
Routing and Authentication on ASA

STEP 1 : Configure Basic router Interface


STEP 2 : Configure RIP Routing on Router and ASA

DMZ(config)#router rip
DMZ(config-router)#version 2
DMZ(config-router)#no auto-summary
DMZ(config-router)#network 192.168.1.0
DMZ(config-router)#net 3.3.3.3

ON ASA

ASA1(config)# router rip
ASA1(config-router)# version 2
ASA1(config-router)# no auto-summary
ASA1(config-router)# network 192.168.1.0

Verification

ASA1# sh route rip
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.1.20.2 to network 0.0.0.0
R 3.3.3.3 255.255.255.255 [120/1] via 192.168.1.3, 00:00:04, DMZ

Authentication
---------------------

Router DMZ

key chain ABC
key 1
key-string cisco123
interface fa 0/0
ip rip authentication mode md5
ip rip authentication key-chain ABC

ASA

interface gi 0/0
rip authentication mode md5
rip authentication key cisco123 key_id 1

Let's configure and verify:

DMZ(config)#key chain ABC
DMZ(config-keychain)#key 1
DMZ(config-keychain-key)#key-string cisco123
DMZ(config-keychain-key)#interface fa 0/0
DMZ(config-if)#ip rip authentication mode md5
DMZ(config-if)#ip rip authentication key-chain ABC

Until the ASA side is configured to match, the ASA discards the MD5-authenticated updates DMZ now sends, and the route it had learned from DMZ times out:

ASA1(config-if)# sh route rip
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.1.20.2 to network 0.0.0.0
R 3.3.3.3 255.255.255.255 is possibly down,
routing via 192.168

ASA1(config-if)# interface gi 0/2
ASA1(config-if)# rip authentication mode md5
ASA1(config-if)# rip authentication key cisco123 key_id 1
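
As an added illustration of what the key_id and key-string above protect (this is not part of the original lab), the Python below builds a RIPv2 update carrying the RFC 2082 keyed-MD5 trailer that DMZ sends once authentication is on, and checks it the way the ASA must: a wrong key, an unknown key id or a modified route entry is rejected. The packet layout follows RFC 2082; the route and key are the lab's own values.

```python
import hashlib
import hmac
import struct

# Constructed sample taken from the lab: key id 1, key-string cisco123, and the
# route DMZ advertises to the ASA (3.3.3.3/32, next hop 0.0.0.0, metric 1).
KEY_ID, KEY = 1, b"cisco123"
ROUTES = [("3.3.3.3", "255.255.255.255", 1)]


def ip(addr: str) -> bytes:
    """Dotted-quad string to its 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def rte(prefix: str, mask: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry: AFI 2 (IP), route tag 0, next hop 0.0.0.0."""
    return struct.pack("!HH4s4s4sI", 2, 0, ip(prefix), ip(mask), ip("0.0.0.0"), metric)


def build_rip_md5_response(key_id: int, key: bytes, routes, seq: int) -> bytes:
    """RIPv2 response (command 2) with an RFC 2082 keyed-MD5 authentication trailer."""
    body = b"".join(rte(*r) for r in routes)
    pkt_len = 4 + 20 + len(body)  # header + auth entry + RTEs; the trailer is not counted
    # Auth entry: AFI 0xFFFF, type 3 (keyed MD5), packet length, key id, digest length,
    # sequence number (replay protection), 8 reserved bytes.
    auth_entry = struct.pack("!HHHBBI8x", 0xFFFF, 3, pkt_len, key_id, 16, seq)
    unsigned = struct.pack("!BBH", 2, 2, 0) + auth_entry + body + struct.pack("!HH", 0xFFFF, 1)
    # The digest covers everything up to the trailer header, with the zero-padded key
    # standing in for the 16 digest bytes; the key itself never goes on the wire.
    digest = hashlib.md5(unsigned + key.ljust(16, b"\0")).digest()
    return unsigned + digest


def verify_rip_md5(packet: bytes, keychain: dict) -> bool:
    """Receiver side: pick the key by id from the auth entry and recompute the digest."""
    if len(packet) < 44 or packet[4:8] != b"\xff\xff\x00\x03":
        return False  # no keyed-MD5 auth entry: an unauthenticated or plaintext-auth update
    pkt_len, key_id, _digest_len, _seq = struct.unpack("!HBBI", packet[8:16])
    key = keychain.get(key_id)
    if key is None or len(packet) != pkt_len + 20:
        return False  # unknown key id (the ASA's key_id must match) or truncated packet
    unsigned, received = packet[: pkt_len + 4], packet[pkt_len + 4 :]
    expected = hashlib.md5(unsigned + key.ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, received)
```

The same mismatch cases are what the "is possibly down" output above reflects: a receiver without the matching key and key id throws the update away.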

STEP 2.2 : Configure Routing (OSPF) on Router
STEP 2.3 : Configure Routing (OSPF) on ASA
STEP 2.4 : Verify about the routes being learned
STEP 2.5 : Configure authentication and then Test

OUTSIDE(config-if)#router ospf 1
OUTSIDE(config-router)#router-id 2.2.2.2
OUTSIDE(config-router)#network 192.1.20.2 0.0.0.255 area 0
OUTSIDE(config-router)#network 2.2.2.2 0.0.0.0 area 0

ON ASA

ASA1(config)# router ospf 1
ASA1(config-router)# router-id 10.10.10.10
ASA1(config-router)# network 192.1.20.0 255.255.255.0 area 0

Verification

ASA1# show route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.1.20.2 to network 0.0.0.0
O 2.2.2.2 255.255.255.255 [110/11] via 192.1.20.1, 00:00:54, outside

Authentication
---------------------

Router OUTSIDE

interface fa 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123

ASA

interface gi 0/1
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco123

Let's configure and verify!

OUTSIDE(config)#interface fa 0/0
OUTSIDE(config-if)#ip ospf authentication message-digest
OUTSIDE(config-if)#ip ospf message-digest-key 1 md5 cisco123
OUTSIDE(config-if)#do sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
10.10.10.10 1 FULL/DR 00:00:13 192.1.20.10 FastEthernet0/0
*Mar 1 01:43:51.995: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.10 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

ASA1(config-if)# int gi 0/1
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco123

*Mar 1 01:48:02.707: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.10 on FastEthernet0/0 from LOADING to FULL, Loading Done
OUTSIDE(config-if)#do sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
10.10.10.10 1 FULL/DR 00:00:31 192.1.20.10 FastEthernet0/0

STEP 2.6 : Configure Routing (EIGRP) on Router
STEP 2.7 : Configure Routing (EIGRP) on ASA
STEP 2.8 : Verify Routing (EIGRP) on ASA
STEP 2.9 : Configure authentication and Test

Inside(config)#router eigrp 100
Inside(config-router)#no auto-summary
Inside(config-router)#network 10.11.11.0 255.255.255.0
Inside(config-router)#net 1.1.1.1

ON ASA

ASA1(config)# router eigrp 100
ASA1(config-router)# no auto-summary
ASA1(config-router)# network 10.11.11.0 255.255.255.0

Verification

ASA1# sh route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.1.20.2 to network 0.0.0.0
D 1.1.1.1 255.255.255.255 [90/130816] via 10.11.11.1, 00:00:24, inside

Authentication
---------------------

Router INSIDE

key chain ABC
key 1
key-string cisco123
int fa 0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 ABC

ASA

interface gi 0/2
authentication mode eigrp 100 md5
authentication key eigrp 100 cisco123 key-id 1

Let's configure and verify, then!

Inside(config)#key ?
chain Key-chain management
config-key Set a private configuration key for general use

Inside(config)#key chain ?
WORD Key-chain name

Inside(config)#key chain ABC
Inside(config-keychain)#?
Key-chain configuration commands:
default Set a command to its defaults
exit Exit from key-chain configuration mode
key Configure a key
no Negate a command or set its defaults

Inside(config-keychain)#key ?
<0-2147483647> Key identifier

Inside(config-keychain)#key 1 ?
<cr>

Inside(config-keychain)#key 1
Inside(config-keychain-key)#?
Key-chain key configuration commands:
accept-lifetime Set accept lifetime of key
default Set a command to its defaults
exit Exit from key-chain key configuration mode
key-string Set key string
no Negate a command or set its defaults
send-lifetime Set send lifetime of key

Inside(config-keychain-key)#key-string ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password

Inside(config-keychain-key)#key-string cisco123

Inside(config)#int fa 0/0
Inside(config-if)#ip authentication mode eigrp 100 md5
*Mar 1 00:20:23.587: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.11.11.10 (FastEthernet0/0) is down: authentication mode changed
Inside(config-if)#ip authentication key-chain eigrp 100 ABC

Notice how quickly the neighborship comes down: changing the authentication mode on one side alone is enough to tear down the adjacency.

ASA1(config)# interface gi 0/2
ASA1(config-if)# authentication mode eigrp 100 md5
ASA1(config-if)# authentication key eigrp 100 cisco123 key-id 1

What's going on on the INSIDE router:

Inside(config-if)#
*Mar 1 00:22:10.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.11.11.10 (FastEthernet0/0) is up: new adjacency


Redistribution between routing protocols on ASA

Redistribution
--------------
ASA

router rip
redistribute ospf 1 metric 1
redistribute eigrp 100 metric 1
router ospf 1
redistribute rip metric 30 subnets
redistribute eigrp 100 metric 30 subnets

Note that this redistributes every protocol into the others on the same box: as soon as a second redistribution point or a redundant path exists, a prefix can be re-advertised back into the domain it came from. Outside a lab, attach a route-map to the redistribute commands to tag or filter what crosses between protocols.