topic Re: Reverse route injection for SSL RA VPN in Network Security

Reverse route injection for SSL RA VPN

AlexFer — Wed, 10 Jul 2019 05:24:21 GMT

Hello experts,

I want to disable RRI for each SSL VPN user, being advertised by EIGRP. The reason is that the subnet is already advertised and I don't see the reason for continuous EIGRP Updates, and of needlessly polluting Routing Table of routers in my network as you see:

router# show ip route | include 10.AAA.BBB.
D EX 10.AAA.BBB.0/24 [170/3072] via 10.101.XXX.YYY, 6d23h, Vlan21
D EX 10.AAA.BBB.29/32 [170/3072] via 10.101.XXX.YYY, 20:38:27, Vlan21
D EX 10.AAA.BBB.34/32 [170/3072] via 10.101.XXX.YYY, 02:55:32, Vlan21
D EX 10.AAA.BBB.35/32 [170/3072] via 10.101.XXX.YYY, 00:00:35, Vlan21
D EX 10.AAA.BBB.36/32 [170/3072] via 10.101.XXX.YYY, 02:55:21, Vlan21
D EX 10.AAA.BBB.37/32 [170/3072] via 10.101.XXX.YYY, 01:28:09, Vlan21
D EX 10.AAA.BBB.38/32 [170/3072] via 10.101.XXX.YYY, 00:00:11, Vlan21

Unlike AnyConnect SSL and Reverse Route Injection, I don't want to change the metric, but rather exclude all /32 advertisements.

I see no direct way of provisioning this (as "set reverse route" was for IPsec), so, what would be best way of achieving this?

R's, Alex

Re: Reverse route injection for SSL RA VPN

GRANT3779 — Wed, 10 Jul 2019 08:07:29 GMT

Hi There,

I don't think you can stop them from being in the routing table of the ASA itself as /32. I believe they are classed as statics.

show route static

If you don't want to advertise the /32s further afield from there you will have to look at what you are doing under the EIGRP process and either stop redistributing statics (if you are) or use some other form of router/redistribution manipulation, e.g prefix lists / route maps. Really depends on the bigger picture of your setup how you should approach it.

Re: Reverse route injection for SSL RA VPN

AlexFer — Thu, 11 Jul 2019 00:00:05 GMT

> ... use some other form of router/redistribution manipulation, e.g prefix lists / route maps.

Indeed, this is what I'm requesting. (I can't imagine I'm the first.)

Something like this?

prefix-list pf_only_non_32 seq 5 permit 10.AAA.BBB.0/24 le 31

route-map rm_only_non_32 permit 10
match ip address prefix-list pf_only_non_32

router eigrp 1
redistribute static route-map rm_only_non_32

Re: Reverse route injection for SSL RA VPN

GRANT3779 — Wed, 10 Jul 2019 09:08:22 GMT

ip prefix-list PF_ANYCONNECT deny 10.AAA.BBB.0/24 ge 32 le 32

route-map rm_only_non_32 permit 10
match ip address prefix-list PF_ANYCONNECT

router eigrp 1
redistribute static route-map rm_only_non_32

I think would work. If you have other statics that you WANT to RD you would need to allow them in the prefix list.

Re: Reverse route injection for SSL RA VPN

AlexFer — Wed, 10 Jul 2019 11:55:37 GMT

Isn’t your Prefix List equivalent to mine, with permit/deny flipped? (I thought I'm taking advantage of implicit/default deny that is applied to unmatched any prefix-list entries).

Re: Reverse route injection for SSL RA VPN

GRANT3779 — Wed, 10 Jul 2019 10:45:16 GMT

Hi,
I misread your initial reply apologies.
I guess it depends on how you are advertising the actual /24.
Is it a case of a static route on a different device pointing to the ASA as next hop? Then advertising the /24 from there?
There will be a few different ways to do this depending on the rest of the setup and what you want to route.

