cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
433
Views
0
Helpful
1
Replies

Dynamic routing protocol between ASAs over ipsec L2L?

3moloz123
Level 1
Level 1

I wonder if there is any possibility to form a neighborship between two ASAs over an ipsec site-to-site. The ASAs are in the picture named "office" and "DC". In reality there's +40 subnets, and is often the subject to human error. The DC ASA often get new routes to remote network, either over l2l or physically connected or otherwise routed. I now wonder if there is a possiblity to run OSPF or EIGRP, or similar, across a l2l tunnel so that I would only have to add routing at the DC location, and of course proper access-lists, and those routes would propagate out to the office and possibly other branches.

After some googling, I think it seems not doable at least with OSPF - but Im not sure. I hope the picture makes more sense then my explanation.

My objective is, in short:

Be able to add or learn a route for DC ASA, and have that propagated to office. without tunnel everything or all rfc1918s (the office asa does have other remote location, so a generic rfc1918 object would not be suitable to the DC ASA).

Thanks in advance

1 Reply 1

Hello.

It's not possible to run OSPF or EIGRP in your case.

I guess BGP could help you, but ASA doesn't support it.

I also think, that even if wou ran dynamic protocol, you would face an issue with encryption ACL.

Per my understanding the best soultion would be to use sinlge summary for all the subnets you allocate per site.

Review Cisco Networking for a $25 gift card