4 
          access-list outside_access_in extended permit ip 192.168.0.0 255.255.0.0 any 
          access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0 any 
          access-list outside_access_in extended permit ip 172.16.0.0 255.240.0.0 any 
          pager lines 24
          logging enable
          logging buffer-size 987564
          logging buffered informational
          logging asdm informational
          mtu inside 1450
          mtu outside 1450
          ip verify reverse-path interface inside
          ip verify reverse-path interface outside
          icmp unreachable rate-limit 1 burst-size 1
          asdm image disk0:/asdm-762-150.bin
          no asdm history enable
          arp timeout 14400
          no arp permit-nonconnected
          !
          
          object network obj-1000
           nat (inside,outside) dynamic interface
          object network ospf-10
           nat (inside,outside) dynamic interface
          object network ospf-20
           nat (inside,outside) dynamic interface
          object network ospf-30
           nat (inside,outside) dynamic interface
          object network ospf-40
           nat (inside,outside) dynamic interface
          !
          nat (inside,outside) after-auto source dynamic any interface
          access-group inside_access_in in interface inside
          access-group open-acl in interface outside
          router ospf 5505
           router-id 5.5.5.5
           network 10.0.0.0 255.255.0.0 area 0
           log-adj-changes
           redistribute static subnets
          !
          route outside 0.0.0.0 0.0.0.0 7.4.1.1
          
          management-access inside
          
          dhcp-client client-id interface outside
          dhcpd dns 84.200.69.80 8.8.8.8
          dhcpd update dns both override 
          dhcpd option 3 ip 10.0.0.1
          !
          dhcpd address 10.0.1.100-10.0.1.130 inside
          dhcpd enable inside
          !
          threat-detection basic-threat
          threat-detection statistics host
          threat-detection statistics access-list
          threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
          ntp server 216.228.192.69 source outside
          
          !
          class-map inspection_default
           match default-inspection-traffic
          !
          !
          policy-map type inspect dns preset_dns_map
           parameters
            message-length maximum client auto
            message-length maximum 512
          policy-map global_policy
           class inspection_default
            inspect dns preset_dns_map 
            inspect ftp 
            inspect h323 h225 
            inspect h323 ras 
            inspect rsh 
            inspect rtsp 
            inspect esmtp 
            inspect sqlnet 
            inspect skinny  
            inspect sunrpc 
            inspect xdmcp 
            inspect sip  
            inspect netbios 
            inspect tftp 
            inspect ip-options 
            inspect icmp 
          !
          service-policy global_policy global
          prompt hostname context 
          no call-home reporting anonymous
          Cryptochecksum:72ade258e5ac8ab26363b2a9beb2724a
          : end
          cisASA#
          
          

          (PFsense Config is in GUI format)

          But pretty much the same
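Added example (not from the thread, and not Netgate or Cisco code): one mechanical check a reader can run over the posted ASA output. The ASA learns prefixes via OSPF and lists them in "show route", but an interface ACL such as inside_access_in only permits sources that match one of its entries; anything else hits the implicit deny. The script below parses the OSPF-learned routes from the "show route" excerpt, collects the source prefixes that the inside ACL permits (by expanding the `object network` definitions), and reports every OSPF route on the inside interface that is not covered. The two string constants are excerpts copied from the output in the third post; the regex and ACL grammar handled here are an assumption limited to the forms that appear on this page (`object NAME`, `A.B.C.D MASK`, `any`/`any4`). On these excerpts it reports 10.10.2.0/24, since the object subnets are 10.0.2.0/24, 10.0.20.0/24, 10.0.30.0/24, 192.168.122.0/24 and 10.0.0.0/16; 192.168.122.0/24 is covered by ospf-40.

```python
import ipaddress
import re

# Excerpts copied from the ASA "show route" and "show run" output posted in
# the thread, trimmed to the lines this check needs.
ASA_SHOW_ROUTE = """\
S*    0.0.0.0 0.0.0.0 [1/0] via 107.204.168.1, outside
O IA     10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
C        107.0.0.0 255.0.0.0 is directly connected, outside
C        10.0.0.0 255.255.0.0 is directly connected, inside
O IA  192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
"""

ASA_CONFIG = """\
object network obj-100
 subnet 10.0.0.0 255.255.0.0
object network loader
object network ospf-10
 subnet 10.0.2.0 255.255.255.0
object network ospf-20
 subnet 10.0.20.0 255.255.255.0
object network ospf-30
 subnet 10.0.30.0 255.255.255.0
object network ospf-40
 subnet 192.168.122.0 255.255.255.0
access-list inside_access_in extended permit ip object obj-100 any4
access-list inside_access_in extended permit ip object ospf-10 any4
access-list inside_access_in extended permit ip object ospf-20 any4
access-list inside_access_in extended permit ip object ospf-30 any4
access-list inside_access_in extended permit ip object ospf-40 any4
access-group inside_access_in in interface inside
"""

# One "show route" line for an OSPF-learned prefix (O, O IA, O E1/E2, O N1/N2):
# code, network, mask, [admin/metric], "via" next hop, optional age, interface.
# Assumed grammar, matched against the ASA 9.2 output format seen in the thread.
OSPF_ROUTE_RE = re.compile(
    r"^O(?: IA| E1| E2| N1| N2)?\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"\[\d+/\d+\]\s+via\s+(?P<via>[^,]+),(?:\s*[^,]+,)*\s*(?P<iface>\S+)$"
)


def parse_ospf_routes(show_route):
    """Return [(network, interface)] for every OSPF-learned route in the output."""
    routes = []
    for line in show_route.splitlines():
        m = OSPF_ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["iface"]))
    return routes


def parse_network_objects(config):
    """Map each 'object network NAME' to the subnet/host prefixes defined under it."""
    objects = {}
    current = None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["object", "network"] and len(parts) == 3:
            current = parts[2]
            objects.setdefault(current, [])
        elif current and line.startswith(" ") and parts[0] == "subnet":
            objects[current].append(
                ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif current and line.startswith(" ") and parts[0] == "host":
            objects[current].append(ipaddress.ip_network(parts[1]))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the object block
    return objects


def permitted_sources(config, objects, acl_name):
    """Source prefixes permitted by 'permit ip' entries of the named ACL.

    Only the source forms that occur in the posted config are handled:
    'object NAME', 'A.B.C.D MASK' and 'any'/'any4'.
    """
    allowed = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        src = parts[5:]
        if src[0] == "object":
            allowed.extend(objects.get(src[1], []))
        elif src[0] in ("any", "any4"):
            allowed.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            allowed.append(ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False))
    return allowed


def uncovered_ospf_routes(show_route, config, acl_name="inside_access_in", iface="inside"):
    """OSPF-learned prefixes on `iface` that match no permit entry of the ACL.

    Hosts in such a prefix reach the implicit deny at the end of the ACL when
    their traffic enters `iface`, even though the ASA holds a route back to them.
    """
    objects = parse_network_objects(config)
    allowed = permitted_sources(config, objects, acl_name)
    return [
        str(net)
        for net, route_iface in parse_ospf_routes(show_route)
        if route_iface == iface and not any(net.subnet_of(a) for a in allowed)
    ]


if __name__ == "__main__":
    for prefix in uncovered_ospf_routes(ASA_SHOW_ROUTE, ASA_CONFIG):
        print(f"OSPF route {prefix} on inside is not a permitted source in inside_access_in")
```

The check only covers the inbound ACL on the interface the route points at; NAT rules, reverse-path verification and the pfSense side are separate checks, so an empty result does not by itself mean end-to-end reachability.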
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.