For the sake of reachability I advertised those loopbacks in the IGPs of
the respective R1 and R2 routers .... and now I see them on the ASA
and can ping them too, but now another interesting problem is appearing:
R1 can ping 200.200.200.200 with 5 bangs successful but R2 fails to bang
100.100.100.100 and packets drop !!!
ASA has the following table:
BOX/sec# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O 200.200.200.200 255.255.255.255 [110/11] via 1.1.1.1, 0:02:42, outside
C 1.1.1.0 255.255.255.0 is directly connected, outside
C 2.2.2.0 255.255.255.0 is directly connected, inside
R 100.100.100.0 255.255.255.0 [120/1] via 2.2.2.1, 0:00:16, inside
O IA 20.20.20.20 255.255.255.255 [110/11] via 1.1.1.1, 0:02:42, outside
R 11.11.11.11 255.255.255.255 [120/1] via 2.2.2.1, 0:00:16, inside
BOX/sec#
And R1 and R2 routing tables are below :
==============================
R1 :-
==========================
R1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
200.200.200.0/24 is variably subnetted, 2 subnets, 2 masks
R 200.200.200.200/32 [120/1] via 2.2.2.2, 00:00:15, FastEthernet0/1
B 200.200.200.0/24 [20/0] via 20.20.20.20, 00:25:17
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 2.2.2.2, 00:00:15, FastEthernet0/1
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/1
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.100.0 is directly connected, Loopback100
20.0.0.0/32 is subnetted, 1 subnets
R 20.20.20.20 [120/1] via 2.2.2.2, 00:00:15, FastEthernet0/1
11.0.0.0/32 is subnetted, 1 subnets
C 11.11.11.11 is directly connected, Loopback1
R2 :-
==========================
R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 200.200.200.0/24 is directly connected, Loopback200
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
O E2 2.2.2.0 [110/1] via 1.1.1.2, 00:26:33, FastEthernet0/0
100.0.0.0/24 is subnetted, 1 subnets
B 100.100.100.0 [20/0] via 11.11.11.11, 00:25:51
20.0.0.0/32 is subnetted, 1 subnets
C 20.20.20.20 is directly connected, Loopback2
11.0.0.0/32 is subnetted, 1 subnets
O E2 11.11.11.11 [110/1] via 1.1.1.2, 00:26:33, FastEthernet0/0
R2#
On Wed, Dec 29, 2010 at 9:31 PM, kamran shakil <[email protected]>wrote:
> ASA can ping R1 and R2 those loopbacks which are coming thru IGP , and ASA
> cannot ping those loopbacks which are only advertised in BGP ???? How to
> resolve this ? can this be possible in CCIE SEC. Exam ????
>
> On Wed, Dec 29, 2010 at 9:31 PM, kamran shakil
> <[email protected]>wrote:
>
>> ASA can ping R1 and R2 those loopbacks which are coming thru IGP , and ASA
>> cannot ping those loopbacks which are only advertised in BGP ???? How to
>> resolve this ? can this be possible in CCIE SEC. Exam ????
>>
>> On Wed, Dec 29, 2010 at 9:22 PM, kamran shakil
>> <[email protected]>wrote:
>>
>>> so where exactly is the mistake or any suggestion you can make or give
>>> me ????
>>>
>>> I sent the configs before as well! Plz note that there is no error
>>> coming of authentication or tcp packet random seq .....
>>>
>>>
>>> On Wed, Dec 29, 2010 at 9:19 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> ASA has no idea how to route packets destined to 100.100.100.0 and
>>>> 200.200.200.0 networks.
>>>>
>>>>
>>>>
>>>> 2010/12/29 kamran shakil <[email protected]>
>>>>
>>>>> I will show you all routes :
>>>>>
>>>>> ASA output :
>>>>> =============
>>>>>
>>>>>
>>>>> C 1.1.1.0 255.255.255.0 is directly connected, outside
>>>>> C 2.2.2.0 255.255.255.0 is directly connected, inside
>>>>> O IA 20.20.20.20 255.255.255.255 [110/11] via 1.1.1.1, 0:00:01, outside
>>>>> R 11.11.11.11 255.255.255.255 [120/1] via 2.2.2.1, 0:00:13, inside
>>>>> BOX/sec#
>>>>>
>>>>>
>>>>> R1 Output :
>>>>> ===========
>>>>>
>>>>> R1#sh ip ro
>>>>> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
>>>>> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>>>>> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>>>>> E1 - OSPF external type 1, E2 - OSPF external type 2
>>>>> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
>>>>> level-2
>>>>> ia - IS-IS inter area, * - candidate default, U - per-user
>>>>> static route
>>>>> o - ODR, P - periodic downloaded static route
>>>>>
>>>>> Gateway of last resort is not set
>>>>>
>>>>> B 200.200.200.0/24 [20/0] via 20.20.20.20, 00:00:29
>>>>> 1.0.0.0/24 is subnetted, 1 subnets
>>>>> R 1.1.1.0 [120/1] via 2.2.2.2, 00:00:23, FastEthernet0/1
>>>>> 2.0.0.0/24 is subnetted, 1 subnets
>>>>> C 2.2.2.0 is directly connected, FastEthernet0/1
>>>>> 100.0.0.0/24 is subnetted, 1 subnets
>>>>> C 100.100.100.0 is directly connected, Loopback100
>>>>> 20.0.0.0/32 is subnetted, 1 subnets
>>>>> R 20.20.20.20 [120/1] via 2.2.2.2, 00:00:23, FastEthernet0/1
>>>>> 11.0.0.0/32 is subnetted, 1 subnets
>>>>> C 11.11.11.11 is directly connected, Loopback1
>>>>> R1#
>>>>>
>>>>> R1#sh ip bgp
>>>>> BGP table version is 3, local router ID is 100.100.100.100
>>>>> Status codes: s suppressed, d damped, h history, * valid, > best, i -
>>>>> internal,
>>>>> r RIB-failure, S Stale
>>>>> Origin codes: i - IGP, e - EGP, ? - incomplete
>>>>>
>>>>> Network Next Hop Metric LocPrf Weight Path
>>>>> *> 100.100.100.0/24 0.0.0.0 0 32768 i
>>>>> *> 200.200.200.0 20.20.20.20 0 0 1 i
>>>>> R1#
>>>>>
>>>>>
>>>>>
>>>>> R2 Output :
>>>>> ============
>>>>>
>>>>> R2#sh ip ro
>>>>> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
>>>>> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>>>>> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>>>>> E1 - OSPF external type 1, E2 - OSPF external type 2
>>>>> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
>>>>> level-2
>>>>> ia - IS-IS inter area, * - candidate default, U - per-user
>>>>> static route
>>>>> o - ODR, P - periodic downloaded static route
>>>>>
>>>>> Gateway of last resort is not set
>>>>>
>>>>> C 200.200.200.0/24 is directly connected, Loopback200
>>>>> 1.0.0.0/24 is subnetted, 1 subnets
>>>>> C 1.1.1.0 is directly connected, FastEthernet0/0
>>>>> 2.0.0.0/24 is subnetted, 1 subnets
>>>>> O E2 2.2.2.0 [110/1] via 1.1.1.2, 00:02:08, FastEthernet0/0
>>>>> 100.0.0.0/24 is subnetted, 1 subnets
>>>>> B 100.100.100.0 [20/0] via 11.11.11.11, 00:01:25
>>>>> 20.0.0.0/32 is subnetted, 1 subnets
>>>>> C 20.20.20.20 is directly connected, Loopback2
>>>>> 11.0.0.0/32 is subnetted, 1 subnets
>>>>> O E2 11.11.11.11 [110/1] via 1.1.1.2, 00:02:08, FastEthernet0/0
>>>>> R2#
>>>>>
>>>>>
>>>>> R2#sh ip bgp
>>>>> BGP table version is 3, local router ID is 200.200.200.200
>>>>> Status codes: s suppressed, d damped, h history, * valid, > best, i -
>>>>> internal,
>>>>> r RIB-failure, S Stale
>>>>> Origin codes: i - IGP, e - EGP, ? - incomplete
>>>>>
>>>>> Network Next Hop Metric LocPrf Weight Path
>>>>> *> 100.100.100.0/24 11.11.11.11 0 0 2 i
>>>>> *> 200.200.200.0 0.0.0.0 0 32768 i
>>>>> R2#
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Dec 29, 2010 at 7:09 PM, Piotr Matusiak <[email protected]>wrote:
>>>>>
>>>>>> Do you see BGP routes in RIB? Can you send
>>>>>> sho ip bgp
>>>>>> sho ip route
>>>>>>
>>>>>> 2010/12/29 kamran shakil <[email protected]>
>>>>>>
>>>>>>> Dears,
>>>>>>> I am seriously confused here .... I made a very simple setup to test
>>>>>>> BGP between 2 routers, putting 1 ASA in the middle and was doing the
>>>>>>> lab, that finally I noticed something strange ??? my ROUTES are all
>>>>>>> OK, I can learn routes on the remote routers thru ASA, and I did the
>>>>>>> TCP-OPTIONS and also RANDOM SEQ. disable, and since nat-control was
>>>>>>> enabled, I also did the static IDENTITY NAT .... but PING is not
>>>>>>> working............................
>>>>>>> !!! I am pasting the configs..
>>>>>>>
>>>>>>> " EXPERTS....guide me ..plz "
>>>>>>>
>>>>>>>
>>>>>>> * R1 -- > ASA ---- R2
>>>>>>> *
>>>>>>>
>>>>>>>
>>>>>>> R1 :
>>>>>>> ===
>>>>>>> interface Loopback1
>>>>>>> ip address 11.11.11.11 255.255.255.255
>>>>>>> !
>>>>>>> interface Loopback100
>>>>>>> ip address 100.100.100.100 255.255.255.0
>>>>>>> !
>>>>>>> interface FastEthernet0/1
>>>>>>> ip address 2.2.2.1 255.255.255.0
>>>>>>> duplex auto
>>>>>>> speed auto
>>>>>>> !
>>>>>>> router rip
>>>>>>> version 2
>>>>>>> network 2.0.0.0
>>>>>>> network 11.0.0.0
>>>>>>> no auto-summary
>>>>>>> !
>>>>>>> router bgp 2
>>>>>>> no synchronization
>>>>>>> bgp log-neighbor-changes
>>>>>>> network 100.100.100.0 mask 255.255.255.0
>>>>>>> neighbor 20.20.20.20 remote-as 1
>>>>>>> neighbor 20.20.20.20 password x
>>>>>>> neighbor 20.20.20.20 ebgp-multihop 10
>>>>>>> neighbor 20.20.20.20 update-source Loopback1
>>>>>>> no auto-summary
>>>>>>>
>>>>>>>
>>>>>>> ASA :
>>>>>>> ======
>>>>>>> interface Ethernet0/0
>>>>>>> description Connected to R2
>>>>>>> nameif outside
>>>>>>> security-level 0
>>>>>>> ip address 1.1.1.2 255.255.255.0
>>>>>>> !
>>>>>>> interface Ethernet0/1
>>>>>>> description Connected to R1
>>>>>>> nameif inside
>>>>>>> security-level 100
>>>>>>> ip address 2.2.2.2 255.255.255.0
>>>>>>>
>>>>>>>
>>>>>>> access-list outside-in extended permit icmp any any
>>>>>>> access-list outside-in extended permit tcp any any eq bgp
>>>>>>> !
>>>>>>> tcp-map OPTION19
>>>>>>> tcp-options range 19 19 allow
>>>>>>>
>>>>>>> pager lines 24
>>>>>>> logging console debugging
>>>>>>> logging buffered debugging
>>>>>>> mtu outside 1500
>>>>>>> mtu inside 1500
>>>>>>> no failover
>>>>>>> icmp unreachable rate-limit 1 burst-size 1
>>>>>>> icmp permit any outside
>>>>>>> icmp permit any inside
>>>>>>> no asdm history enable
>>>>>>> arp timeout 14400
>>>>>>> nat-control
>>>>>>> global (outside) 1 interface
>>>>>>> nat (inside) 1 0.0.0.0 0.0.0.0
>>>>>>> static (inside,outside) 11.11.11.11 11.11.11.11 netmask
>>>>>>> 255.255.255.255
>>>>>>> access-group outside-in in interface outside
>>>>>>> !
>>>>>>> router ospf 1
>>>>>>> network 1.1.1.0 255.255.255.0 area 0
>>>>>>> log-adj-changes
>>>>>>> redistribute rip metric 1 subnets
>>>>>>> !
>>>>>>> router rip
>>>>>>> network 2.0.0.0
>>>>>>> redistribute ospf 1 metric 1
>>>>>>> version 2
>>>>>>> no auto-summary
>>>>>>> !
>>>>>>> class-map BGP_CMAP
>>>>>>> match port tcp eq bgp
>>>>>>> class-map inspection_default
>>>>>>> match default-inspection-traffic
>>>>>>> !
>>>>>>> !
>>>>>>> policy-map global_policy
>>>>>>> class BGP_CMAP
>>>>>>> set connection random-sequence-number disable
>>>>>>> set connection advanced-options OPTION19
>>>>>>> class inspection_default
>>>>>>> !
>>>>>>> service-policy global_policy global
>>>>>>> prompt hostname priority context
>>>>>>> Cryptochecksum:65755c185976d9164a0b06eee25f2f42
>>>>>>>
>>>>>>>
>>>>>>> R2 :
>>>>>>> ======
>>>>>>>
>>>>>>> interface Loopback2
>>>>>>> ip address 20.20.20.20 255.255.255.255
>>>>>>> !
>>>>>>> interface Loopback200
>>>>>>> ip address 200.200.200.200 255.255.255.0
>>>>>>> !
>>>>>>> interface FastEthernet0/0
>>>>>>> ip address 1.1.1.1 255.255.255.0
>>>>>>> duplex auto
>>>>>>> speed auto
>>>>>>> !
>>>>>>> router ospf 1
>>>>>>> log-adjacency-changes
>>>>>>> network 1.1.1.0 0.0.0.255 area 0
>>>>>>> network 20.20.20.20 0.0.0.0 area 1
>>>>>>> !
>>>>>>> router bgp 1
>>>>>>> no synchronization
>>>>>>> bgp log-neighbor-changes
>>>>>>> network 200.200.200.0
>>>>>>> neighbor 11.11.11.11 remote-as 2
>>>>>>> neighbor 11.11.11.11 password x
>>>>>>> neighbor 11.11.11.11 ebgp-multihop 10
>>>>>>> neighbor 11.11.11.11 update-source Loopback2
>>>>>>> no auto-summary
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------------------------------------------------------------------
>>>>>>> Guide me to understand this PING issue for BGP network !!!!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>> please visit www.ipexpert.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
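Added example, not part of any message in this thread: a Python check of the two ASA "sh route" tables quoted above, using longest-prefix match to show which loopbacks the ASA could route before and after they were advertised into the IGPs. The outside_to_inside function is an assumed model of nat-control built from the posted config (a single identity static, for 11.11.11.11); the function names and that model are assumptions, and its result is something to verify on the ASA, not the thread's conclusion.

```python
import ipaddress

# Constructed from the two ASA "sh route" outputs quoted in this thread:
# BEFORE is the table Piotr commented on, AFTER is the table once the
# loopbacks were advertised into RIP and OSPF.
BEFORE = """\
C 1.1.1.0 255.255.255.0 is directly connected, outside
C 2.2.2.0 255.255.255.0 is directly connected, inside
O IA 20.20.20.20 255.255.255.255 [110/11] via 1.1.1.1, 0:00:01, outside
R 11.11.11.11 255.255.255.255 [120/1] via 2.2.2.1, 0:00:13, inside
"""
AFTER = BEFORE + """\
O 200.200.200.200 255.255.255.255 [110/11] via 1.1.1.1, 0:02:42, outside
R 100.100.100.0 255.255.255.0 [120/1] via 2.2.2.1, 0:00:16, inside
"""
# From the posted ASA config: nat-control is on and the only static is the
# identity translation for 11.11.11.11/32.
STATICS = [ipaddress.ip_network("11.11.11.11/32")]

def parse_routes(text):
    """Parse ASA 'sh route' lines (dotted masks) into (network, interface, code)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        for i in range(len(tok) - 1):
            try:
                net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")
            except ValueError:
                continue  # not an "address mask" pair, try the next tokens
            routes.append((net, tok[-1], " ".join(tok[:i])))
            break
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (network, interface) or None if unroutable."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[:2] if hits else None

def outside_to_inside(routes, dst, statics=STATICS):
    """Assumed nat-control model: a packet arriving on the outside for an
    inside host needs both a route and a static translation covering it."""
    hit = lookup(routes, dst)
    if hit is None:
        return "drop: no route"
    if hit[1] == "inside" and not any(ipaddress.ip_address(dst) in s for s in statics):
        return "drop: no translation"
    return f"forward via {hit[1]}"
```

Under that model, 100.100.100.100 is routable in the later table but still has no static behind it, unlike 11.11.11.11, so the ASA xlate table and syslog for the R2 ping are the next things to look at.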