Hi Eugene, I have been thinking about your question and why the exercise is not correct and here are my thoughts on that:
1 - As you stated before here is your routing table:

> C    163.1.127.0 255.255.255.0 is directly connected, IN
> C    163.1.124.0 255.255.255.0 is directly connected, OUT
> D EX 192.10.1.0 255.255.255.0 [170/258816] via 163.1.127.7, 35:42:44, IN
> D    150.1.7.0 255.255.255.0 [90/156160] via 163.1.127.7, 11:03:33, IN

Let's remember a basic concept of the ASA: the main function of the ASA is to act as a firewall, so the first function is filtering, the second function routing. Based on that Cisco made the ASA quite different for route filtering than routers.

2 - Knowing about the point above we can note that the network received by your ASA on the EIGRP is 150.1.7.0/24, so the prefix of your network is a /24, which cannot be changed by a distribute list, so if you make a distribute list as the following:

access-list EIGRP_DIST stand permit host 150.1.7.7

You will be changing the prefix received by your ASA; in this case, you are redistributing a route that's not on the routing table, a /32 route. By doing that you would be changing the prefix previously received by the ASA. I'm not a routing specialist so IDK if it's possible to change the prefix received on a router in order to redistribute it besides summarizing (don't know if that's correctly written).

That being said, on this exercise we tried to change the prefix, which on the ASA is not possible at all, at least not that I know. After changing it you have to clear the EIGRP process or reload the router (in my case that's what made it work because of gns3).

Hopefully that helps you. =)

BR,
Bruno Silva

On 20/06/2012, at 04:23, Eugene Pefti wrote:

> Hi Raman,
> I may have put a lot of redundant words and obscured the gist of my problem.
> Again, this is a topology:
>
> BB2---(192.10.1.0)--------SW1 -------------
> (EIGRP)--------ASA--------(EIGRP)---------R4
> (loopback-150.1.7.7)
>
> I don't have any problem with routes on SW1 (I'm showing only the routes in question and skipping all others for brevity)
>
> SW1#sh ip route
> C 192.10.1.0/24 is directly connected, Vlan72
> C 150.1.7.0/24 is directly connected, Loopback0
>
> Routes on ASA include route to 150.1.7.0/24 received from SW1 via EIGRP:
>
> ASA1(config-router)# sh route
>
> C    163.1.127.0 255.255.255.0 is directly connected, IN
> C    163.1.124.0 255.255.255.0 is directly connected, OUT
> D EX 192.10.1.0 255.255.255.0 [170/258816] via 163.1.127.7, 35:42:44, IN
> D    150.1.7.0 255.255.255.0 [90/156160] via 163.1.127.7, 11:03:33, IN
>
> Once ASA received routes from SW1 it advertises them to R4. If we don't do any route filtering with "distribute-list REDISTR-ACL" command then by default everything known from SW1 is passed to R4. If we start doing some fancy filtering saying that only routes/hosts defined in the REDISTR-ACL should be passed on the specific interface then the ASA should do likewise. And this is what doesn't happen.
>
> Eugene
>
> From: Raman Kalia <[email protected]>
> Reply-To: Raman Kalia <[email protected]>
> Date: Tuesday, June 19, 2012 7:27 PM
> To: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 84
>
> Loopback interface is a connected interface and route will show up as connected only. It cannot appear as a route from a routing protocol. That is the reason it does not show up. Nothing wrong with your ACL here. It is the way the connected routes work. They will show up as connected only.
> Can you try "redistribute connected" under eigrp process on ASA? That should get it across to R4 along with the other route (192.10.1.0) in distribute-list.
>
> From: "[email protected]" <[email protected]>
> To: [email protected]
> Sent: Tuesday, June 19, 2012 7:56:34 PM
> Subject: CCIE_Security Digest, Vol 72, Issue 84
>
> Send CCIE_Security mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://onlinestudylist.com/mailman/listinfo/ccie_security
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific than "Re: Contents of CCIE_Security digest..."
>
> Today's Topics:
>
> 1. Re: EIGRP distribute-list on ASA (Eugene Pefti)
> 2. Re: aggressive mode with hostname IKE ID (Eugene Pefti)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 19 Jun 2012 20:36:33 +0000
> From: Eugene Pefti <[email protected]>
> To: Matt Manire <[email protected]>, ccie security <[email protected]>
> Subject: Re: [OSL | CCIE_Security] EIGRP distribute-list on ASA
> Message-ID: <8457433e2350ff4db892161102b3cfed23288...@w2k8srv-exch.koiossystems.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I can only make a sigh and this is not a sigh of relief unfortunately.
> I tried to change the host route in the SW1 EIGRP statement from 150.1.7.7 0.0.0.0 to be 150.1.7.0 0.0.0.255
> And the ASA ACL from
>
> access-list EIGRP-REDIST standard permit host 150.1.7.7
>
> to
>
> access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0
>
> Still no luck, wondering what's the difference between these two ACEs from the ASA perspective:
>
> access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0
> access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0
>
> It receives both routes from the switch but the route to 192.10.1.0/24 is passed to the neighboring EIGRP peer but not 150.1.7.0
>
> My sigh of frustration was mostly caused by what I ran into this morning while working with our client.
> Their ASA firewalls running 8.2.x code started rebooting after the upgrade when SSH traffic was passing it. The client is a power generation utility and for them it is VERY critical.
> Cisco just bluntly provided them with the bug ID saying that all ASA software is affected:
>
> ===========================================================
> ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC
> Symptom:
> ASA may reload with a traceback in one of the following thread names:
>
> Thread Name: DATAPATH-x-xxxx (Datapath can have different numbers here)
> Thread Name: DHCP Client
> Thread Name: SSH
>
> Conditions:
> Affects all ASA platforms.
>
> Workaround:
> None
>
> ASA 8.4.3.5 traceback async_lock_global_work_queue_service
> Symptom: ASA running 8.4.3.9 crashes
> Conditions: Still under investigation
> Workaround: None
>
> ASA 5505 8.4(3)9 traceback with traceback Thread Name: DHCP Client
> Symptom: ASA crashed with traceback in Thread Name: DHCP Client
> Conditions: ASA 8.4(3)9
> Workaround: None
>
> ASA 8.0.5 Traceback in dispatch unit
> Symptom: ASA may reload and produce a crash.
> Conditions: First seen on ASA 8.0.5.27
> ================================================================
>
> From: Matt Manire [mailto:[email protected]]
> Sent: Tuesday, June 19, 2012 7:45 AM
> To: Eugene Pefti; ccie security
> Subject: RE: [OSL | CCIE_Security] EIGRP distribute-list on ASA
>
> Eugene,
>
> It may be a bug in the ASA code. I ran into the same issue in my test lab and I seem to recall this being a known bug. I am running version 8.0(4)32 on an old PIX.
>
> Thanks,
>
> Matt Manire
> CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
> Information Systems Security Manager
> [email protected]
> t: 817.525.1863
> f: 817.525.1903
> m: 817.271.9165
> First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
> Sent: Monday, June 18, 2012 10:13 PM
> To: ccie security
> Subject: [OSL | CCIE_Security] EIGRP distribute-list on ASA
>
> Guys,
> What's wrong with my distribute-list that I'm trying to setup on the ASA to allow only routes 192.10.1.0/24 and 150.1.7.7 to send to R4 ?
>
> The topology is as follows:
>
> BB2---(192.10.1.0)--------SW1 -------------
> (EIGRP)--------ASA--------(EIGRP)---------R4
> (loopback-150.1.7.7)
>
> I create an ACL on the ASA to include the above said networks to be included in EIGRP updates:
>
> access-list EIGRP-REDIST standard permit host 150.1.7.7
> access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0
>
> and instruct it to send an update to R4 on its OUT interface
>
> router eigrp 100
>  distribute-list EIGRP-REDIST out interface OUT
>  network 163.1.124.0 255.255.255.0
>  network 163.1.127.0 255.255.255.0
>
> Then I verify routes on R4 and see that there's route to 192.10.1.0/24 network but no route to 150.1.7.7
> Removing the distribute-list restores the route to SW1 loopback on R4.
>
> Eugene
>
> ------------------------------
>
> Message: 2
> Date: Tue, 19 Jun 2012 22:56:03 +0000
> From: Eugene Pefti <[email protected]>
> To: Bruno Silva <[email protected]>, ccie security <[email protected]>
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
> Message-ID: <8457433e2350ff4db892161102b3cfed23288...@w2k8srv-exch.koiossystems.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Come on, Bruno, you didn't fail. We are all discussing here numerous Cisco pitfalls they threw on us. Sometimes the discussion becomes a verification of our knowledge and validation of Cisco documentation.
> Keep on ;)
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
> Sent: Monday, June 18, 2012 10:27 PM
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> Hi Eugene,
>
> Sorry if I seemed a little rough in my answer, it was not the intention. This is a good question after all.
>
> I'm just trying to be more active on the forum so I can learn better, I just took my first attempt and I failed so it's always good to see all the discussions here because it helps everyone on the path. After all we are in the same boat. =)
>
> BR,
> Bruno Silva.
>
> On 19/06/2012, at 01:42, Eugene Pefti wrote:
>
> Well, this was not my question, Bruno ;)
> It was Imre who started this thread and I tried to understand what was going on.
> Imre, what do you have in your crypto map for the peer? I'm almost positive it's an IP address and as he stated there's neither DNS server nor IP host mapping configured
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
> Sent: Monday, June 18, 2012 7:15 PM
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> Hi Eugene,
>
> Sorry, again, as other times I have put myself ahead of everything. When you configure your crypto map to apply in your interface you have to put the "set peer" command with the ip address, unless you have a DNS server configured for it to resolve the hostname.
>
> So again, there are 2 different sections here: first you configure the "crypto isakmp key [key] hostname [hostname]", the other section is you configuring your crypto map:
>
> crypto map l2l 10 ipsec-isakmp
>  set transform-set [transform-set]
>  match address [acl]
>  set peer [peer ip address]   --->>> here you can only put a hostname if you have a dns configured, this is how the initiator and responder match the ip address with the hostname.
>
> Again, unless I am wrong this is how you configured your VPN, if you did put a hostname instead of the ip address then you have a dns server configured on your router.
>
> Hopefully this solves your question.
>
> BR,
> Bruno Silva.
>
> On 18/06/2012, at 22:04, Eugene Pefti wrote:
>
> Hi Bruno,
> Haven't we seen the debugs where the initiator sends its hostname as an ID, not the IP address? The main question is how the responder knows the IP address of the initiator.
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
> Sent: Sunday, June 17, 2012 11:38 PM
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> Hi,
>
> When you have aggressive mode you exchange messages with the IDs in cleartext while performing DH, I believe that's the main reason why you don't have to have a DNS server configured in order to make it work.
>
> If it was main mode it would not work because when the ISAKMP responder receives a main mode proposal from the initiator it would require knowing the PSK in advance, but in this case the responder does not know the ID of the initiator yet, so it has to select the IP address of the initiator as the ID; in this case even if you have configured the hostname as the ID it would use the IP address for the tunnel names. That is not the case with aggressive mode because the responder knows the ID whether it's the hostname or the IP address.
>
> Br,
> Bruno Silva
>
> Sent via iPhone
>
> On 15/06/2012, at 14:54, Imre Oszkar <[email protected]> wrote:
>
> I don't have anything else on the routers.. interface config and routing, it's a clean setup just to play with the aggressive mode.
> Even if I had a wildcard preshared key, hostname is used as the IKE identity so it should not match on an address based wildcard.
> At least this is what I would expect.
>
> On Fri, Jun 15, 2012 at 1:06 AM, Eugene Pefti <[email protected]> wrote:
>
> Doesn't make sense to me either.
> It's like you mentioned DNS or "ip host" entry that resolves hostname to IP.
> Any leftovers "crypto isakmp peer hostname" by any chance? Or a wild card 0.0.0.0 pre-shared key?
> What happens if you remove the part for aggressive mode? Does R1 authenticate R7?
> I remember there was a trick in one of the labs and even an error in the solution guide but in your case it is kind of academic.
>
> From: Imre Oszkar <[email protected]>
> Date: Thursday, June 14, 2012 2:57 PM
> To: ccie security <[email protected]>
> Subject: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> crypto isakmp peer address
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>
> End of CCIE_Security Digest, Vol 72, Issue 84
> *********************************************
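The whole distribute-list discussion in this thread turns on one rule: a standard ACL used in a distribute-list is matched against the route's network address (the prefix as it sits in the routing table), so a "permit host 150.1.7.7" entry can only ever match a 150.1.7.7/32 route and never the 150.1.7.0/24 that the ASA actually learned from SW1, while "permit 150.1.7.0 255.255.255.0" does match it. The Python below is an added example written for this page, not code from the thread, from Cisco, or from any list member; the ACL parser, the route_permitted/filter_routes function names and the sample routes are constructed for illustration. It models only the documented matching rule (first match wins, implicit deny at the end); it does not reproduce the ASA behaviour Eugene still saw with the /24 entry, which Matt attributes to a possible software bug.

```python
"""Model of how a distribute-list with a standard ACL filters EIGRP routes.

Added example (not from the thread). It models the rule that each standard
ACL entry is tested against the route's network address, not against any
individual host that lives inside the prefix.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # address + mask taken from the ACE


def parse_asa_standard_acl(lines):
    """Parse ASA standard ACL lines (hypothetical minimal parser):
       access-list NAME standard permit|deny host A.B.C.D
       access-list NAME standard permit|deny A.B.C.D M.M.M.M   (subnet mask, ASA style)
       access-list NAME standard permit|deny any
    The 'stand' abbreviation seen in the thread is accepted, as the CLI would."""
    aces = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or not "standard".startswith(parts[2]):
            raise ValueError(f"not an ASA standard ACL line: {line!r}")
        action = parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        if parts[4] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif len(parts) < 6:
            raise ValueError(f"missing address or mask in {line!r}")
        elif parts[4] == "host":
            net = ipaddress.IPv4Network(parts[5] + "/32")
        else:
            # ipaddress accepts a dotted subnet mask after the slash
            net = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False)
        aces.append(Ace(action, net))
    return aces


def route_permitted(route, acl):
    """Distribute-list rule: the route's network address is tested against
    each ACE in order; the first match decides; unmatched routes are denied."""
    prefix_addr = route.network_address
    for ace in acl:
        if prefix_addr in ace.network:
            return ace.action == "permit"
    return False


def filter_routes(routes, acl_lines):
    """Return, as strings, the routes the distribute-list lets through.
    `routes` are prefixes in 'A.B.C.D/len' form, as `show route` holds them."""
    acl = parse_asa_standard_acl(acl_lines)
    nets = [ipaddress.IPv4Network(r) for r in routes]
    return [str(n) for n in nets if route_permitted(n, acl)]


# Constructed sample: the two routes the ASA learned from SW1 in the thread.
LEARNED_FROM_SW1 = ["192.10.1.0/24", "150.1.7.0/24"]

# Eugene's first ACL: a host entry for the loopback address.
ACL_HOST_ENTRY = [
    "access-list EIGRP-REDIST standard permit host 150.1.7.7",
    "access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0",
]

# Eugene's second ACL: the /24 that is actually in the routing table.
ACL_NETWORK_ENTRY = [
    "access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0",
    "access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0",
]

if __name__ == "__main__":
    print("host entry    ->", filter_routes(LEARNED_FROM_SW1, ACL_HOST_ENTRY))
    print("network entry ->", filter_routes(LEARNED_FROM_SW1, ACL_NETWORK_ENTRY))
```

Run as-is, the host-entry ACL passes only 192.10.1.0/24, which is exactly what Eugene observed on R4 with his first ACL; the network-entry ACL passes both prefixes, which is what the rule predicts for his second ACL. If the device still drops the /24 with that entry in place, the filter logic is not the explanation and the platform itself is the suspect, which is why Matt's "known bug" remark is the more useful lead.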
