topic Re: ASA5510 Reverse Route Injection in Network Security

ASA5510 Reverse Route Injection

Scott Pickles — Mon, 11 Mar 2019 16:52:59 GMT

ASA version 8.2

I ran the IPsec wizard on my 5510 for remote access. It would seem that by default ISAKMP is enabled on both the inside and outside interfaces. Furthermore, my default dynamic crypto map is enabled on both the inside and outside interfaces. I would like to enable RRI for pools of addresses assigned to my remote workers. Right now I have static routes - I'd ideally like RRI and redistribution. Enabling RRI fails due to the fact that the dynamic mapping exists on multiple interfaces. When I try to delete the map from the inside interface, it deletes the outside map as well. So my questions are these:

1. Should I have ISAKMP enabled on my inside interface if I'm terminating my VPN tunnels on the outside interface?

2. Is having ISAKMP enabled on the inside interface the reason why deleting the dynamic crypto map on the inside interface also deletes it from the outside interface? (this occurs in the ASDM, haven't tried it on the CLI).

I can concede that I may have to configure this manually on the CLI as opposed to wizards due to the advanced configuration to enable RRI. Any thoughts/suggestions would be appreciated.

Regards,
Scott

Re: ASA5510 Reverse Route Injection

Scott Pickles — Fri, 01 Jan 2010 01:40:34 GMT

I couldn't wait - I disabled ISAKMP and the dynamic map on the inside interface. I was able to configure RRI on the outside interface. I see the static entry on the ASA for the reverse route, but it doesn't appear in the EIGRP topology table. And without it showing up in the topology table, it's not being advertised to neighbors. Now what?

Regards,
Scott

Re: ASA5510 Reverse Route Injection

Kureli Sankar — Fri, 01 Jan 2010 03:07:54 GMT

Scott,

Pls. refer this link below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

The link will talk about ospf.

I did a quick research but didn't find any known issues with RRI and redistribution in 8.2.x code.

-KS

Re: ASA5510 Reverse Route Injection

loizosko — Fri, 19 Nov 2010 05:03:47 GMT

i configured RRI on my asa for a site to site vpn tunnel. however when the tunnel is down the route is still advertised to the network therefore preventing it from going via our altrenative path.

does anybody know how to stop redistributing a remote subnet when the tunnel is down?

Re: ASA5510 Reverse Route Injection

apothula — Fri, 19 Nov 2010 08:43:03 GMT

Hi,

You could use SLA monitoring to help your purpose for L2L VPN's.

Instead of using RRI, you could configure a static route to the remote network via your primary link and a back route to the remote network via your back link.

Configure SLA tracking on the primary route. This should bring your back up route up if the VPN tunnel is down.

Be sure to ping a host in the remote private network for the SLA tracking,

type echo protocol ipIcmpEcho 10.0.0.1 interface outside

10.0.0.1 being a device in the remote network at the other end of the VPN tunnel.

Let me know if you have any questions.

Cheers,

Nash.

Re: ASA5510 Reverse Route Injection

loizosko — Fri, 19 Nov 2010 13:32:11 GMT

this might be a problem since the remote host will respond to icmp going via the backup link.

Re: ASA5510 Reverse Route Injection

apothula — Fri, 19 Nov 2010 13:56:16 GMT

The backup link would not have the same ingress interface as the Primary link. Would it ?

If so we got a problem.

Cheers,

Nash.

Re: ASA5510 Reverse Route Injection

loizosko — Fri, 19 Nov 2010 14:00:10 GMT

the backup link will be from the inside interface. coming off lets say mpls network or another vpn device.

the primary link will be from vpn.

i don't think you can specify a route just to go from a vpn, can you?

Re: ASA5510 Reverse Route Injection

apothula — Fri, 19 Nov 2010 15:06:41 GMT

Consider this set up,

X Y

MPLS---Inside Network---- ASA---Outside/Internet---VPN Tunnel---- ASA/Router----Remote Site network

To get to the Remote site via the VPN tunnel, you obviously need to take the default route.

So, you could add a route to the remote site Network with the internet gateway on the ASA as the next hop.

Something like,

route outside 172.16.10.0 255.255.255.0 64.54.44.34 , 64.54.44.34 being the internet gateway on the ASA.

Cheers,

Nash.