
CCIE Security V4 Technology Labs - Section 5: Perimeter Security and Services - ASA Firewalls


Advanced Routing
Last updated: May 10, 2013

Task
Redistribute RIP and EIGRP routes into OSPF.
Implement a reliable default route toward R2 in the firewall. Track R2's Loopback0 reachability for that.
Use R3 as the backup default gateway.
Originate the default route into RIPv2 and EIGRP.

Overview
The CCIE Security Lab exam will probably not require you to perform advanced routing protocol
tuning. However, every candidate should know some basic routing features. This task requires you
to redistribute between the routing protocols, that is, to inject the routing information learned from
one protocol into another. This provides full reachability between the routing domains connected by
the firewall.

The main command you need to know is the one entered within the routing protocol context:
redistribute <source-protocol> metric <seed-metric>. For example:

router rip
redistribute ospf 1 metric 1
redistribute static

Pay attention to the seed metric. This metric is needed almost all the time, unless you are
redistributing "connected" or "static" routes. It specifies the initial metric assigned to the
redistributed routes, expressed in the units understood by the "target" routing protocol. Also, note
that redistribute connected is another way of advertising the locally connected interfaces into a
routing protocol.

Instead of redistributing routing information into a protocol, you may simply originate a default route
into the protocol. To do that with RIPv2 or OSPF, use the command
default-information originate. This command always advertises a default route into
RIPv2; for OSPF, however, it advertises the default route only if that route exists in the local routing
table. If you want the route to be advertised into OSPF unconditionally, use the command
default-information originate always. As for EIGRP, there is no special command to
originate a default route. However, you may use the command redistribute static to
advertise the local static default route into EIGRP as well.

Another important routing feature is static reliable routing. It allows you to create a special "tracker"
that pings a destination and reports the reachability state. The tracker can be associated with a
static route, making the route active only while the tracker is "up." This is very helpful with static
routes, because you can track the actual reachability of the next hop. For example, you may configure
a primary static route via one router and track that next hop's reachability. If the tracker fails, the
primary route is withdrawn, the secondary static route takes its place, and traffic flows via the backup
path.

You configure a tracker in two steps:

1. Create a new SLA monitor operation (SLA = Service Level Agreement) that constantly
pings a destination and reports the reachability. You may tune the following two
parameters: timeout (how long to wait for each probe reply, in ms) and frequency (how often to
send the probes). The more frequently you ping, the faster you will detect the loss of
connectivity. However, this may cause frequent flaps in an unstable network.

2. Create a tracking object using the track command and attach it to a static route. The
tracking object will reference the SLA operation number, and the static route will reference
the tracking object number.

The backup static route should point to the same destination but have a numerically higher distance,
signaling its lower preference. For example: route outside 0 0 <next-hop> <distance>.

The default distance is 1, which is what the primary static route uses.
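To make the selection rule concrete, here is a small Python model of the mechanism just described (tracked primary, floating backup with a higher distance). It is example code added for this page, not ASA software or the workbook's own material; the next hops and distances are the lab's, and the rule that a tracking object follows its most recent probe result is a simplifying assumption of the model. It also includes the configuration check a reviewer would run: the backup's distance must be strictly higher than the tracked primary's, or it is an equal-cost peer rather than a backup.

```python
"""Model of the ASA reliable static routing explained above: a primary
default route bound to a tracking object plus a floating backup with a
numerically higher administrative distance. Example code added for
illustration, not ASA software; next hops and distances are the lab's,
and the tracker-state rule is a simplifying assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """One 'route <if> 0 0 <next-hop> [<distance>] [track <n>]' entry."""
    interface: str
    next_hop: str
    distance: int = 1              # ASA default administrative distance
    track: Optional[int] = None    # tracking object id; None = unconditional


def tracker_state(probe_results: List[bool]) -> str:
    """Reachability of a tracking object from its SLA echo probe history.

    Assumption for this model: the object follows the latest probe, so one
    timed-out probe reports Down and one answered probe reports Up. With no
    result yet the object is treated as Down.
    """
    if not probe_results:
        return "Down"
    return "Up" if probe_results[-1] else "Down"


def validate_floating_static(routes: List[StaticRoute]) -> List[str]:
    """Configuration checks a reviewer would run on the default routes.

    The backup must carry a strictly higher distance than every tracked
    primary; otherwise it is not a backup but an equal-cost peer that stays
    installed while the primary is healthy.
    """
    warnings = []
    tracked = [r for r in routes if r.track is not None]
    untracked = [r for r in routes if r.track is None]
    if not tracked:
        warnings.append("no default route is bound to a tracking object")
    for backup in untracked:
        for primary in tracked:
            if backup.distance <= primary.distance:
                warnings.append(
                    f"backup via {backup.next_hop} (distance {backup.distance}) "
                    f"does not yield to tracked primary via {primary.next_hop} "
                    f"(distance {primary.distance})")
    return warnings


def select_default_route(routes: List[StaticRoute],
                         track_states: Dict[int, str]) -> Optional[StaticRoute]:
    """Default route the ASA installs for the given tracker states.

    A route whose tracking object is Down is withdrawn from the table; of the
    remaining candidates the lowest administrative distance is installed. If
    nothing remains there is no gateway of last resort and None is returned.
    """
    candidates = [r for r in routes
                  if r.track is None or track_states.get(r.track) == "Up"]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r.distance)


def gateway_of_last_resort(routes: List[StaticRoute],
                           track_states: Dict[int, str]) -> str:
    """Summarise the outcome the way 'show route' does."""
    best = select_default_route(routes, track_states)
    if best is None:
        return "Gateway of last resort is not set"
    return f"Gateway of last resort is {best.next_hop} to network 0.0.0.0"


# The task's two default routes: tracked primary via R2, floating backup via R3.
LAB_ROUTES = [
    StaticRoute("outside", "136.1.0.2", distance=1, track=1),
    StaticRoute("outside", "136.1.0.3", distance=100),
]

if __name__ == "__main__":
    for probes in ([True, True], [True, False]):
        states = {1: tracker_state(probes)}
        print(states, "->", gateway_of_last_resort(LAB_ROUTES, states))
```

Running the block prints the R2 gateway while the probe history ends in a success and the R3 gateway once it ends in a timeout; with only the tracked route configured and the tracker Down, the model reports that no gateway of last resort is set, which is the failure mode the backup route exists to prevent.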

Configuration
ASA1:
sla monitor 1
 type echo protocol ipIcmpEcho 150.1.2.2 interface outside
 timeout 1000
 frequency 1
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
route outside 0 0 136.1.0.2 track 1
route outside 0 0 136.1.0.3 100
!
router ospf 1
 redistribute rip subnets
 redistribute eigrp 1 subnets
!
router rip
 default-information originate
!
router eigrp 1
 redistribute static

Verification
First, make sure that R2 learns the redistributed routes via OSPF. Notice that external OSPF routes
are marked as "O E2" or "O E1".
Rack1R2#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
O E2 10.0.0.0 [110/20] via 136.1.0.12, 00:01:22, GigabitEthernet0/0
136.1.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2 136.1.121.0/24 [110/20] via 136.1.0.12, 00:01:22, GigabitEthernet0/0
O IA 136.1.124.0/24 [110/11] via 136.1.0.12, 2d17h, GigabitEthernet0/0
150.1.0.0/16 is variably subnetted, 5 subnets, 2 masks
O E2 150.1.1.0/24 [110/20] via 136.1.0.12, 00:01:22, GigabitEthernet0/0
Feb 25 18:09:09.146: %SYS-5-CONFIG_I: Configured from console by console
O 150.1.3.3/32 [110/2] via 136.1.0.3, 2d18h, GigabitEthernet0/0
O IA 150.1.4.4/32 [110/12] via 136.1.0.12, 2d17h, GigabitEthernet0/0
Rack1R2#

Test the reliable static default route. Check the tracking object state, and then check the next hop
of the default route in the ASA routing table. If the object is up, the next hop is R2.
Rack1ASA1# show track
Track 1
Response Time Reporter 1 reachability
Reachability is Up
1 change, last change 00:02:11
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
Rack1ASA1#

Rack1ASA1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 136.1.0.2 to network 0.0.0.0

C 136.1.0.0 255.255.255.0 is directly connected, outside
C 136.1.121.0 255.255.255.0 is directly connected, inside
C 136.1.124.0 255.255.255.0 is directly connected, dmz2
C 10.0.0.0 255.255.255.0 is directly connected, dmz1
R 150.1.1.0 255.255.255.0 [120/1] via 136.1.121.1, 0:00:25, inside
O 150.1.4.4 255.255.255.255 [110/11] via 136.1.124.4, 0:02:27, dmz2
O 150.1.3.3 255.255.255.255 [110/11] via 136.1.0.3, 0:02:27, outside
O 150.1.2.2 255.255.255.255 [110/11] via 136.1.0.2, 0:02:27, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 136.1.0.2, outside
Rack1ASA1#

Shut down R2’s Loopback0 interface, and see that the tracking object goes down. At the same
time, the default route in the ASA now points to R3.
Rack1R2#
Rack1R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R2(config)#int loop 0
Rack1R2(config-if)#shutdown
Rack1R2(config-if)#

Rack1ASA1# show track
Track 1
Response Time Reporter 1 reachability
Reachability is Down
2 changes, last change 00:00:19
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
Rack1ASA1#

Rack1ASA1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 136.1.0.3 to network 0.0.0.0

C 136.1.0.0 255.255.255.0 is directly connected, outside
C 136.1.121.0 255.255.255.0 is directly connected, inside
C 136.1.124.0 255.255.255.0 is directly connected, dmz2
C 10.0.0.0 255.255.255.0 is directly connected, dmz1
R 150.1.1.0 255.255.255.0 [120/1] via 136.1.121.1, 0:00:00, inside
O 150.1.4.4 255.255.255.255 [110/11] via 136.1.124.4, 0:05:22, dmz2
O 150.1.3.3 255.255.255.255 [110/11] via 136.1.0.3, 0:00:39, outside
S* 0.0.0.0 0.0.0.0 [100/0] via 136.1.0.3, outside
Rack1ASA1#

Finally, check the routing tables of R1 and SW1 to verify that they actually receive the default route
from the ASA firewall.
Rack1R1#show ip route rip
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 136.1.121.12 to network 0.0.0.0

R* 0.0.0.0/0 [120/1] via 136.1.121.12, 00:00:26, GigabitEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
R 10.0.0.0 [120/1] via 136.1.121.12, 00:00:26, GigabitEthernet0/0
136.1.0.0/16 is variably subnetted, 4 subnets, 2 masks
R 136.1.0.0/24 [120/1] via 136.1.121.12, 00:00:26, GigabitEthernet0/0
R 136.1.124.0/24 [120/1] via 136.1.121.12, 00:00:26, GigabitEthernet0/0
Rack1R1#

Rack1SW1#show ip route eigrp
D*EX 0.0.0.0/0 [170/3072] via 136.1.124.12, 00:22:13, Vlan124
Rack1SW1#
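The verification above is done by eye: read show track, then read show route and confirm the next hop matches the tracker state. The following Python example automates that consistency check over the two captures shown (tracker Up with the default via R2, tracker Down with the default via R3). It is example code added for this page, not part of the workbook; the embedded transcripts are abridged copies of the show track and show route output above, and the primary/backup addresses default to the lab's 136.1.0.2 and 136.1.0.3.

```python
"""Parse the ASA 'show track' and 'show route' transcripts from this
verification and confirm the installed default route agrees with the
tracker state. Example code added here, not part of the workbook; the
sample transcripts are abridged copies of the output shown above."""
import re
from typing import Dict, Optional

SHOW_TRACK_UP = """\
Track 1
Response Time Reporter 1 reachability
Reachability is Up
1 change, last change 00:02:11
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
"""

SHOW_TRACK_DOWN = """\
Track 1
Response Time Reporter 1 reachability
Reachability is Down
2 changes, last change 00:00:19
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
"""

SHOW_ROUTE_UP = """\
Gateway of last resort is 136.1.0.2 to network 0.0.0.0

C 136.1.0.0 255.255.255.0 is directly connected, outside
O 150.1.2.2 255.255.255.255 [110/11] via 136.1.0.2, 0:02:27, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 136.1.0.2, outside
"""

SHOW_ROUTE_DOWN = """\
Gateway of last resort is 136.1.0.3 to network 0.0.0.0

C 136.1.0.0 255.255.255.0 is directly connected, outside
O 150.1.3.3 255.255.255.255 [110/11] via 136.1.0.3, 0:00:39, outside
S* 0.0.0.0 0.0.0.0 [100/0] via 136.1.0.3, outside
"""

REACH_RE = re.compile(r"Reachability is (Up|Down)")
RETCODE_RE = re.compile(r"Latest operation return code: (\S+)")
GATEWAY_RE = re.compile(r"Gateway of last resort is (\S+) to network 0\.0\.0\.0")
# S* entry: "S* 0.0.0.0 0.0.0.0 [distance/metric] via next-hop, interface"
DEFAULT_RE = re.compile(
    r"^\s*S\*\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s*(\S+)",
    re.MULTILINE)


def parse_track(text: str) -> Dict[str, str]:
    """Reachability and last probe return code of a tracking object."""
    reach = REACH_RE.search(text)
    if reach is None:
        raise ValueError("no 'Reachability is' line in show track output")
    code = RETCODE_RE.search(text)
    return {"reachability": reach.group(1),
            "return_code": code.group(1) if code else ""}


def parse_default_route(text: str) -> Optional[Dict[str, object]]:
    """The installed S* default route, or None when no default is set.

    The summary line and the S* entry are cross-checked so a stale or
    truncated capture does not pass silently.
    """
    entry = DEFAULT_RE.search(text)
    if entry is None:
        return None
    route = {"distance": int(entry.group(1)), "metric": int(entry.group(2)),
             "next_hop": entry.group(3), "interface": entry.group(4)}
    summary = GATEWAY_RE.search(text)
    if summary and summary.group(1) != route["next_hop"]:
        raise ValueError("gateway summary and S* entry disagree")
    return route


def active_path(track_text: str, route_text: str,
                primary: str = "136.1.0.2", backup: str = "136.1.0.3") -> str:
    """'primary' or 'backup'; raises if the table contradicts the tracker."""
    track = parse_track(track_text)
    route = parse_default_route(route_text)
    if route is None:
        raise ValueError("no default route installed")
    expected = primary if track["reachability"] == "Up" else backup
    if route["next_hop"] != expected:
        raise ValueError(f"tracker is {track['reachability']} but default "
                         f"route points to {route['next_hop']}")
    return "primary" if expected == primary else "backup"


if __name__ == "__main__":
    print(active_path(SHOW_TRACK_UP, SHOW_ROUTE_UP))      # primary
    print(active_path(SHOW_TRACK_DOWN, SHOW_ROUTE_DOWN))  # backup
```

Feeding the functions live output collected over SSH instead of the embedded captures turns this into a simple monitoring probe: a ValueError means the routing table and the tracker disagree, which is exactly the condition the reliable static route is meant to rule out.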
