Hi Raman,
I may have put a lot of redundant words and obscured the gist of my problem.
Again, this is a topology:
BB2---(192.10.1.0)--------SW1 -------------
(EIGRP)--------ASA--------(EIGRP)---------R4
(loopback-150.1.7.7)
I don't have any problem with routes on SW1 (I'm showing only the routes in
question and skipping all others for brevity)
SW1#sh ip route
C 192.10.1.0/24 is directly connected, Vlan72
C 150.1.7.0/24 is directly connected, Loopback0
Routes on ASA include route to 150.1.7.0/24 received from SW1 via EIGRP:
ASA1(config-router)# sh route
C 163.1.127.0 255.255.255.0 is directly connected, IN
C 163.1.124.0 255.255.255.0 is directly connected, OUT
D EX 192.10.1.0 255.255.255.0 [170/258816] via 163.1.127.7, 35:42:44, IN
D 150.1.7.0 255.255.255.0 [90/156160] via 163.1.127.7, 11:03:33, IN
Once ASA received routes from SW1 it advertises them to R4. If we don't do any
route filtering with "distribute-list REDISTR-ACL" command then by default
everything known from SW1 is passed to R4. If we start doing some fancy
filtering saying that only routes/hosts defined in the REDISTR-ACL should be
passed on the specific interface then the ASA should do likewise. And this is
what doesn't happen.
Eugene
From: Raman Kalia <[email protected]>
Reply-To: Raman Kalia <[email protected]>
Date: Tuesday, June 19, 2012 7:27 PM
To: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 84
A loopback interface is a connected interface and its route will show up as connected
only. It cannot appear as a route from a routing protocol. That is the reason
it does not show up. Nothing wrong with your ACL here. It is the way
connected routes work. They will show up as connected only. Can you try
"redistribute connected" under the eigrp process on the ASA? That should get it across
to R4 along with the other route (192.10.1.0) in the distribute-list.
________________________________
From: "[email protected]" <[email protected]>
To: [email protected]
Sent: Tuesday, June 19, 2012 7:56:34 PM
Subject: CCIE_Security Digest, Vol 72, Issue 84
Today's Topics:
1. Re: EIGRP distribute-list on ASA (Eugene Pefti)
2. Re: aggressive mode with hostname IKE ID (Eugene Pefti)
----------------------------------------------------------------------
Message: 1
Date: Tue, 19 Jun 2012 20:36:33 +0000
From: Eugene Pefti <[email protected]>
To: Matt Manire <[email protected]>, ccie security <[email protected]>
Subject: Re: [OSL | CCIE_Security] EIGRP distribute-list on ASA
Message-ID:
<8457433e2350ff4db892161102b3cfed23288...@w2k8srv-exch.koiossystems.com>
Content-Type: text/plain; charset="us-ascii"
I can only sigh, and this is not a sigh of relief, unfortunately.
I tried to change the host route in the SW1 EIGRP statement from 150.1.7.7
0.0.0.0 to be 150.1.7.0 0.0.0.255
And the ASA ACL from
access-list EIGRP-REDIST standard permit host 150.1.7.7
to
access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0
Still no luck, wondering what's the difference between these two ACEs from the
ASA perspective:
access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0
access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0
It receives both routes from the switch but the route to 192.10.1.0/24 is
passed to the neighboring EIGRP peer but not 150.1.7.0
My sigh of frustration was mostly caused by what I ran into this morning while
working with our client.
Their ASA firewalls running 8.2.x code started rebooting after the upgrade
when SSH traffic was passing them. The client is a power generation utility and for
them it is VERY critical.
Cisco just bluntly provided them with the bug ID saying that all ASA software
is affected:
===========================================================
ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC
Symptom:
ASA may reload with a traceback in one of the following thread names:
Thread Name: DATAPATH-x-xxxx (Datapath can have different numbers here)
Thread Name: DHCP Client
Thread Name: SSH
Conditions:
Affects all ASA platforms.
Workaround:
None
ASA 8.4.3.5 traceback async_lock_global_work_queue_service
Symptom: ASA running 8.4.3.9 crashes
Conditions: Still under investigation
Workaround: None
ASA 5505 8.4(3)9 traceback with traceback Thread Name: DHCP Client
Symptom: ASA crashed with traceback in Thread Name: DHCP Client
Conditions: ASA 8.4(3)9
Workaround: None
ASA 8.0.5 Traceback in dispatch unit
Symptom: ASA may reload and produce a crash.
Conditions: First seen on ASA 8.0.5.27
================================================================
From: Matt Manire [mailto:[email protected]]
Sent: Tuesday, June 19, 2012 7:45 AM
To: Eugene Pefti; ccie security
Subject: RE: [OSL | CCIE_Security] EIGRP distribute-list on ASA
Eugene,
It may be a bug in the ASA code. I ran into the same issue in my test lab and
I seem to recall this being a known bug. I am running version 8.0(4)32 on an
old PIX.
Thanks,
Matt Manire
CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
Information Systems Security Manager
[email protected]
t: 817.525.1863
f: 817.525.1903
m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006|
www.FirstRate.com
From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Monday, June 18, 2012 10:13 PM
To: ccie security
Subject: [OSL | CCIE_Security] EIGRP distribute-list on ASA
Guys,
What's wrong with my distribute-list that I'm trying to set up on the ASA to
allow only the routes 192.10.1.0/24 and 150.1.7.7 to be sent to R4?
The topology is as follows:
BB2---(192.10.1.0)--------SW1 -------------
(EIGRP)--------ASA--------(EIGRP)---------R4
(loopback-150.1.7.7)
I create an ACL on the ASA to include the above networks in the
EIGRP updates:
access-list EIGRP-REDIST standard permit host 150.1.7.7
access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0
and instruct it to send an update to R4 on its OUT interface
router eigrp 100
distribute-list EIGRP-REDIST out interface OUT
network 163.1.124.0 255.255.255.0
network 163.1.127.0 255.255.255.0
Then I verify routes on R4 and see that there's a route to the
192.10.1.0/24 network but no route to 150.1.7.7.
Removing the distribute-list restores the route to SW1 loopback on R4.
Eugene
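As an added illustration (not part of the thread, nor Cisco code), the script below evaluates both versions of Eugene's EIGRP-REDIST ACL against the routes the ASA shows, the way a standard-ACL distribute-list does: the route's network address is tested against each ACE in order, the prefix length is ignored, and the implicit deny at the end drops everything unmatched. It assumes ASA standard-ACL syntax (real subnet masks, not IOS wildcard masks); the route list is constructed from the "sh route" output quoted above.

```python
import ipaddress

# Constructed inputs: the two ACL versions posted in the thread and the
# routes the ASA had learned (from the quoted "sh route" output).
ACL_V1 = [
    "access-list EIGRP-REDIST standard permit host 150.1.7.7",
    "access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0",
]
ACL_V2 = [
    "access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0",
    "access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0",
]
ASA_ROUTES = ["192.10.1.0/24", "150.1.7.0/24", "163.1.127.0/24"]


def parse_ace(line):
    """Return (action, network) for one ASA standard ACE.
    ASA standard ACLs take a subnet mask (255.255.255.0), not a wildcard."""
    words = line.split()
    i = words.index("standard") + 1
    action = words[i]
    if words[i + 1] == "host":
        net = ipaddress.ip_network(words[i + 2] + "/32")
    elif words[i + 1] == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:
        net = ipaddress.ip_network(f"{words[i + 1]}/{words[i + 2]}", strict=False)
    return action, net


def route_permitted(acl, route):
    """Distribute-list semantics for a standard ACL: only the route's network
    address is matched, first matching ACE wins, implicit deny at the end."""
    network_addr = ipaddress.ip_network(route).network_address
    for action, net in (parse_ace(ace) for ace in acl):
        if network_addr in net:
            return action == "permit"
    return False


def filtered_routes(acl, routes):
    """Routes that would be advertised out the interface the list is applied to."""
    return [r for r in routes if route_permitted(acl, r)]


if __name__ == "__main__":
    for name, acl in (("V1 (host 150.1.7.7)", ACL_V1), ("V2 (150.1.7.0/24)", ACL_V2)):
        print(name, "passes:", filtered_routes(acl, ASA_ROUTES))
```

Note that the first ACL's `host 150.1.7.7` entry covers only the address 150.1.7.7, while the route the ASA actually holds is 150.1.7.0/24, whose network address 150.1.7.0 does not fall in that /32; the second version covers both routes.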
------------------------------
Message: 2
Date: Tue, 19 Jun 2012 22:56:03 +0000
From: Eugene Pefti <[email protected]>
To: Bruno Silva <[email protected]>, ccie security <[email protected]>
Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE
ID
Message-ID:
<8457433e2350ff4db892161102b3cfed23288...@w2k8srv-exch.koiossystems.com>
Content-Type: text/plain; charset="iso-8859-1"
Come on, Bruno, you didn't fail. We are all discussing here the numerous Cisco
pitfalls they threw at us. Sometimes the discussion becomes a verification of
our knowledge and a validation of Cisco documentation.
Keep on ;)
From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Monday, June 18, 2012 10:27 PM
To: ccie security
Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
Hi Eugene,
Sorry if I seemed a little rough on my answer, it was not the intention. This
is a good question after all.
I'm just trying to be more active on the forum so I can learn better. I just
took my first attempt and I failed, so it's always good to see all the
discussions here because it helps everyone on the path. After all, we are in the
same boat. =)
BR,
Bruno Silva.
On 19/06/2012, at 01:42, Eugene Pefti wrote:
Well, this was not my question, Bruno ;)
It was Imre who started this thread and I tried to understand what was going on.
Imre, what do you have in your crypto map for the peer? I'm almost positive
it's an IP address and as he stated there's neither DNS server nor IP host
mapping configured
Eugene
From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Monday, June 18, 2012 7:15 PM
To: ccie security
Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
Hi Eugene,
Sorry, again, as other times I have put myself ahead of everything. When you
configure your crypto map to apply in your interface you have to put the "set
peer" command with the ip address, unless you have a DNS server configured for
it to resolve the hostname.
So again, there are 2 different sections here: first you configure the "crypto
isakmp key [key] host [hostname]", the other section is you configuring your
crypto map:
crypto map l2l 10 ipsec-isakmp
set transform [transform-set]
match address [acl]
set peer [peer ip address] --->>> here you can only put a hostname
if you have a dns configured, this is how the initiator and responder matches
the ip address with the hostname.
Again, unless I am wrong this is how you configured your VPN, if you did put a
hostname instead of the ip address then you have a dns server configured on
your router.
Hopefully this solves your question.
BR,
Bruno Silva.
On 18/06/2012, at 22:04, Eugene Pefti wrote:
Hi Bruno,
Haven't we seen the debugs where the initiator sends its hostname as an ID not
the IP address? The main question is how the responder knows the IP address of
the initiator.
Eugene
From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Sunday, June 17, 2012 11:38 PM
To: ccie security
Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
Hi,
When you have aggressive mode you exchange messages with the IDs in cleartext while
performing DH; I believe that's the main reason why you don't have to have a
DNS server configured in order to make it work.
If it was main mode it would not work, because when the isakmp responder
receives a main mode proposal from the initiator it would require knowing the PSK
in advance, but in this case the responder does not know the ID of the initiator
yet, so it has to select the IP address of the initiator as the ID. In this case,
even if you have configured the hostname as the ID, it would use the IP address
for the tunnel names. That is not the case with aggressive mode, because the
responder knows the ID whether it's the hostname or the IP address.
Br,
Bruno silva
Sent via iPhone
On 15/06/2012, at 14:54, Imre Oszkar <[email protected]> wrote:
I don't have anything else on the routers, just interface config and routing; it's a
clean setup just to play with the aggressive mode.
Even if I had a wildcard preshared key, hostname is used as the IKE identity
so should not match on an address based wildcard.
At least this is what I would expect.
On Fri, Jun 15, 2012 at 1:06 AM, Eugene Pefti <[email protected]> wrote:
Doesn't make sense to me either.
It's like you mentioned DNS or "ip host" entry that resolves hostname to IP.
Any leftover "crypto isakmp peer hostname" by any chance? Or a wildcard
0.0.0.0 pre-shared key?
What happens if you remove the part for aggressive mode? Does R1 authenticate
R7?
I remember there was a trick in one of the labs and even an error in the
solution guide but in your case it is kind of academic.
From: Imre Oszkar <[email protected]>
Date: Thursday, June 14, 2012 2:57 PM
To: ccie security <[email protected]>
Subject: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
crypto isakmp peer address
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
End of CCIE_Security Digest, Vol 72, Issue 84
*********************************************