As of version 9
asaken# sh version | i Soft
Cisco Adaptive Security Appliance Software Version 9.0(1)
asaken#
I'm going to strike out some comments I made earlier, since I had to go to the ASDM to figure out that these features were present and slightly different from a Cisco ISR, for example. What I notice is that the ASDM provides simple OSPFv3 configuration items per interface or globally.
I've taken some screenshots of this process;
Okay, so how do we enable OSPF? Well, it's quite easy and similar to the Cisco IOS routers.
First, we enable the OSPFv3 process globally (the interface config below references process 10, so the process line is shown here as well);
ipv6 router ospf 10
 router-id 192.168.110.254
 default-information originate always metric 1000
 passive-interface default
 no passive-interface inside
 log-adjacency-changes
Note: we need an operational L3 IPv4 interface and need to set a router-id.
Next, and just like with a Cisco IOS router, you need to craft the OSPF instance on the interface;
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
 ipv6 address 2002:100::1/64
 ipv6 nd reachable-time 3000
 ipv6 nd ns-interval 1200
 ipv6 nd dad attempts 2
 ospf cost 100
 ipv6 ospf 10 area 0
Okay, so that was simple? Notice how I played with the router default-origination and injected this default IPv6 route regardless of whether I had a default route to begin with?
Also, the same types of IPv4 show commands apply for IPv6:
show ipv6 ospf interface
show ipv6 ospf neighbor
show ipv6 ospf database
So I hope this post is useful for basic IPv6 OSPF routing on a Cisco ASA running 9.x code.
Ken Felix
Freelance Network/Security Engineer
kfelix " a@t" hyperfeed dot com
I want to make a correction. I re-reviewed the release notes and found OSPFv3 is supported in the ASA.
Here's an example of what I crafted:
ipv6 ospf encryption ipsec spi 256 esp null md5 aabbccddeeffaabbccddeeffaabbccdd
And just like with the Cisco ISR, you can execute the show crypto ipsec sa command for details;
asaken# show crypto ipsec sa
interface: inside
Crypto map tag: OSPFv3-10-256, seq num: 0, local addr: ::
local ident (addr/mask/prot/port): (::/0/89/0)
remote ident (addr/mask/prot/port): (::/0/89/0)
current_peer: ::
#pkts encaps: 119, #pkts encrypt: 0, #pkts digest: 119
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 119, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: ::/0, remote crypto endpt.: ::/0
path mtu 1500, ipsec overhead 66(48), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 00000100
current inbound spi : 00000100
inbound esp sas:
spi: 0x00000100 (256)
transform: esp-null esp-md5-hmac no compression
in use settings ={L2L, Transport, Manual key (OSPFv3), }
slot: 0, conn_id: 268025856, crypto-map: OSPFv3-10-256
sa timing: remaining key lifetime (sec): 0
IV size: 0 bytes
replay detection support: N
outbound esp sas:
spi: 0x00000100 (256)
transform: esp-null esp-md5-hmac no compression
in use settings ={L2L, Transport, Manual key (OSPFv3), }
slot: 0, conn_id: 268025856, crypto-map: OSPFv3-10-256
sa timing: remaining key lifetime (sec): 0
IV size: 0 bytes
replay detection support: N
This concludes my OSPFv3 support within an ASA firewall. Key things to remember;
IPv4 and IPv6 are still 2 unique processes; OSPFv3 is only used for IPv6
OSPFv3 is enabled per interface
you need at least one IPv4-addressed interface
OSPFv3 supports both AH or ESP within the interface configuration.
I'm going to see how and if ESP is an option within our Cisco ISRs for the OSPFv3-enabled interfaces. I've never seen or recalled this, but I have been wrong numerous times in the past :)
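As an added example (not from the post or its comments), here is a small Python audit of the show crypto ipsec sa output above: it pulls out the counters, SPIs, transforms and replay flags and reports what a reviewer would want to confirm for an OSPFv3 SA. The sample text is an abridged, constructed copy of the output shown above, and the finding wording is my own.

```python
import re

# Constructed sample: an abridged copy of the ASA "show crypto ipsec sa" output
# from the comment above, keeping only the fields the audit looks at.
SAMPLE_OUTPUT = """\
interface: inside
    Crypto map tag: OSPFv3-10-256, seq num: 0, local addr: ::
      local ident (addr/mask/prot/port): (::/0/89/0)
      #pkts encaps: 119, #pkts encrypt: 0, #pkts digest: 119
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 00000100
      current inbound spi : 00000100
    inbound esp sas:
      spi: 0x00000100 (256)
         transform: esp-null esp-md5-hmac no compression
         replay detection support: N
    outbound esp sas:
      spi: 0x00000100 (256)
         transform: esp-null esp-md5-hmac no compression
         replay detection support: N
"""

def parse_ipsec_sa(text):
    """Pull packet counters, current SPIs, transforms and replay flags out of the output."""
    sa = {"counters": {}, "spi": {}, "transforms": [], "replay": []}
    for key, val in re.findall(r"#pkts (\w+): (\d+)", text):
        sa["counters"][key] = int(val)
    for direction, spi in re.findall(r"current (inbound|outbound) spi\s*: ([0-9a-fA-F]+)", text):
        sa["spi"][direction] = int(spi, 16)        # printed in hex on the ASA
    sa["transforms"] = re.findall(r"transform: (.+)", text)
    sa["replay"] = re.findall(r"replay detection support: (\w)", text)
    return sa

def audit_ospfv3_sa(sa):
    """Return the findings a reviewer would raise on this SA state."""
    findings = []
    c = sa["counters"]
    if any("esp-null" in t for t in sa["transforms"]):
        findings.append("ESP-NULL: OSPFv3 packets are authenticated but not encrypted")
    if any("md5" in t for t in sa["transforms"]):
        findings.append("HMAC-MD5 integrity; prefer a SHA-based HMAC where the platform offers it")
    if c.get("digest", 0) > 0 and c.get("verify", 0) == 0:
        findings.append("authenticated packets sent but none verified: neighbor not yet authenticating (check its SPI/key)")
    if any(r != "Y" for r in sa["replay"]):
        findings.append("replay detection off (expected with manual keying)")
    if sa["spi"].get("inbound") != sa["spi"].get("outbound"):
        findings.append("inbound and outbound SPI differ")
    return findings
```

Run it against a pasted show crypto ipsec sa capture; on the sample above it reports four findings and confirms both SPIs are 256.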