Re: Reverse route injection for SSL RA VPN

AlexFer — Wed, 10 Jul 2019 12:01:37 GMT

There are no static routes to the ASA in adjacent routers - I’m relying on ASA’s EIGRP to advertise route to its VPN assigned IP address space.

I’m open to the best suggestion (but my preference to only change EIGRP configuration on ASA).

Re: Reverse route injection for SSL RA VPN

GRANT3779 — Wed, 10 Jul 2019 13:04:25 GMT

I think the following would allow you to only advertise a /24 from the ASA. Once traffic arrives at the ASA the /32 host routes would be preferred. There will be other ways to achieve the same result.

route null0 10.AAA.BBB.0 255.255.255.0

ip prefix-list PF_ANYCONNECT seq 5 deny 10.AAA.BBB.0/24 ge 32 le 32
ip prefix-list PF_ANYCONNECT seq 10 permit 0.0.0.0/0 le 32

route-map rm_only_non_32 permit 10
match ip address prefix-list PF_ANYCONNECT

router eigrp 1
redistribute static route-map rm_only_non_32

Re: Reverse route injection for SSL RA VPN

AlexFer — Wed, 10 Jul 2019 14:16:11 GMT

I previously proposed:

ip prefix-list pf_only_non_32 seq 5 permit 10.AAA.BBB.0/24 le 31

is it incorrect?

Re: Reverse route injection for SSL RA VPN

GRANT3779 — Wed, 10 Jul 2019 17:05:06 GMT

You would still need to have the /24 in the routing table for it to be sent beyond the ASA if using prefix list.

Re: Reverse route injection for SSL RA VPN

GRANT3779 — Wed, 10 Jul 2019 20:08:28 GMT

Hi Alex,

I have just tested this and works OK

On my LAB ASA I do not have the ability to use route null0 due to the image version I am running. You may have the same issue.

I just added a static route for my whole /24 Anyconnect subnet pointing out one of my physical interfaces to a dummy next hop, just to get the /24 into routing table.

e.g

ROWAN-FW-01(config)# sh run route
route Inside 10.44.66.0 255.255.255.0 1.1.1.2

The rest I configured is below using your own proposal -

route-map RM_RD permit 10
match ip address prefix-list PF_ANYCONNECT

prefix-list PF_ANYCONNECT seq 5 permit 10.44.66.0/24 le 31

router eigrp 10
network 172.16.0.2 255.255.255.255
passive-interface default
no passive-interface Inside
redistribute static route-map RM_RD

My devices within the rest of the network only learn the /24. If I remove the route-map, the learn both /32 and /24.

Hopefully helps you out.

Re: Reverse route injection for SSL RA VPN

AlexFer — Thu, 11 Jul 2019 01:36:38 GMT

Thank you very much.... There's just one more thing...

Currently, there's a large number of /32 static routers already advertised for users that have logged-in into RA VPN Gateway. Once I implement the above filter, no new EIGRP Updates associated will be sent for them (even if I manually issue "no route" for them on the ASA) and those routes will remain in other routers indefinitely.

I don't really want to manually terminate existing VPN sessions (to force EIGRP update before implementing the filter). So, my option seems to issue clear ip eigrp .. neighbors for the ASA's IP address on adjacent router.

Suggestions?

Re: Reverse route injection for SSL RA VPN

GRANT3779 — Fri, 12 Jul 2019 13:27:31 GMT

Hi There,

I'm not sure if when you issue the redistribute command with the filter that everything will be filtered as this may be classed as a routing update, e.g removing existing routes from table so you may not need to clear eigrp neighbour. Once you apply the route-map check the neighbor device routing table to see.

Re: Reverse route injection for SSL RA VPN

AlexFer — Mon, 23 Mar 2020 23:20:16 GMT

Indeed, after implementation, I did NOT need to enter "clear eigrp .. neighbour" - neighbor's topology table reduced (removing RRI routes) within a few minutes.