04-08-2018 12:44 PM - edited 02-21-2020 07:36 AM
I have set up remote access VPN on 6.2.3. I am able to connect from any device, but I am unable to access any internal network. I have the NAT exemptions and networks allowed in the access policy. But the FTD does not redistribute the static route for the VPN network to the switch connected to it. Due to this issue, there is no route to the VPN network from the inside networks.
I am able to find documentation on setting up remote access VPN, and I can find documentation on setting up OSPF, but redistributing static routes doesn't work.
Has anyone successfully set this up?
04-08-2018 05:59 PM
Hi
Can you share your config?
How did you manage the redistribution?
You can create a prefix-list with a route-map and redistribute it into OSPF. The prefix-list would be (let's assume your AnyConnect pool is 192.168.1.0/24):
prefix-list VPN seq 1 permit 192.168.1.0/24 le 32
Or you can create a static route for this complete subnet to Null0 and redistribute it into OSPF.
04-09-2018 12:36 PM
10.10.10.10 is the IP of the inside interface
10.50.0.0/24 is the VPN subnet
router ospf 1
router-id 10.10.10.10
network 10.10.10.10 255.255.255.255 area 0
network 10.50.0.0 255.255.255.0 area 0
no nsf cisco helper
no nsf ietf helper
no capability opaque
no capability lls
log-adj-changes
redistribute static metric-type 1
default-information originate always
!
route Vlan999 0.0.0.0 0.0.0.0 555.555.555.2 1
route Vlan999 10.50.0.0 255.255.255.0 555.555.555.2 1
With this configuration I only get the default route on the switch behind the FTD:
4507R#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.10.10 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.10.10.10, 1w2d, Vlan909
4507R#
04-09-2018 06:25 PM
04-10-2018 06:36 PM
Yes, I can connect a client to the VPN and a separate static route for that client shows up.
I tried creating a static route on the FTD for the VPN network (10.50.0.0/24) but it still does not redistribute static routes to the switch.
> show route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 222.222.222.222 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 222.222.222.222, Vlan999
S 10.50.0.0 255.255.255.0 is directly connected, Null0
V 10.50.0.11 255.255.255.255 connected by VPN (advertised), Vlan999
Thanks again for helping.
04-10-2018 07:01 PM
04-11-2018 06:02 AM
VLAN 999 is the VLAN on the outside interface. VLAN 909 is the inside interface VLAN.
No, the network does not exist in the OSPF database on the switch.
04-11-2018 06:41 PM
04-12-2018 07:01 AM
I had that there to try it. I removed it now because it didn't work.
I have opened a TAC case now, as there might be something else wrong. The engineer is going to reproduce my setup, which is basic Remote Access VPN with the remote access VPN network redistributed into OSPF.
I will let you know if they find anything.
04-12-2018 02:45 PM
The "subnets" checkbox needs to be checked in order to redistribute static routes.
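What that checkbox changes, shown at the CLI level for both the prefix-list/route-map approach suggested earlier in the thread and the Null0 anchor route, as an added example that is not the original poster's configuration or Cisco's documentation. FMC is the only supported way to configure FTD; the lines below are the ASA-style configuration FTD deploys and are written in that syntax. Assumed: AnyConnect pool 10.50.0.0/24, inside interface 10.10.10.10, OSPF process 1 in area 0, and the names VPN-POOL and VPN-TO-OSPF for the prefix-list and route-map, which are arbitrary.

```cisco
! Added example; not the poster's deployed configuration.
! Assumptions: pool 10.50.0.0/24, inside 10.10.10.10, OSPF process 1, area 0.

! --- Weak: what the thread's configuration does ---
! Without "subnets" OSPF redistributes only classful networks. 10.50.0.0/24 is a
! subnet of class A 10.0.0.0/8, so it is skipped silently; the default route still
! reaches the switch only because "default-information originate always" sends it.
router ospf 1
 router-id 10.10.10.10
 network 10.10.10.10 255.255.255.255 area 0
 redistribute static metric-type 1
 default-information originate always

! --- Corrected: anchor the pool, enable subnets, and redistribute only the pool ---
! CLI equivalent of the FMC static route with interface Null0; keeps the pool in the
! routing table as a static route even when no client is connected.
route Null0 10.50.0.0 255.255.255.0

! Restrict what leaks into OSPF. "le 32" also matches the per-client /32 host routes
! (the "V" entries in "show route") if you want those advertised as well.
prefix-list VPN-POOL seq 10 permit 10.50.0.0/24 le 32
route-map VPN-TO-OSPF permit 10
 match ip address prefix-list VPN-POOL

! "subnets" is the FMC "Use Subnets" checkbox. The route-map keeps the outside
! default static route (0.0.0.0/0) out of redistribution; the default still reaches
! the switch via default-information originate, not as an extra E1 external.
router ospf 1
 router-id 10.10.10.10
 network 10.10.10.10 255.255.255.255 area 0
 redistribute static subnets metric-type 1 route-map VPN-TO-OSPF
 default-information originate always
```

To verify, on the FTD run `show route static` (the pool should be listed as S ... Null0) and `show ospf database external` (a Type-5 LSA for 10.50.0.0/24 should now exist); on the switch `show ip route ospf` should show an `O E1 10.50.0.0/24 via 10.10.10.10` entry next to the default route. Redistributing without a route-map is the common shortcut, but once `subnets` is on every static route on the FTD becomes an OSPF external, so restricting the scope to the pool is worth the two extra lines.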