Cisco ASA 5505 Configuration Manual page 386

Asa 5500 series

Information About OSPF
The adaptive security appliance can run two OSPF processes simultaneously, on different
sets of interfaces. You might want to run two processes if you have interfaces that use the same IP
addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or
you might want to run one process on the inside, and another on the outside, and redistribute a subset of
routes between the two processes. Similarly, you might need to segregate private addresses from public
addresses.
You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP
routing process, or from static and connected routes configured on OSPF-enabled interfaces.
The adaptive security appliance supports the following OSPF features:
- Support of intra-area, interarea, and external (Type I and Type II) routes.
- Support of a virtual link.
- OSPF LSA flooding.
- Authentication of OSPF packets (both password and MD5 authentication).
- Support for configuring the adaptive security appliance as a designated router or a designated
  backup router. The adaptive security appliance also can be set up as an ABR.
- Support for stub areas and not-so-stubby-areas.
- Area boundary router Type-3 LSA filtering.
OSPF supports MD5 and clear text neighbor authentication. Authentication should be used with all
routing protocols when possible because route redistribution between OSPF and other protocols (like
RIP) can potentially be used by attackers to subvert routing information.
If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then
you need to run two OSPF processes—one process for the public areas and one for the private areas.
A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts
as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols
is called an Autonomous System Boundary Router (ASBR).
An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR Type
3 LSA filtering, you can have separate private and public areas with the adaptive security appliance
acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to another. This lets you
use NAT and OSPF together without advertising private networks.
Note: Only Type 3 LSAs can be filtered. If you configure the adaptive security appliance as an ASBR in a
private network, it will send Type 5 LSAs describing private networks, which will get flooded to the
entire AS including public areas.
If NAT is employed but OSPF is only running in public areas, then routes to public networks can be
redistributed inside the private network, either as default or Type 5 AS External LSAs. However, you
need to configure static routes for the private networks protected by the adaptive security appliance.
Also, you should not mix public and private networks on the same adaptive security appliance interface.
You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process
running on the adaptive security appliance at the same time.
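
The checks below are an added example, not part of the Cisco guide: a small audit that reads the `router ospf` blocks of a saved configuration and flags the three conditions this section warns about (an area without MD5 authentication, an ASBR in a process that mixes private and public networks, and such a process with no Type 3 LSA filter). The sample configuration, the prefix-list name, the finding labels and the function names are constructed for illustration, and only area-level authentication is inspected, so interface-level `ospf authentication` settings are not seen.

```python
import ipaddress

# Constructed running-config excerpt in ASA CLI syntax; all values are sample data.
SAMPLE_CONFIG = """\
router ospf 1
 network 10.1.1.0 255.255.255.0 area 1
 network 198.51.100.0 255.255.255.0 area 0
 area 0 authentication message-digest
 area 1 authentication
 redistribute static subnets
router ospf 2
 network 192.168.5.0 255.255.255.0 area 0
 network 203.0.113.0 255.255.255.0 area 1
 area 0 authentication message-digest
 area 1 authentication message-digest
 area 0 filter-list prefix HIDE-PRIVATE out
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_processes(config):
    """Collect networks, area authentication, filtering and redistribution per OSPF process."""
    procs, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["router", "ospf"] and len(words) == 3:
            cur = procs.setdefault(words[2], {"nets": [], "auth": {}, "redist": False, "filtered": False})
        elif not line.startswith(" "):
            cur = None  # any other top-level line ends the router block
        elif cur is not None and words:
            if words[0] == "network" and len(words) == 5:
                cur["nets"].append((ipaddress.ip_network(f"{words[1]}/{words[2]}"), words[4]))
            elif words[0] == "area" and words[2:3] == ["authentication"]:
                cur["auth"][words[1]] = "md5" if "message-digest" in words else "clear"
            elif words[0] == "area" and words[2:4] == ["filter-list", "prefix"]:
                cur["filtered"] = True
            elif words[0] == "redistribute":
                cur["redist"] = True
    return procs

def audit(config):
    """Return sorted (process id, finding) pairs for the risks this section names."""
    findings = []
    for pid, p in parse_processes(config).items():
        areas = sorted({area for _, area in p["nets"]})
        findings += [(pid, f"no-md5-auth area {a}") for a in areas if p["auth"].get(a) != "md5"]
        private = [any(net.subnet_of(r) for r in RFC1918) for net, _ in p["nets"]]
        mixed = any(private) and not all(private)
        if mixed and p["redist"]:
            findings.append((pid, "asbr-type5-leak"))  # Type 5 LSAs cannot be filtered
        if mixed and not p["filtered"]:
            findings.append((pid, "no-type3-filter"))
    return sorted(findings)
```

Process 2 in the sample passes because both areas use MD5 authentication and a Type 3 filter list is applied; process 1 trips all three checks.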
Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 21: Configuring OSPF, page 21-2, OL-20339-01


This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580