Cisco ASA OSPF Distinct Networks

kleinhhl
Level 1

We have a Cisco Firepower 2110 running ASA 9.16. Remote VPN users log in to the ASA via AnyConnect and receive an IP address from a VPN pool depending on whether they are in a certain Active Directory group.

VPN users log in with different user names to access three different networks. These are separate and distinct networks that don't have any interconnections. The Cisco ASA is the only point at which they meet.

I am trying to use OSPF to distribute the VPN user's IP address to each network. The VPN user's IP address is from a different pool depending on which username they use to log in, as stated above.

Cisco ASA can support two OSPF processes. How do I keep the route distributions separate for each of the three networks connecting to the ASA? I believe I can keep two networks separate by running two processes? But how do I handle the third network? A different area within one of the OSPF processes? Or by using OSPF route filtering?
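As an added illustration of the "two processes plus filtering" option raised in the question (this is example configuration written for this page, not from the thread or from Cisco documentation; interface names, addresses, pool ranges and the Null0 aggregate-route technique are assumptions to verify on your own box with `show route` and `show ospf neighbor`):

```cisco
! ASA single-context sketch: networks A and B each get their own OSPF process.
! A process only advertises its own pool because "redistribute static" is
! gated by a route-map, and neither process redistributes the other.

interface GigabitEthernet1/2
 nameif net-a
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 KEY-FOR-NET-A-ONLY

interface GigabitEthernet1/3
 nameif net-b
 security-level 50
 ip address 192.168.20.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 KEY-FOR-NET-B-ONLY

ip local pool POOL-NET-A 10.100.1.1-10.100.1.254 mask 255.255.255.0
ip local pool POOL-NET-B 10.100.2.1-10.100.2.254 mask 255.255.255.0

! Assumed technique: an aggregate route to Null0 puts each whole pool in the
! RIB as a static route that OSPF can redistribute; connected clients still
! get their more-specific host routes, so their traffic is not dropped.
route Null0 10.100.1.0 255.255.255.0
route Null0 10.100.2.0 255.255.255.0

! Standard ACLs select which static routes each process may redistribute.
access-list POOL-A-ONLY standard permit 10.100.1.0 255.255.255.0
access-list POOL-B-ONLY standard permit 10.100.2.0 255.255.255.0

route-map RM-OSPF1-STATIC permit 10
 match ip address POOL-A-ONLY
route-map RM-OSPF2-STATIC permit 10
 match ip address POOL-B-ONLY

router ospf 1
 router-id 192.168.10.1
 network 192.168.10.0 255.255.255.0 area 0
 redistribute static subnets route-map RM-OSPF1-STATIC

router ospf 2
 router-id 192.168.20.1
 network 192.168.20.0 255.255.255.0 area 0
 redistribute static subnets route-map RM-OSPF2-STATIC
```

Two checks worth doing after applying something like this: on a router in network A, `show ip route ospf` should list 10.100.1.0/24 and not 10.100.2.0/24 (and vice versa in network B); and `show ospf neighbor` on the ASA should show adjacencies only on the interface each process owns, which the per-network MD5 keys also enforce. Note that filtering only controls what is advertised: both interfaces still share the ASA's single routing table, so the ASA itself will forward between them unless an ACL or vpn-filter says otherwise.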

4 Replies

You can do this:
ASA - R/L3SW
In the R/L3SW, configure three static routes:
ip route VPN-Pool-1 ASA
ip route VPN-Pool-2 ASA
ip route VPN-Pool-3 ASA

Then, if you run OSPF in the R/L3SW, redistribute the three static routes.

For isolation, doing that with routing means you need to run virtual networks across your whole topology.
Try instead using an ACL to filter traffic between the VPN pools.
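The reply above in concrete form, as an added example that is not part of the original post: the third network's L3 switch learns the pool by static route and advertises it itself (so the ASA needs no third OSPF process), and isolation between pools is done with a per-group vpn-filter on the ASA rather than with routing. Addresses, names and the AD-group-to-group-policy mapping are assumptions; verify the vpn-filter direction with `packet-tracer` on your own unit.

```cisco
! --- R/L3SW for network C (Cisco IOS syntax) ---
! 192.168.30.0/24 is the assumed transit link to the ASA's net-c interface
! (ASA 192.168.30.1, switch 192.168.30.2); 10.30.0.0/16 is network C itself.
ip route 10.100.3.0 255.255.255.0 192.168.30.1 name vpn-pool-c-via-asa

! Only the pool prefix may leak from static into OSPF.
ip prefix-list PL-VPN-POOL-C seq 5 permit 10.100.3.0/24
route-map RM-STATIC-TO-OSPF permit 10
 match ip address prefix-list PL-VPN-POOL-C

router ospf 1
 router-id 192.168.30.2
 network 192.168.30.0 0.0.0.255 area 0
 network 10.30.0.0 0.0.255.255 area 0
 redistribute static subnets route-map RM-STATIC-TO-OSPF

! --- ASA: per-group isolation with vpn-filter ---
! Interface ACLs do not apply to VPN traffic while "sysopt connection
! permit-vpn" (the default) is in effect; a vpn-filter in the group-policy
! is enforced regardless. Rules are written from the client side:
! source = assigned pool, destination = the one network that group may reach.
ip local pool POOL-NET-C 10.100.3.1-10.100.3.254 mask 255.255.255.0

access-list VPNF-NET-C extended permit ip 10.100.3.0 255.255.255.0 10.30.0.0 255.255.0.0
access-list VPNF-NET-C extended deny ip any any

group-policy GP-NET-C internal
group-policy GP-NET-C attributes
 address-pools value POOL-NET-C
 vpn-filter value VPNF-NET-C
```

Repeat the group-policy block per AD group with its own pool and its own vpn-filter. The explicit `deny ip any any` is redundant with the ACL's implicit deny but makes hits on `show access-list VPNF-NET-C` visible when a user from pool C tries to reach networks A or B.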

Hello
If FTD supports VRFs, then you can segregate the three networks so as to have them running within their own isolated RIB tables.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

kleinhhl
Level 1

Thanks for the responses... I'll review this information and see what the best way to proceed is...
