OSPF - How to handle VPN pool subnet?

dkraut
Level 1

Hi All, hopefully someone can point me in the right direction here...  I recently set up a Cisco ASA VPN at our colo for remote users, which is working fine for local subnet access.  However, I cannot connect to resources at remote sites across the WAN.  I've narrowed down the problem to routing since I see ping requests being sent, but I'm never getting a reply.  The issue is that I use OSPF to advertise my WAN routes, but the ASA VPN gives out addresses from an isolated pool inside the ASA (10.10.131.x/24).  The 10.10.131.x network is not used anywhere else and thus not advertised in OSPF, so remote sites have no idea how to route back to the originating VPN client (e.g., 10.10.131.50).  So my question is, how do you insert a route into OSPF for which there is no actual interface that is up?  I need to advertise 10.10.131.0 0.0.0.255 as coming from the colo, but how?  I'm thinking the answer may be to simply create a loopback interface on the L3 switch at the colo, assign it 10.10.131.1 and then add "network 10.10.131.0 0.0.0.255" to my router ospf 1 instance?  Does this sound like the correct approach?

Accepted Solution

Edison Ortiz
Hall of Fame

Create an IP route on the router connected to the ASA and redistribute that static route into OSPF.

5 Replies

Thanks Edison!  That did the trick!

To possibly help others, here's what I did.

On the L3 switch at the colo:

! this line will create the static route from the ASA VPN pool to the inside interface of the ASA
conf t
ip route 10.10.131.0 255.255.255.0 10.30.0.1
!
! this will redistribute the static route into OSPF
! if using classful routes, use "redistribute static"; if using classless, use "redistribute static subnets"
router ospf 1
redistribute static subnets

That's it!  Check the routes on your far-end devices using "show ip route ospf" and you should now see the route back to the VPN pool, and traffic should flow as expected to/from VPN clients.

Thanks again Edison!!

dkraut
Level 1

Wanted to add a caveat to this thread.  Be careful when adding the "redistribute static" or "redistribute static subnets" command in an OSPF environment.  Carefully consider any existing static routes on that device, because they will be advertised via OSPF as local to that device!  For example, say you have a floating static route on the device that is used as a secondary path to an ASA L2L tunnel in case the main link were to go down (e.g., on your device you have "ip route 10.10.10.0 255.255.255.0 10.30.0.2 200").  Now, even though 10.10.10.0/24 may be a remote site, OSPF will advertise that route and tell its neighbors that it has 10.10.10.0/24.  This will make for some really fun troubleshooting down the road.  I learned this the hard way.

Now I'm back to the drawing board for my remote access VPN issue.  A new VLAN is looking like a better solution...

I think what you can do is create a route map, filter your static routes with an ACL, and then redistribute into OSPF.

Sonain

Sonain's post should be the one marked as the solution.

You will create a prefix list, then a route map, then under the OSPF process:

redistribute static subnets route-map "route_map_name"
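As an added example (not posted by anyone in this thread), here is what the filtered redistribution from the last two replies looks like on the colo L3 switch, using the prefixes already discussed in the thread; the prefix-list and route-map names are made up. The floating static from the caveat above is included only to show that the route map leaves it out of OSPF.

```ios
! Static routes on the colo L3 switch (both taken from this thread)
! Route for the ASA remote-access VPN pool, pointing at the ASA inside interface
ip route 10.10.131.0 255.255.255.0 10.30.0.1
! Floating static backup path toward a remote site via an ASA L2L tunnel;
! this one must NOT leak into OSPF as if the colo owned 10.10.10.0/24
ip route 10.10.10.0 255.255.255.0 10.30.0.2 200
!
! Prefix list naming exactly the static prefixes we want in OSPF.
! Everything not permitted here is dropped by the implicit deny at the end.
ip prefix-list STATIC-TO-OSPF seq 10 permit 10.10.131.0/24
!
! Route map used as the redistribution filter. A single permit clause
! matching the prefix list; a prefix that matches no clause is not redistributed,
! so 10.10.10.0/24 stays local to this device.
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list STATIC-TO-OSPF
!
! Redistribute only the filtered static routes as OSPF externals.
! "subnets" is required so the /24 is not suppressed as a non-classful prefix.
router ospf 1
 redistribute static subnets route-map STATIC-TO-OSPF
!
! Verification on this device:
!   show route-map STATIC-TO-OSPF          (match counters increment for the pool prefix)
!   show ip prefix-list STATIC-TO-OSPF
! Verification on a remote OSPF router:
!   show ip route ospf                      (expect an O E2 entry for 10.10.131.0/24,
!                                            and no entry for 10.10.10.0/24 from the colo)
```

If more static prefixes must be redistributed later, add them as further permit sequences in the prefix list rather than widening the match, so the default stays "deny unless listed".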