
Deployment Scenarios

SecureMe is deploying a new Cisco ASA 5520 at a remote branch office in San Diego, California. The security administrator wants the Cisco ASA to learn all internal routes via OSPF, with all routing updates authenticated using MD5. Additionally, the security administrator wants to enable IP multicast routing and configure a static PIM RP.

Deploying OSPF

Figure 6-11 illustrates San Diego's network topology. There is a router (R1) on the inside of the Cisco ASA that has connections to three other routers (R2, R3, and R4).

Figure 6-11. San Diego's Network Topology


The goal is for the Cisco ASA to learn all authenticated routes from R1 via OSPF and to advertise a default route to the internal network. The following steps are completed to achieve this goal.

Step 1.
An OSPF process (1) is enabled on the Cisco ASA:

SanDiego# configure terminal
SanDiego(config)# router ospf 1

Step 2.
The internal network is added to the OSPF process to enable OSPF on the inside interface:

SanDiego(config-router)# network 192.168.205.0 255.255.255.0 area 0

Step 3.
The default-information originate always command is entered so that the Cisco ASA advertises the inside interface's address as the default gateway to the internal devices:

SanDiego(config-router)# default-information originate always

Step 4.
OSPF authentication using MD5 is configured on the Cisco ASA, under the OSPF process and on the inside interface:

SanDiego(config-router)# area 0 authentication message-digest
SanDiego(config-router)# exit
SanDiego(config)# interface GigabitEthernet0/1
SanDiego(config-if)# ospf message-digest-key 1 md5 cisco
SanDiego(config-if)# ospf authentication message-digest

The MD5 key ID is 1, and the password is cisco.

Step 5.
The show ospf command is issued to verify that OSPF is enabled:

SanDiego# show ospf
 Routing Process "ospf 1" with ID 192.168.205.100 and Domain ID 0.0.0.1
 Supports only single TOS(TOS0) routes
 Does not support opaque LSA
 It is an autonomous system boundary router
 Redistributing External Routes from,
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 1. Checksum Sum 0x e4ab
 Number of opaque AS LSA 0. Checksum Sum 0x 0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm executed 12 times
        Area ranges are
        Number of LSA 4. Checksum Sum 0x 2430a
        Number of opaque link LSA 0. Checksum Sum 0x 0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Step 6.
The show route command is issued to verify the routing table:

SanDiego# show route
O   192.168.209.0 255.255.255.0 [110/21] via 192.168.205.1, 0:14:55, inside
O   192.168.208.0 255.255.255.0 [110/21] via 192.168.205.1, 0:14:55, inside
C    209.165.202.156 255.255.255.252 is directly connected, outside
C    192.168.205.0 255.255.255.0 is directly connected, inside
O   192.168.206.0 255.255.255.0 [110/11] via 192.168.205.1, 0:14:55, inside
O   192.168.207.0 255.255.255.0 [110/21] via 192.168.205.1, 0:14:55, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 209.165.202.157, outside
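The message-digest authentication enabled in Step 4 is the OSPFv2 cryptographic authentication of RFC 2328, Appendix D: the key ID selects a shared password, the password is zero-padded to 16 octets and appended to the packet, and an MD5 digest over that is trailed after the packet; the receiver recomputes the digest with its own copy of the key and also enforces a non-decreasing cryptographic sequence number per router ID. The following Python script is an added example, not code from the book or from Cisco. It follows the RFC's field layout; the packet body, router IDs and sequence numbers are constructed sample values, and the key ID 1 / password cisco match Step 4.

```python
# Added example (not from the book or Cisco): OSPFv2 cryptographic (MD5)
# authentication as described in RFC 2328, Appendix D. Field layout and key
# padding follow the RFC; body bytes and sequence numbers are constructed.
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
AUTYPE_CRYPTOGRAPHIC = 2   # AuType value for cryptographic authentication
DIGEST_LEN = 16            # MD5 digest length, also the padded key length
HEADER_LEN = 24            # fixed OSPFv2 header including the 8-octet auth field


def pad_key(password: str) -> bytes:
    """Keys shorter than 16 octets are zero-padded to 16 (RFC 2328 D.4.3)."""
    return password.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id: str, area_id: str, key_id: int, seq: int,
                 body: bytes, pkt_type: int = 1) -> bytes:
    """OSPFv2 header plus body. With AuType 2 the checksum field is zero and
    the 8-octet Authentication field carries: 2 zero octets, Key ID,
    Auth Data Length (16) and the 32-bit cryptographic sequence number."""
    length = HEADER_LEN + len(body)
    fixed = struct.pack("!BBH4s4sHH", OSPF_VERSION, pkt_type, length,
                        socket.inet_aton(router_id), socket.inet_aton(area_id),
                        0, AUTYPE_CRYPTOGRAPHIC)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return fixed + auth + body


def sign(packet: bytes, password: str) -> bytes:
    """Sender side: MD5 over packet || padded key, digest appended after the
    packet. The digest is not counted in the OSPF length field."""
    return packet + hashlib.md5(packet + pad_key(password)).digest()


def verify(frame: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver side: select the key by Key ID, recompute the digest, compare
    in constant time, and reject a sequence number lower than the last one
    accepted from this router ID (replay protection)."""
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    if length + DIGEST_LEN != len(frame):
        return False
    packet, digest = frame[:length], frame[length:]
    autype = struct.unpack("!H", packet[14:16])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False
    if key_id not in keys:
        return False                      # unknown Key ID: packet is dropped
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    router_id = packet[4:8]
    if seq < last_seq.get(router_id, 0):
        return False                      # replayed or out-of-order packet
    last_seq[router_id] = seq
    return True


def demo() -> dict:
    """Exercise the cases a defender cares about; returns the verdicts."""
    keys = {1: "cisco"}                   # key ID 1 / password from Step 4
    seen = {}
    body = b"constructed hello body"
    frame = sign(build_packet("192.168.205.100", "0.0.0.0", 1, 100, body), "cisco")
    tampered = frame[:30] + bytes([frame[30] ^ 0x01]) + frame[31:]
    older = sign(build_packet("192.168.205.100", "0.0.0.0", 1, 50, body), "cisco")
    return {
        "good_key": verify(frame, keys, seen),
        "wrong_key": verify(frame, {1: "wrongpw"}, {}),
        "tampered_body": verify(tampered, keys, {}),
        "old_sequence": verify(older, keys, seen),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the four verdicts: only the untampered packet signed with the correct key and a fresh sequence number is accepted. Because the key ID travels in clear text, both sides must hold the same password under the same ID, which is why Step 4 configures both on the interface that faces R1.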

Deploying IP Multicast

The security administrator needs to enable PIM and configure R1 as the PIM RP on the Cisco ASA. The following steps achieve this goal.

Step 1.
The security administrator enables multicast routing on the Cisco ASA:

SanDiego# configure terminal
SanDiego(config)# multicast-routing

Step 2.
R1's address is configured as the PIM RP on the Cisco ASA:

SanDiego(config)# pim rp-address 192.168.205.1

Step 3.
To verify the PIM neighbor relationship, the administrator issues the show pim neighbor command, which displays each neighbor's address, interface, uptime, and expiration timer:

SanDiego(config)# show pim neighbor
Neighbor Address  Interface          Uptime    Expires DR pri Bidir
209.165.202.157   outside            00:08:23  00:01:43 N/A
192.168.205.1     inside             00:09:58  00:01:37 N/A
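The two verification outputs in this scenario (show route in OSPF Step 6 and show pim neighbor in Step 3 above) can be checked mechanically against the intended design: every OSPF-learned route should come from R1 on the inside interface with administrative distance 110, a default route should be present, and the configured RP should appear as a PIM neighbor on inside. The following Python script is an added example, not code from the book or from Cisco; the sample outputs are constructed copies of the ones shown in this section, and the parsing functions and their names are assumptions for this example.

```python
# Added example (not from the book or Cisco): parse the show route and
# show pim neighbor outputs of this scenario and check them against the
# intended state. The sample outputs are constructed copies of the ones above.
import re

SHOW_ROUTE = """\
O   192.168.209.0 255.255.255.0 [110/21] via 192.168.205.1, 0:14:55, inside
O   192.168.208.0 255.255.255.0 [110/21] via 192.168.205.1, 0:14:55, inside
C    209.165.202.156 255.255.255.252 is directly connected, outside
C    192.168.205.0 255.255.255.0 is directly connected, inside
O   192.168.206.0 255.255.255.0 [110/11] via 192.168.205.1, 0:14:55, inside
O   192.168.207.0 255.255.255.0 [110/21] via 192.168.205.1, 0:14:55, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 209.165.202.157, outside
"""

SHOW_PIM_NEIGHBOR = """\
Neighbor Address  Interface          Uptime    Expires DR pri Bidir
209.165.202.157   outside            00:08:23  00:01:43 N/A
192.168.205.1     inside             00:09:58  00:01:37 N/A
"""

# One route line: code, network, mask, then either "[AD/metric] via nh, [uptime,] iface"
# or "is directly connected, iface".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),"
    r"(?:\s+[\d:]+,)?\s+(?P<iface>\S+)|is directly connected,\s+(?P<ciface>\S+))$"
)


def parse_routes(text: str) -> list:
    """Turn show route lines into dicts; lines that are not routes are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        routes.append({
            "code": g["code"], "net": g["net"], "mask": g["mask"],
            "ad": int(g["ad"]) if g["ad"] else None,
            "metric": int(g["metric"]) if g["metric"] else None,
            "next_hop": g["nh"], "iface": g["iface"] or g["ciface"],
        })
    return routes


def check_ospf(routes: list, r1: str = "192.168.205.1", inside: str = "inside") -> list:
    """Findings for the OSPF design; an empty list means the table matches."""
    findings = []
    ospf = [r for r in routes if r["code"] == "O"]
    if not ospf:
        findings.append("no OSPF-learned routes")
    for r in ospf:
        if r["next_hop"] != r1 or r["iface"] != inside:
            findings.append(f"OSPF route {r['net']} {r['mask']} via {r['next_hop']} "
                            f"on {r['iface']}, expected {r1} on {inside}")
        if r["ad"] != 110:
            findings.append(f"OSPF route {r['net']} has administrative distance {r['ad']}, expected 110")
    if not any(r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0" for r in routes):
        findings.append("no default route in the routing table")
    return findings


def to_seconds(hms: str) -> int:
    """Convert an hh:mm:ss timer column to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_pim_neighbors(text: str) -> dict:
    """Map neighbor address -> interface, uptime and expiry (seconds)."""
    neighbors = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, iface, uptime, expires = fields[:4]
        neighbors[addr] = {"iface": iface, "uptime": to_seconds(uptime),
                           "expires": to_seconds(expires)}
    return neighbors


def check_rp(neighbors: dict, rp: str = "192.168.205.1", inside: str = "inside") -> list:
    """The statically configured RP should be a PIM neighbor on the inside interface."""
    n = neighbors.get(rp)
    if n is None:
        return [f"configured RP {rp} is not a PIM neighbor"]
    if n["iface"] != inside:
        return [f"RP {rp} seen on {n['iface']}, expected {inside}"]
    return []


def audit(show_route: str = SHOW_ROUTE, show_pim: str = SHOW_PIM_NEIGHBOR) -> list:
    """All findings for both outputs; empty means the deployment matches the design."""
    return check_ospf(parse_routes(show_route)) + check_rp(parse_pim_neighbors(show_pim))


if __name__ == "__main__":
    print(audit() or "OK: routing table and PIM neighbors match the design")
```

On the outputs shown in this section audit() returns no findings. Because the RP is set statically with pim rp-address, the neighbor table only confirms that the ASA and R1 exchange PIM hellos on inside; a change of R1's address would have to be reflected in that command by hand, and the check above would flag the stale entry.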
