This document describes how to configure the Cisco Adaptive Security Appliance (ASA) to learn routes through, and perform authentication with, the Enhanced Interior Gateway Routing Protocol (EIGRP), which is supported in ASA software version 9.x and later.
Cisco requires that these conditions are met before you attempt this configuration:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Cisco ASA code version 8.4.4.1 and later synchronizes dynamic routes from the active unit to the standby unit. In addition, route deletions are also synchronized to the standby unit. However, the state of peer adjacencies is not synchronized; only the ACTIVE unit maintains the neighbor state and actively participates in dynamic routing. Refer to the ASA FAQ: What happens after failover if dynamic routes are synchronized? for more information.
This section describes how to configure the features covered in this document.
This document uses this network setup:
In the network topology shown, the Cisco ASA inside interface IP address is 10.10.10.1/24. The goal is to configure EIGRP on the Cisco ASA so that routes to the internal networks (10.20.20.0/24, 172.18.124.0/24, and 192.168.10.0/24) are learned dynamically through the adjacent router (R1). R1 learns the routes to the remote internal networks through two other routers (R2 and R3).
ASDM is a browser-based application used to configure and monitor the software on security appliances. ASDM is loaded from the security appliance and then used to configure, monitor, and manage the device. You can also use the ASDM Launcher to start the ASDM application faster than the Java applet. This section describes the information you need in order to configure the features described in this document with ASDM.
Complete these steps in order to configure EIGRP on the Cisco ASA.
Only interfaces with an IP address that falls within the defined networks participate in the EIGRP routing process. If you have an interface that you do not want to participate in EIGRP routing, but that is attached to a network you want advertised, configure a network entry on the Setup > Networks tab that covers the network the interface is attached to, and then configure that interface as a passive interface so that it cannot send or receive EIGRP updates.
The Cisco ASA supports MD5 authentication of routing updates from the EIGRP routing protocol. The MD5-keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources. The addition of authentication to your EIGRP messages ensures that your routers and the Cisco ASA only accept routing messages from other routing devices that are configured with the same pre-shared key. Without this authentication configured, if someone introduces another routing device with different or contrary route information onto the network, the routing tables on your routers or the Cisco ASA can become corrupted and a denial of service attack can ensue. When you add authentication to the EIGRP messages sent between your routing devices (including the ASA), it prevents the unauthorized addition of EIGRP routers into your routing topology.
EIGRP route authentication is configured on a per-interface basis. All EIGRP neighbors on interfaces configured for EIGRP message authentication must be configured with the same authentication mode and key for adjacencies to be established.
Complete these steps in order to enable EIGRP MD5 authentication on the Cisco ASA.
With EIGRP, you can control the routing updates that are sent and received. In this example, you block routing updates on the ASA for the network prefix 192.168.10.0/24, which is behind R1. For route filtering, you can only use a standard ACL.
access-list eigrp standard deny 192.168.10.0 255.255.255.0
access-list eigrp standard permit any
router eigrp 10
distribute-list eigrp in
ASA(config)# show access-list eigrp
access-list eigrp; 2 elements; name hash: 0xd43d3adc
access-list eigrp line 1 standard deny 192.168.10.0 255.255.255.0 (hitcnt=3) 0xeb48ecd0
access-list eigrp line 2 standard permit any4 (hitcnt=12) 0x883fe5ac
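The inbound distribute-list above is evaluated as a standard ACL against the network address of each route R1 advertises: entries are checked in configured order, the first match decides, and an ACL with no matching entry denies (implicit deny), so a distribute-list that only contains deny entries would drop every route. The following script is an added illustration, not code from this document or from Cisco; it parses the `access-list eigrp` lines shown above with a constructed config fragment, applies the same first-match, implicit-deny logic, and reports which of the three prefixes R1 advertises would be installed and which would be filtered. The ACL name, the prefix list and the helper names are assumptions for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the standard ACL and router stanza shown in this document.
ASA_CONFIG = """\
access-list eigrp standard deny 192.168.10.0 255.255.255.0
access-list eigrp standard permit any
router eigrp 10
 distribute-list eigrp in
"""

# Prefixes R1 advertises in this document's topology (constructed list).
ADVERTISED_BY_R1 = ["10.20.20.0/24", "172.18.124.0/24", "192.168.10.0/24"]

AclEntry = Tuple[str, Optional[ipaddress.IPv4Network]]  # (action, network or None for "any")

ACL_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+(?P<action>permit|deny)\s+"
    r"(?P<target>any4?|host\s+\S+|\S+\s+\S+)$"
)


def parse_standard_acl(config_text: str, name: str) -> List[AclEntry]:
    """Collect the entries of one ASA standard ACL, in configured order."""
    entries: List[AclEntry] = []
    for raw in config_text.splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m or m["name"] != name:
            continue
        target = m["target"]
        if target in ("any", "any4"):
            net = None
        elif target.startswith("host"):
            net = ipaddress.ip_network(target.split()[1] + "/32")
        else:
            addr, mask = target.split()  # ASA standard ACLs use a netmask, not a wildcard
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((m["action"], net))
    return entries


def acl_permits(entries: List[AclEntry], prefix: str) -> bool:
    """First matching entry wins; an ACL with no matching entry denies (implicit deny)."""
    net_addr = ipaddress.ip_network(prefix, strict=False).network_address
    for action, net in entries:
        if net is None or net_addr in net:
            return action == "permit"
    return False


def filter_inbound_routes(entries: List[AclEntry], advertised: List[str]):
    """Split advertised prefixes into those the distribute-list lets in and those it drops."""
    accepted = [p for p in advertised if acl_permits(entries, p)]
    dropped = [p for p in advertised if not acl_permits(entries, p)]
    return accepted, dropped


if __name__ == "__main__":
    acl = parse_standard_acl(ASA_CONFIG, "eigrp")
    ok, blocked = filter_inbound_routes(acl, ADVERTISED_BY_R1)
    print("installed:", ok)
    print("filtered :", blocked)
```

Because the match is against the route's network address, a more specific prefix such as 192.168.10.128/25 would also be caught by the deny entry, which is why the same ACL can be used to keep an entire aggregate out of the ASA routing table.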
This is the Cisco ASA CLI configuration.
!outside interface configuration
interface GigabitEthernet0/0
description outside interface connected to the Internet
nameif outside
security-level 0
ip address 198.51.100.120 255.255.255.0
!
!inside interface configuration
interface GigabitEthernet0/1
description interface connected to the internal network
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!EIGRP authentication is configured on the inside interface (interface
!configuration mode commands)
authentication key eigrp 10 cisco123 key-id 1
authentication mode eigrp 10 md5
!
!management interface configuration
interface Management0/0
nameif management
security-level 99
ip address 10.10.20.1 255.255.255.0 management-only
!
!
!EIGRP Configuration - the CLI configuration is very similar to the
!Cisco IOS router EIGRP configuration.
router eigrp 10
no auto-summary
eigrp router-id 10.10.10.1
network 10.10.10.0 255.255.255.0
!
!This is the static default gateway configuration
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
This is the CLI configuration of R1 (the internal router).
!! Interface that connects to the Cisco ASA. Notice the EIGRP authentication
!! parameters.
interface FastEthernet0/0
ip address 10.10.10.2 255.255.255.0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 MYCHAIN
!
!
! EIGRP Configuration
router eigrp 10
network 10.10.10.0 0.0.0.255
network 10.20.20.0 0.0.0.255
network 172.18.124.0 0.0.0.255
network 192.168.10.0
no auto-summary
Complete these steps in order to verify your configuration.
ciscoasa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 100.10.10.2 to network 0.0.0.0
C 198.51.100.0 255.255.255.0 is directly connected, outside
D 192.168.10.0 255.255.255.0 [90/131072] via 10.10.10.2, 0:32:29, inside
D 172.18.124.0 255.255.255.0 [90/131072] via 10.10.10.2, 0:32:29, inside
C 127.0.0.0 255.255.0.0 is directly connected, cplane
D 10.20.20.0 255.255.255.0 [90/28672] via 10.10.10.2, 0:32:29, inside
C 10.10.10.0 255.255.255.0 is directly connected, inside
C 10.10.20.0 255.255.255.0 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
ciscoasa(config)# show route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
D 192.168.10.0 255.255.255.0 [90/131072] via 10.10.10.2, 0:32:29, inside
D 172.18.124.0 255.255.255.0 [90/131072] via 10.10.10.2, 0:32:29, inside
D 10.20.20.0 255.255.255.0 [90/28672] via 10.10.10.2, 0:32:29, inside
ciscoasa# show eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(10.10.10.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.20.20.0 255.255.255.0, 1 successors, FD is 28672
        via 10.10.10.2 (28672/28416), GigabitEthernet0/1
P 10.10.10.0 255.255.255.0, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/1
P 192.168.10.0 255.255.255.0, 1 successors, FD is 131072
        via 10.10.10.2 (131072/130816), GigabitEthernet0/1
P 172.18.124.0 255.255.255.0, 1 successors, FD is 131072
        via 10.10.10.2 (131072/130816), GigabitEthernet0/1
ciscoasa# show eigrp neighbors
EIGRP-IPv4 neighbors for process 10
H   Address         Interface  Hold  Uptime    SRTT  RTO   Q    Seq
                               (sec)           (ms)        Cnt  Num
0   10.10.10.2      Gi0/1      12    00:39:12  107   642   0    1
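The verification above relies on reading the show route output by eye. When the check has to be repeated (after a key change, a distribute-list edit or a failover), it is worth scripting: the expected prefixes must be present, carry the internal EIGRP code D with administrative distance 90, and point to the R1 address on the inside interface. The script below is an added example, not code from this document or from Cisco; it parses a constructed sample modelled on the show route output above and returns one line per expected prefix that is missing, has the wrong code, or was learned from an unexpected next hop. The sample table, the prefix list and the function names are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the "show route" output in this document.
SHOW_ROUTE = """\
Gateway of last resort is 198.51.100.1 to network 0.0.0.0
C    198.51.100.0 255.255.255.0 is directly connected, outside
D    192.168.10.0 255.255.255.0 [90/131072] via 10.10.10.2, 0:32:29, inside
D    172.18.124.0 255.255.255.0 [90/131072] via 10.10.10.2, 0:32:29, inside
C    127.0.0.0 255.255.0.0 is directly connected, cplane
D    10.20.20.0 255.255.255.0 [90/28672] via 10.10.10.2, 0:32:29, inside
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    10.10.20.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
"""

# Matches both "[AD/metric] via NH, age, iface" and "is directly connected, iface" lines.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s+[\d:]+)?,\s+(?P<iface>\S+)"
    r"|is directly connected,\s+(?P<ciface>\S+))"
)


@dataclass
class Route:
    code: str          # routing-table code, e.g. "C", "D", "S*"
    prefix: str        # CIDR form, e.g. "10.20.20.0/24"
    ad: Optional[int]  # administrative distance (None for connected routes)
    metric: Optional[int]
    next_hop: Optional[str]
    iface: str


def parse_show_route(text: str) -> Dict[str, Route]:
    """Turn ASA 'show route' lines into a prefix -> Route map; unrelated lines are skipped."""
    routes: Dict[str, Route] = {}
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        prefix = str(ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False))
        routes[prefix] = Route(
            code=m["code"],
            prefix=prefix,
            ad=int(m["ad"]) if m["ad"] else None,
            metric=int(m["metric"]) if m["metric"] else None,
            next_hop=m["nh"],
            iface=m["iface"] or m["ciface"],
        )
    return routes


def check_eigrp_routes(routes: Dict[str, Route], expected: List[str],
                       neighbor: str, iface: str) -> List[str]:
    """Return one line per expected prefix that is missing, is not an internal EIGRP
    route (code D, AD 90), or was learned from an unexpected next hop or interface.
    An empty list means every expected route is in place."""
    problems: List[str] = []
    for p in expected:
        r = routes.get(p)
        if r is None:
            problems.append(f"{p}: missing from routing table")
        elif r.code != "D" or r.ad != 90:
            problems.append(f"{p}: present but not an internal EIGRP route (code {r.code}, AD {r.ad})")
        elif r.next_hop != neighbor or r.iface != iface:
            problems.append(f"{p}: learned via {r.next_hop} on {r.iface}, expected {neighbor} on {iface}")
    return problems


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    wanted = ["10.20.20.0/24", "172.18.124.0/24", "192.168.10.0/24"]
    report = check_eigrp_routes(table, wanted, "10.10.10.2", "inside")
    for line in report or ["all expected EIGRP routes present"]:
        print(line)
```

If the distribute-list from the route filtering section is applied, the same check reports 192.168.10.0/24 as missing, which is the expected result rather than a fault; keep the expected prefix list in step with the distribute-list so the check does not raise false alarms.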
This is the packet flow.
This section contains information on the debug and show commands that can be used in order to troubleshoot EIGRP problems.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.
This is the output of the debug command when peering with R1 is successful. You can see each of the different routes being installed successfully on the system.
EIGRP-IPv4(Default-IP-Routing-Table:10): Callback: route_adjust GigabitEthernet0/1
DUAL: dest(10.10.10.0 255.255.255.0) not active
DUAL: rcvupdate: 10.10.10.0 255.255.255.0 via Connected metric 2816/0 on topoid 0
DUAL: Find FS for dest 10.10.10.0 255.255.255.0. FD is 4294967295, RD is 4294967295 on topoid 0 found
DUAL: RT installed 10.10.10.0 255.255.255.0 via 0.0.0.0
DUAL: Send update about 10.10.10.0 255.255.255.0. Reason: metric chg on topoid 0
DUAL: Send update about 10.10.10.0 255.255.255.0. Reason: new if on topoid 0
DUAL: dest(10.20.20.0 255.255.255.0) not active
DUAL: rcvupdate: 10.20.20.0 255.255.255.0 via 10.10.10.2 metric 28672/28416 on topoid 0
DUAL: Find FS for dest 10.20.20.0 255.255.255.0. FD is 4294967295, RD is 4294967295 on topoid 0 found
EIGRP-IPv4(Default-IP-Routing-Table:10): route installed for 10.20.20.0 ()
DUAL: RT installed 10.20.20.0 255.255.255.0 via 10.10.10.2
DUAL: Send update about 10.20.20.0 255.255.255.0. Reason: metric chg on topoid 0
DUAL: Send update about 10.20.20.0 255.255.255.0. Reason: new if on topoid 0
DUAL: dest(172.18.124.0 255.255.255.0) not active
DUAL: rcvupdate: 172.18.124.0 255.255.255.0 via 10.10.10.2 metric 131072/130816 on topoid 0
DUAL: Find FS for dest 172.18.124.0 255.255.255.0. FD is 4294967295, RD is 4294967295 on topoid 0 found
EIGRP-IPv4(Default-IP-Routing-Table:10): route installed for 172.18.124.0 ()
DUAL: RT installed 172.18.124.0 255.255.255.0 via 10.10.10.2
DUAL: Send update about 172.18.124.0 255.255.255.0. Reason: metric chg on topoid 0
DUAL: Send update about 172.18.124.0 255.255.255.0. Reason: new if on topoid 0
DUAL: dest(192.168.10.0 255.255.255.0) not active
DUAL: rcvupdate: 192.168.10.0 255.255.255.0 via 10.10.10.2 metric 131072/130816 on topoid 0
DUAL: Find FS for dest 192.168.10.0 255.255.255.0. FD is 4294967295, RD is 4294967295 on topoid 0 found
EIGRP-IPv4(Default-IP-Routing-Table:10): route installed for 192.168.10.0 ()
DUAL: RT installed 192.168.10.0 255.255.255.0 via 10.10.10.2
DUAL: Send update about 192.168.10.0 255.255.255.0. Reason: metric chg on topoid 0
DUAL: Send update about 192.168.10.0 255.255.255.0. Reason: new if on topoid 0
You can also use the debug eigrp neighbor command. This is the output of the debug command when the Cisco ASA successfully establishes a new neighbor relationship with R1.
ciscoasa# EIGRP-IPv4(Default-IP-Routing-Table:10): Callback: route_adjust GigabitEthernet0/1
EIGRP: New peer 10.10.10.2
EIGRP-IPv4(Default-IP-Routing-Table:10): route installed for 10.20.20.0 ()
EIGRP-IPv4(Default-IP-Routing-Table:10): route installed for 172.18.124.0 ()
EIGRP-IPv4(Default-IP-Routing-Table:10): route installed for 192.168.10.0 ()
You can also use debug eigrp packets in order to see the details of the EIGRP message exchange between the Cisco ASA and its peers. In this example, the authentication key on the router (R1) was changed, and the debug output shows that the problem is an authentication mismatch.
ciscoasa# EIGRP: Sending HELLO on GigabitEthernet0/1
AS 655362, Flags 0x0, Seq 0/0 interfaceQ 1/1 iidbQ un/rely 0/0
EIGRP: pkt key id = 1, authentication mismatch
EIGRP: GigabitEthernet0/1: ignored packet from 10.10.10.2, opcode = 5 (invalid authentication)
Any change in the EIGRP distribute list causes the ASA to tear down the EIGRP neighbor relationship. This syslog message appears.
EIGRP neighborship resets with this syslog:
ASA-5-336010: EIGRP-IPv4: PDM(314 10: Neighbor 10.15.0.30 (GigabitEthernet0/0) is down: route configuration changed
With this configuration, the EIGRP neighbor is reset every time an ACL entry is added to the Eigrp-network-list ACL.
router eigrp 10
distribute-list Eigrp-network-list in
network 10.10.10.0 255.0.0.0
passive-interface default
no passive-interface inside
redistribute static
access-list Eigrp-network-list standard permit any
You can observe that the neighbor relationship with the adjacent device is up.
ciscoasa(config)# show eigrp neighbors
EIGRP-IPv4 neighbors for process 10
H   Address         Interface  Hold  Uptime    SRTT  RTO   Q    Seq
                               (sec)           (ms)        Cnt  Num
0   10.10.10.2      Gi0/3      10    00:01:22  1     5000  0    5
ciscoasa(config)# show eigrp neighbors
EIGRP-IPv4 neighbors for process 10
H   Address         Interface  Hold  Uptime    SRTT  RTO   Q    Seq
                               (sec)           (ms)        Cnt  Num
0   10.10.10.2      Gi0/3      13    00:01:29  1     5000  0    5
Now you can add access-list Eigrp-network-list standard deny 172.18.24.0 255.255.255.0.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug eigrp fsm'
%ASA-7-111009: User 'enable_15' executed cmd: show access-list
%ASA-5-111008: User 'enable_15' executed the 'access-list Eigrp-network-list line 1 permit 172.18.24.0 255.255.255.0' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'access-list Eigrp-network-list line 1 permit 172.18.24.0.0 255.255.255.0'
%ASA-7-111009: User 'enable_15' executed cmd: show eigrp neighbors
%ASA-5-336010: EIGRP-IPv4: PDM(599 10: Neighbor 10.10.10.2 (GigabitEthernet0/3) is down: route configuration changed
%ASA-5-336010: EIGRP-IPv4: PDM(599 10: Neighbor 10.10.10.2 (GigabitEthernet0/3) is up: new adjacency
These logs can be seen in debug eigrp fsm.
IGRP2: linkdown: start - 10.10.10.2 via GigabitEthernet0/3
DUAL: Destination 10.10.10.0 255.255.255.0 for topoid 0
DUAL: linkdown: finish
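The two failure signatures in this section, an authentication mismatch reported by debug eigrp packets and an adjacency reset logged as %ASA-5-336010 with the reason "route configuration changed", are easy to pick out of a syslog feed. The script below is an added example, not code from this document or from Cisco; it reads a constructed log modelled on the lines shown above, ties each neighbor-down event to the most recent access-list or distribute-list command logged by %ASA-5-111008 (so an operator can tell an expected reset from an unexplained one), and aggregates repeated invalid-authentication drops per interface and peer. The sample log, the message patterns beyond those quoted on this page, and the function and field names are assumptions for the example.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log, modelled on the syslog and debug lines shown in this document
# (wrapped lines joined; key id and peer addresses are the document's own values).
SAMPLE_LOG = """\
%ASA-5-111008: User 'enable_15' executed the 'access-list Eigrp-network-list line 1 permit 172.18.24.0 255.255.255.0' command.
%ASA-5-336010: EIGRP-IPv4: PDM(599 10: Neighbor 10.10.10.2 (GigabitEthernet0/3) is down: route configuration changed
%ASA-5-336010: EIGRP-IPv4: PDM(599 10: Neighbor 10.10.10.2 (GigabitEthernet0/3) is up: new adjacency
EIGRP: pkt key id = 1, authentication mismatch
EIGRP: GigabitEthernet0/1: ignored packet from 10.10.10.2, opcode = 5 (invalid authentication)
EIGRP: pkt key id = 1, authentication mismatch
EIGRP: GigabitEthernet0/1: ignored packet from 10.10.10.2, opcode = 5 (invalid authentication)
"""

CMD_RE = re.compile(r"%ASA-5-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>.+)' command\.$")
NEIGHBOR_RE = re.compile(
    r"%ASA-5-336010: EIGRP-IPv4: PDM\(\d+ (?P<asn>\d+): Neighbor (?P<peer>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<iface>\S+)\) is (?P<state>up|down): (?P<reason>.+)$"
)
AUTH_RE = re.compile(
    r"EIGRP: (?P<iface>\S+): ignored packet from (?P<peer>\d+\.\d+\.\d+\.\d+), "
    r"opcode = \d+ \(invalid authentication\)"
)
# Commands that change what the distribute-list matches and therefore reset the adjacency.
ROUTE_POLICY_CMDS = ("access-list", "distribute-list")


def triage_eigrp_log(lines) -> List[Dict[str, object]]:
    """Correlate neighbor down events with the preceding route-policy change and
    aggregate authentication failures per (interface, peer)."""
    findings: List[Dict[str, object]] = []
    last_policy_cmd = None
    auth_failures: Counter = Counter()
    for raw in lines:
        line = raw.strip()
        m = CMD_RE.search(line)
        if m:
            if m["cmd"].startswith(ROUTE_POLICY_CMDS):
                last_policy_cmd = f"{m['user']}: {m['cmd']}"
            continue
        m = NEIGHBOR_RE.search(line)
        if m:
            f: Dict[str, object] = {"kind": f"neighbor_{m['state']}", "peer": m["peer"],
                                    "iface": m["iface"], "reason": m["reason"]}
            if m["state"] == "down" and m["reason"] == "route configuration changed":
                # An expected reset has a logged ACL/distribute-list change right before it.
                f["cause"] = last_policy_cmd or "unknown (no preceding ACL/distribute-list change logged)"
            findings.append(f)
            continue
        m = AUTH_RE.search(line)
        if m:
            auth_failures[(m["iface"], m["peer"])] += 1
    for (iface, peer), n in auth_failures.items():
        findings.append({"kind": "auth_mismatch", "peer": peer, "iface": iface, "count": n,
                         "hint": "compare key-id, key string and MD5 mode on both ends of the link"})
    return findings


if __name__ == "__main__":
    for finding in triage_eigrp_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

A neighbor-down event whose cause comes back as unknown deserves attention: the ASA only logs "route configuration changed" for its own policy edits, so a reset with no matching command in the audit trail points at a change made from another session or from the peer side.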
This behavior is seen in all of the newer ASA versions from 8.4 and 8.6 through 9.1. It is also seen in routers that run the 12.4 through 15.1 code trains. However, this behavior is not seen in ASA version 8.2 and earlier ASA software versions, because changes made to the ACL do not reset the EIGRP adjacency.
Because EIGRP sends the full topology table to a neighbor when the neighbor first comes up, and then sends only changes, configuring distribute lists with the event-driven nature of EIGRP makes changes difficult to apply without a full reset of the neighbor relationship. The router would need to keep track of every route sent to and received from a neighbor in order to know which routes have changed (that is, would or would not be sent or accepted) so that it can apply the changes dictated by the current distribute list. It is far easier to simply tear down and re-establish the adjacency.
When the adjacency is torn down and re-established, all learned routes between the specific neighbors are forgotten and the entire synchronization between the neighbors is performed again, with the new distribute list in place.
Most of the EIGRP techniques you use for Cisco IOS router troubleshooting can be applied to the Cisco ASA. In order to troubleshoot EIGRP, use the main troubleshooting flowchart; start with the box labeled Main.
Revision | Publish Date | Comments
---|---|---
1.0 | 13-May-2015 | Initial Release