Cisco ASA Configuration Archives

Configuring a site-to-site VPN between two Cisco Adaptive Security Appliances is a common scenario for companies that have more than one geographical location sharing the same resources, documents, servers, etc. The Cisco ASA is often used as a VPN terminator, supporting a variety of VPN types and protocols.

In this tutorial, we are going to configure a site-to-site VPN using IKEv2. IKEv2 is the newer standard for IPsec VPNs. Although the legacy IKEv1 is still widely used in real-world networks, it is good to know how to configure IKEv2 as well, since it is usually required in high-security VPN networks (for compliance purposes).

As described in the topology scenario below, a VPN tunnel will be created between ASA1 and ASA2, connecting the two company sites, HQ and Branch1. Behind each security appliance there is a private LAN network. After configuring the VPN tunnel, the private LAN networks in HQ and Branch1 (two geographically dispersed locations) will be able to communicate over the internet and share resources.

We will refer to the diagram below for this configuration tutorial.

[Diagram: ASA IKEv2 site-to-site topology, ASA1 (HQ) and ASA2 (Branch1)]

We will start by configuring IP addressing. On ASA1 and ASA2, we will configure the inside interfaces as connected to the LAN and the outside interfaces as facing the VPN peer. In real-world networks, the outside interfaces would be on different subnets and use public IP addressing; here we use 10.10.10.0/24 for the outside network just to keep things simple.

ASA1

ASA1(config)# interface GigabitEthernet0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config-if)# interface GigabitEthernet1
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip address 10.10.10.1 255.255.255.0
ASA1(config-if)# no shutdown

ASA1# show interfaces ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.2     YES manual up                    up
GigabitEthernet1           10.10.10.1      YES manual up                    up

ASA2

ASA2(config)# interface GigabitEthernet0
ASA2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2(config-if)# interface GigabitEthernet1
ASA2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA2(config-if)# ip address 10.10.10.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2# show interfaces ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.2.2     YES manual up                    up
GigabitEthernet1           10.10.10.2      YES manual up                    up

Next, we will configure the IKEv2 policies (the IKEv2 counterpart of the IKEv1 ISAKMP policies). We first use the crypto ikev2 policy command to enter IKEv2 policy configuration mode, where we configure the IKEv2 parameters.

In this scenario, we use 3DES encryption with Diffie-Hellman group 2, the SHA-1 hash function and an encryption key lifetime of 43200 seconds (12 hours). These are lab values: 3DES and DH group 2 are considered weak today, so production tunnels should use AES and a stronger DH group.

ASA1

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# encryption 3des
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# lifetime seconds 43200

Finally, after the parameters have been set, we enable IKEv2 on the outside interface.

ASA1(config-ikev2-policy)# crypto ikev2 enable outside

ASA2

ASA2(config)# crypto ikev2 policy 1
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# encryption 3des
ASA2(config-ikev2-policy)# prf sha
ASA2(config-ikev2-policy)# lifetime seconds 43200
ASA2(config-ikev2-policy)# crypto ikev2 enable outside

Next, we will configure the IKEv2 IPsec proposal. As opposed to IKEv1, where we configured a transform set that combines one encryption and one authentication method, with IKEv2 we can list multiple encryption algorithms and multiple integrity algorithms in a single proposal.

For this scenario, we first enter IPsec proposal configuration mode and set the parameters there.

ASA1

ASA1(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA1(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1

ASA2

The same configuration is applied to ASA2.

ASA2(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA2(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1

Next, we need to identify the VPN interesting traffic (the traffic that will be sent through the tunnel) with an access list.

ASA1(config)# access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

The mirror ACL should be configured on ASA2.

ASA2(config)# access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The next step is to define a tunnel group. There are two default tunnel groups in the ASA: DefaultRAGroup is the default IPsec remote-access tunnel group and DefaultL2LGroup is the default IPsec LAN-to-LAN tunnel group.

To establish a LAN-to-LAN connection, two attributes must be set:

-  Connection type: IPsec LAN-to-LAN.

-  Authentication method for the IPsec tunnel: in this scenario we will use a pre-shared key for IKEv2.

The tunnel group is named after the IP address of the peer. The IKEv2 pre-shared key is configured as 32fjsk0392fg.

NOTE: With IKEv2 you can have asymmetric pre-shared keys, i.e. a different local and remote pre-shared key. If you want a configuration similar to the legacy IKEv1 technology, use the same local and remote pre-shared keys (as we do in the example below).

ASA1

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

ASA2

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

Finally, we will create a crypto map linking the access list, the peer and the IKEv2 proposal. We will apply this crypto map to the ASA outside interface.

ASA1

ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside

ASA2

Similar configuration will be applied to ASA2:

ASA2(config)# crypto map cmap 1 match address ACL2
ASA2(config)# crypto map cmap 1 set peer 10.10.10.1
ASA2(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA2(config)# crypto map cmap interface outside

The Cisco Adaptive Security Appliance is an integrated security device that can perform a variety of functions such as firewall, intrusion prevention, VPN, content security, unified communications, and remote access. Among these functions, the ASA can also perform routing using popular routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or static routes.

In this tutorial, we are going to focus on configuring EIGRP. We will walk through the steps to configure the Adaptive Security Appliance to perform routing functions, exchange routing updates and redistribute a static route.

In our example scenario, we will refer to the diagram below.

[Diagram: ASA EIGRP topology, R1 (inside), R2 (DMZ) and ASA1]

In this particular scenario, the routers R1 and R2 and the ASA all participate in the EIGRP process. R1 is in the internal network and R2 in the DMZ. A static default route pointing to the Internet via the outside interface of the ASA will be configured and redistributed into the EIGRP process.

We will start by configuring IP addressing and EIGRP on the two routers R1 and R2.

Router R1 Configuration:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#router eigrp 10
R1(config-router)#network 10.0.0.0 0.0.0.255
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end

Router R2 Configuration:

R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface FastEthernet1/0
R2(config-if)#ip address 10.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#router eigrp 10
R2(config-router)# network 10.1.1.0 0.0.0.255
R2(config-router)#network 192.168.2.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end

Now we will configure the ASA, which is the core of this tutorial. The ASA will separate the three zones in the network: the inside network, the DMZ and the outside network. This appliance is designed primarily to work at the boundary between internal and external networks. Accordingly, the ASA uses a security level associated with each interface. The security level is a number between 0 and 100 that signifies the level of trust for the network the interface is connected to.

The interface named inside is assigned the maximum trust level of 100 by default, and the outside interface gets the default value of 0, minimum trust. We can change these levels at any time, but for the scope of this tutorial we will leave the default values. We will also configure an additional interface, "DMZ", assigning it a security level of 50.

Cisco ASA Configuration:

ASA1# configure terminal
ASA1(config)# interface GigabitEthernet0
ASA1(config-if)# description outside interface connected to Internet
ASA1(config-if)# nameif outside
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 50.50.50.1 255.255.255.0
ASA1(config-if)# exit

ASA1(config)# interface GigabitEthernet1
ASA1(config-if)# description Inside interface connected to R1
ASA1(config-if)# nameif inside
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0
ASA1(config-if)# exit

ASA1(config)# interface GigabitEthernet2
ASA1(config-if)# description DMZ interface connected to R2
ASA1(config-if)# nameif dmz
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.2.2 255.255.255.0
ASA1(config-if)# exit

The outside interface of ASA1 is connected to the Internet. For the scope of this lab we use it only to hold a default route: it is assigned IP address 50.50.50.1 and the default route points to next hop 50.50.50.2. This default route will be redistributed from ASA1 to the rest of the EIGRP domain.

Next, we will configure EIGRP on ASA1, add a default static route and redistribute it into the EIGRP process.

ASA1(config)# router eigrp 10
ASA1(config-router)# network 192.168.1.0 255.255.255.0
ASA1(config-router)# network 192.168.2.0 255.255.255.0
ASA1(config-router)# no auto-summary
ASA1(config-router)# redistribute static
ASA1(config-router)# exit

ASA1(config)# route outside 0.0.0.0 0.0.0.0 50.50.50.2

Once EIGRP is configured, we can verify that it has established neighbor relationships with its peers and that it has redistributed the default static route:

Verification Commands:

ASA1# show eigrp neighbors

EIGRP-IPv4 neighbors for process 10
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   192.168.2.1             Gi2              13  00:16:28 27   200   0   3
0   192.168.1.1             Gi1              11  00:16:28 13   200   0   5

ASA1# show eigrp topology

EIGRP-IPv4 Topology Table for AS(10)/ID(192.168.2.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 28160
        via Rstatic (28160/0)
P 10.0.0.0 255.255.255.0, 1 successors, FD is 30720
        via 192.168.1.1 (30720/28160), GigabitEthernet1
P 10.1.1.0 255.255.255.0, 1 successors, FD is 30720
        via 192.168.2.1 (30720/28160), GigabitEthernet2
P 192.168.1.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet1
P 192.168.2.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet2

ASA1# show eigrp interfaces

EIGRP-IPv4 interfaces for process 10
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
inside             1        0/0        13       0/1          105           0
dmz                1        0/0        27       0/1           89           0

ASA1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 50.50.50.2 to network 0.0.0.0
C    50.50.50.0 255.255.255.0 is directly connected, outside
D    10.0.0.0 255.255.255.0 [90/30720] via 192.168.1.1, 0:19:52, inside
D    10.1.1.0 255.255.255.0 [90/30720] via 192.168.2.1, 0:19:53, dmz
C    192.168.1.0 255.255.255.0 is directly connected, inside
C    192.168.2.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via 50.50.50.2, outside

Let’s also verify the routing updates received by the routers. They should see the other networks attached to ASA1 and the injected static default route:

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

10.0.0.0/24 is subnetted, 2 subnets
D       10.1.1.0 [90/33280] via 192.168.1.2, 00:20:44, FastEthernet0/0
C       10.0.0.0 is directly connected, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
D    192.168.2.0/24 [90/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0
D*EX 0.0.0.0/0 [170/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0

R2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

10.0.0.0/24 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
D       10.0.0.0 [90/33280] via 192.168.2.2, 00:22:21, FastEthernet0/0
D    192.168.1.0/24 [90/30720] via 192.168.2.2, 00:22:21, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
D*EX 0.0.0.0/0 [170/30720] via 192.168.2.2, 00:22:21, FastEthernet0/0

We now have in place the three networks separated by ASA1, each with a different security level assigned, exchanging routing information. The ASA performs stateful inspection by default, so access lists must be configured to permit traffic from lower-security to higher-security zones.

Cisco ASA 5505 DMZ with Private VLAN Configuration

The ASA 5505 is the only model that has an 8-port switch embedded in the device. All interfaces of the ASA5505 are Layer2 switch ports and thus they support some features that you can find on Cisco switches. One of these features is called “Private Vlan”.

The concept of "Private VLAN" is very useful in DMZ environments. Here is how it can be used: let's say you have a firewall with an Outside interface connected to the Internet, an Inside interface connected to the secure LAN, and a DMZ interface connected to a subnet hosting several publicly accessible servers (e.g. a web server, an email server, etc.). The DMZ servers are all on the same network subnet. Thus, if one of the DMZ servers gets compromised, the attacker can easily use this hacked server as a "stepping stone" to access the other servers in the DMZ.

The above situation can be mitigated by using "Private VLANs". Although the DMZ Layer 2 VLAN number and Layer 3 subnet are the same for all servers, by designating each DMZ switch port as a "Private VLAN" port the servers in the DMZ are no longer allowed to communicate with each other.

Let’s see a diagram below to explain this concept.

[Diagram: ASA 5505 DMZ with Private VLAN]

Let’s say we have an ASA5505 with three security Zones:

  • Outside Zone: Interface E0/0 in VLAN 10
  • Inside Zone: Interface E0/1 in VLAN 20
  • DMZ Zone: Interfaces E0/2, E0/3 in VLAN 30

Notice that in the DMZ we have two publicly accessible servers (a Web and an Email server) that both belong to the same Layer 2 VLAN (VLAN 30) and the same Layer 3 network subnet (10.0.0.0/24).

If we don't configure "Private VLANs", then if the Web or Email server gets hacked, the attacker can access the other DMZ server as well. With Private VLANs, the Web and Email servers can NOT communicate with each other even though they are on the same VLAN and subnet. However, all other zones (outside and inside) are still able to access the DMZ zone (and vice versa) without any problems.

Configuration:

We are not going to see the complete config here, just the part that has to do with Private Vlan setup.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 10
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 20
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

ASA5505(config-if)# interface ethernet 0/3
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

The command "switchport protected" configures the specific physical ports as "Private VLAN" (protected) ports. Ports configured this way cannot communicate with each other.

Cisco ASA Master PassPhrase

There are several configuration features on Cisco ASA that require some sort of password or secret-key that you need to enter. Some examples include:

  • VPN pre-shared keys (either for site-to-site IPSEC VPN or for Remote Access).
  • AAA server secret key when communicating with a RADIUS server.
  • Routing Protocols keys (for OSPF, EIGRP).
  • Secret key for failover communication.
  • Password to communicate with a Log Server.
  • VPN Load Balancing key
  • Etc.

All the above might be hidden when you view the running configuration (by executing "show run"); however, they are NOT encrypted inside the configuration file. For example, if you copy the configuration to an external TFTP server, all the above passwords and secret keys will appear in clear text in the configuration file.

Moreover, when you execute the command “more system:running-config” you will also be able to view the running configuration with all passwords as plain text.

If you want to store all the above passwords in encrypted format in the configuration file, you can use the “Master Passphrase” feature. The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing their functionality. This feature is available from version 8.3(1) and above.

Configuration

1) Create the Master Passphrase. It must be between 8 and 128 characters long and must not contain backspace or double-quote characters.

ASA(config)# key config-key password-encryption
New key: verystrongkey
Confirm key: verystrongkey

The above creates the Master Passphrase. Next we need to enable AES password encryption for all passwords:

2) Enable Password Encryption and save the configuration

ASA(config)# password encryption aes
ASA(config)# write mem

Notes:

  • If you want to remove the master passphrase, use "no key config-key password-encryption [current passphrase]".
  • If you have lost the master passphrase, you must erase the configuration and reboot the ASA: "write erase" and then "reload".
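As an added example (not from the article), a Python script that scans an exported ASA configuration for the kinds of secret-bearing commands listed above and reports whether "password encryption aes" is present, so a config repository or TFTP export can be checked before it is shared; the sample configuration and all secrets in it are constructed.

```python
import re

# Secret-bearing ASA commands of the kinds the article lists, each with a
# regex that captures the secret. Lines are matched after stripping leading
# whitespace, so the indented "key" line under an aaa-server host matches too.
SECRET_PATTERNS = {
    "VPN pre-shared key": re.compile(r"pre-shared-key (?P<secret>\S+)\s*$"),
    "AAA server key": re.compile(r"^key (?P<secret>\S+)\s*$"),
    "OSPF MD5 key": re.compile(r"message-digest-key \d+ md5 (?P<secret>\S+)"),
    "EIGRP key": re.compile(r"authentication key eigrp \d+ (?P<secret>\S+)"),
    "failover key": re.compile(r"^failover key (?P<secret>\S+)"),
    "VPN load-balancing key": re.compile(r"^cluster key (?P<secret>\S+)"),
}

# Constructed sample of an ASA configuration as it might land on a TFTP
# server, with every secret still in clear text.
SAMPLE_CONFIG = """\
hostname ASA1
interface GigabitEthernet0
 nameif outside
 ospf message-digest-key 1 md5 cisco
 authentication key eigrp 10 eigrpsecret key-id 1
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10
 key RadiusSharedSecret
tunnel-group 10.10.10.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key 32fjsk0392fg
 ikev2 remote-authentication pre-shared-key 32fjsk0392fg
failover key FailoverSecret
vpn load-balancing
 cluster key LoadBalanceSecret
"""


def mask(secret):
    """Keep the first two characters so a finding can be matched to its line."""
    return secret[:2] + "*" * max(len(secret) - 2, 1)


def audit_config(text):
    """Report secret-bearing commands and whether AES password encryption is on."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({"line": number, "kind": kind, "masked": mask(m.group("secret"))})
                break
    encryption_on = any(l.strip() == "password encryption aes" for l in text.splitlines())
    return {"encryption_enabled": encryption_on, "secrets": findings}


def summarize(report):
    """Human-readable lines, e.g. for a pre-commit hook on a config repository."""
    lines = []
    if not report["encryption_enabled"]:
        lines.append(f"{len(report['secrets'])} secrets stored in clear text "
                     "(no 'password encryption aes' in this configuration)")
    for f in report["secrets"]:
        lines.append(f"line {f['line']}: {f['kind']} = {f['masked']}")
    return lines
```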

How to Configure OSPF on Cisco ASA Firewall

Cisco Adaptive Security Appliance (ASA) is quite a versatile device integrating application-aware firewall, SSL and IPsec VPN, intrusion prevention system (IPS), antivirus, antispam, antiphishing, and web filtering services. Cisco ASA also supports routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and last but not least, Open Shortest Path First (OSPF). In this tutorial, our focus will be OSPF configuration on Cisco ASA according to the figure below.

[Figure 1: OSPF on Cisco ASA]

Please note that the configuration on R1 is not relevant to this scenario; R1 is shown just for the sake of completeness. We will start by configuring OSPF on routers R2 and R3. We will also configure MD5 authentication for OSPF on Fa0/0 of R2 and R3, using cisco as the authentication key.

Here’s the configuration for R2:

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 202.49.12.2 255.255.255.0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#exit

R2(config)#interface Loopback0
R2(config-if)#ip address 10.10.2.2 255.255.255.0
R2(config-if)#exit

R2(config)#router ospf 1
R2(config-router)#network 202.49.12.0 0.0.0.255 area 0
R2(config-router)#network 10.10.2.0 0.0.0.255 area 0
R2(config-router)#end

Here goes the configuration for R3:

R3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet0/0
R3(config-if)#ip address 202.49.13.3 255.255.255.0
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#exit

R3(config)#interface Loopback0
R3(config-if)#ip address 10.10.3.3 255.255.255.0
R3(config-if)#exit

R3(config)#router ospf 1
R3(config-router)#network 202.49.13.0 0.0.0.255 area 1
R3(config-router)#network 10.10.3.0 0.0.0.255 area 1
R3(config-router)#end

Let's now move to the interesting part, where we configure the Cisco ASA. We will first configure the interface IP addresses, at the same time assigning Ethernet0/0, Ethernet0/1 and Ethernet0/2 to the outside, inside and DMZ (demilitarized zone) zones, respectively. The inside and outside interfaces are automatically assigned the default security levels of 100 and 0. The higher the security level, the more trusted the interface is. Therefore, the most trusted network is placed behind an interface with a security level of 100, whereas the least trusted network is placed behind an interface with a security level of 0. A DMZ interface can be assigned a security level between 0 and 100.

We assign a security level of 50 to the DMZ interface using the security-level command. We also configure MD5 authentication for OSPF on the outside and DMZ interfaces, choosing cisco as the authentication key. Toward the end of the configuration given below, both the outside and DMZ interfaces are assigned to the appropriate OSPF area using the network command.

ASA1# configure terminal
ASA1(config)# interface Ethernet0/0
ASA1(config-if)# ip address 202.49.12.1 255.255.255.0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/1
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/2
ASA1(config-if)# ip address 202.49.13.1 255.255.255.0
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# router ospf 1
ASA1(config-router)# network 202.49.12.0 255.255.255.0 area 0
ASA1(config-router)# network 202.49.13.0 255.255.255.0 area 1
ASA1(config-router)# end
ASA1#

Let’s now verify that ASA1 has indeed established OSPF adjacency with R2 and R3 using show ospf neighbor command.

ASA1# show ospf neighbor

Neighbor ID    Pri   State        Dead Time   Address         Interface

10.10.2.2        1   FULL/DR      0:00:32     202.49.12.2     outside
10.10.3.3        1   FULL/BDR     0:00:38     202.49.13.3     DMZ

The above output indicates that OSPF neighbor relationships have been successfully established with both R2 and R3. You can use the show ospf interface command to find out more details, such as the OSPF neighbor authentication status.

ASA1# show ospf interface

outside is up, line protocol is up
Internet Address 202.49.12.1 mask 255.255.255.0, Area 0
Process ID 1, Router ID 202.49.13.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 10.10.2.2, Interface address 202.49.12.2
Backup Designated router (ID) 202.49.13.1, Interface address 202.49.12.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:00
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.10.2.2  (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1


You can also use the show ip ospf interface brief and show ip ospf neighbor commands on R2 and/or R3. We show the output of these two commands for R2 here.

R2#show ip ospf neighbor

Neighbor ID  Pri  State     Dead Time   Address         Interface
202.49.13.1  1    FULL/BDR  00:00:30    202.49.12.1     FastEthernet0/0

R2#show ip ospf interface brief

Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C

Lo0          1     0               10.10.2.2/24       1     LOOP  0/0
Fa0/0        1     0               202.49.12.2/24     1     DR    1/1

We can expect that R2, R3 and ASA1 have also learned some OSPF routes by now. Let's verify that by using the show ip route command on R2 first.

R2#show ip route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0/24 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O IA   10.10.3.3/32 [110/12] via 202.49.12.1, 02:01:57, FastEthernet0/0
C      10.10.2.0/24 is directly connected, Loopback0
O IA 202.49.13.0/24 [110/11] via 202.49.12.1, 02:02:01, FastEthernet0/0


Please feel free at this point to use the show ip route command on R3 as well. We can use the show route command on ASA1 to find out which routes it has learned over OSPF.

ASA1# show route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0 255.255.255.0 is directly connected, outside
O    10.10.3.3 255.255.255.255 [110/11] via 202.49.13.3, 2:03:52, DMZ
O    10.10.2.2 255.255.255.255 [110/11] via 202.49.12.2, 2:11:30, outside
C    202.49.13.0 255.255.255.0 is directly connected, DMZ
C    192.168.1.0 255.255.255.0 is directly connected, inside

Though OSPF routing is looking good at this stage, we may not yet be able to ping from R2 to R3 or vice versa. On Cisco ASA, by default you do not need to define an ACL to permit traffic from a higher security level interface to a lower security level interface. However, an ACL must explicitly permit traffic from a lower security level interface (such as outside, with security level 0) to a higher security level interface (such as DMZ, with security level 50). Here is how we configure an ACL and apply it inbound on the outside interface to allow the incoming traffic. For example purposes only, we allow ICMP traffic from the outside to IP 10.10.3.3 in the DMZ; in production you would restrict the source to known addresses rather than any.

ASA1(config)# access-list OUTSIDE-IN extended permit icmp any host 10.10.3.3
ASA1(config)# access-list OUTSIDE-IN extended permit icmp any any echo-reply
ASA1(config)# access-group OUTSIDE-IN in interface outside

Let’s try to ping from R2 to Loopback0 on R3 and vice versa, in order to seal the deal.

R2#ping 10.10.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/40 ms

R3#ping 10.10.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms
