Cisco ASA and RIP
RIP has been with ASA for years and in this article I will try to cover all possible scenarios in configuring, misconfiguring. debugging and verifying it. As I come up with new ideas how to break the RIP on ASA I will update this article as well.
As it would be expected ASA has a bit limited version of RIP daemon as compared with IOS one. Major tasks you my be required to do :
- Enable RIP on the ASA;
- Dictate the version to work with – RIP v1 or RIP v2;
- Specify networks RIP protocol will be active for;
- Exclude some interfaces from active advertising RIP on them but allow to get
RIP updates on them , i.e. passive interface(s);
- Decide whether you want auto-summarization or not. Default is on;
- Enable Rip updates authentication and whether it should be
encrypted (MD5 mode) or clear text (text mode);
- If using authentication define authentication keys under relevant interfaces;
- To make your life harder you will be asked to redistribute;
- Finally verify and debug RIP operation.
SO let’s get our hands dirty.
Enable RIP routing process.
ASA#conf t
ASA(config)# router rip
TokyoASA(config-router)#
Set it to run exclusively version 2 . ASA doesn’t know to mix version
2 and 1 as IOS does.
TokyoASA(config-router)# version 2
Networks to be active for . You should specify classful nets or even if you specify anything different after you enter such networks ASA will automatically turn them into classful ones anyway.
TokyoASA(config-router)# network 5.0.0.0
Verifying configuration so far:
TokyoASA(config-router)# sh run router
router rip
network 5.0.0.0
version 2
You will most probably want to disable summarization :
TokyoASA(config-router)# no auto-summary
Exclude some interface from advertising on it:
– To suppress on ALL interfaces in one go:
TokyoASA(config-router)# passive-interface default
– To be more specific:
TokyoASA(config-router)# passive-interface outside
Authentication is configured exclusively under the interface :
– Dictate which authentication mode to use.
TokyoASA(config-if)# rip authentication mode md5
– Specify the key (password) and its id.
TokyoASA(config-if)# rip authentication key MYKEY key_id 33
Here is how it looks in show run interface :
interface Ethernet0/0
nameif outside
security-level 0
ip address 136.6.12.12 255.255.255.0
rip authentication mode md5
rip authentication key <removed> key_id 33
Redistribute. Just redistributing learned in other ways networks into the RIP would be boring. As usual you redistribute connected, static, ospf and rip (when working with the rest of the protocols).
TokyoASA(config-router)# redistribute ?
router mode commands/options:
connected Connected
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
Much more interesting is to implement some policy while redistributing using route-maps. As expected route-maps here are not what we used to know in IOS.
So what can you match for me ?
TokyoASA(config-route-map)# match ?
route-map mode commands/options:
interface Match first hop interface of route
ip Match IP address or next-hop or route-source
metric Match metric of route
route-type Match route-type of route
The most familiar and useful match on ACL lies here:
TokyoASA(config-route-map)# match ip ?
route-map mode commands/options:
address Match address of route or match packet
next-hop Match next-hop address of route
route-source Match advertising source address of route
TokyoASA(config-route-map)# match ip address FILTER-ACL
TokyoASA(config-route-map)# route-map RIPv2 permit 10
match ip address FILTER-ACL
match interface inside
TokyoASA(config-router)# redistribute connected route-map RIPv2 metric 13
About rest of the match conditions, I’ll cover them when talking about OSPF in ASA.
TokyoASA(config-route-map)# match route-type ?
route-map mode commands/options:
external Match external route (OSPF type 1/2)
internal Match internal route (including OSPF intra/inter area)
local Match locally generated route
nssa-external Match nssa-external route (OSPF type 1/2)
Filtering out routes in updates.
If you want to filter some networks in updates use distribute-list.
TokyoASA(config-router)# distribute-list MYACL ?
router mode commands/options:
in Filter incoming routing updates
out Filter outgoing routing updates
Now some debug is due.
Enable rip debug:
TokyoASA1# debug rip
TokyoASA1# sh debug
debug rip routing
debug rip database
debug rip events
Normal functioning protocol debug output:
add 10.0.2.0 255.255.255.0 via 0.0.0.0, connected metric [0/0]network
0.0.6.136 is now variably masked
add 136.6.0.0 255.255.0.0 via 0.0.0.0, connected metric [0/0]
RIP-DB: redist 10.0.0.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: redist 10.0.2.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: Get redist for network 10.0.2.0
RIP-DB: adding 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 to RIP database
RIP-DB: rip_create_ndb create 10.0.2.0 255.255.255.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.2.0 255.255.255.0, (metric 0) via 0.0.0.0, Ethernet0/2.120(permanent)
RIP-DB: add 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 (donot_age)
RIP-DB: Adding new rndb entry 10.0.2.0 255.255.255.0
RIP-DB: rip_create_ndb create 10.0.0.0 255.0.0.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.0.0 255.0.0.0, (metric 0) via 0.0.0.0, Null0(permanent)
RIP-DB: Created rip ndb summary entry for 10.0.0.0 255.0.0.0
RIP-DB: Adding new rndb entry 10.0.0.0 255.0.0.0 rip_route_adjust for dmz1 coming up
RIP: sending request on dmz1 to 224.0.0.9 rip_route_adjust for dmz1 coming up
RIP: sending request on dmz1 to 224.0.0.9
RIP: sending v2 flash update to 224.0.0.9 via dmz1 (10.0.2.120)
RIP: build flash update entries – suppressing null update
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.2.120)
RIP: build update entries – suppressing null update
Now the authentication has been enabled but keys on 2 peers are not the same:
RIP: sending v2 update to 224.0.0.9 via inside (136.6.121.12)
RIP: build update entries
10.0.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.120)
RIP: build update entries
136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.121.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: Update sent via inside rip-len:92
RIP: Update sent via dmz1 rip-len:92
RIP: ignored v2 packet from 136.6.123.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via inside (136.6.121.12)
RIP: build update entries
10.0.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.120)
RIP: build update entries