Redistribute static/connected into ospf on ASA5540

Hi,

I have ASA5540 which is working as a VPN server. I want to redistribute all the connected VPN users into network. I have configured below configuration on ASA5540 but unable to see redistributed network on neighbour routers.

router ospf 1
router-id 192.168.1.1
network 192.168.1.1 0.0.0.0 area 0

network 192.168.2.1 0.0.0.0 area 1

network 192.168.3.1 0.0.0.0 area 3

redistribute static subnets
redistribute connected subnets

Please help me.

Regards,

Arsalan


IAN WHITMORE
Level 4

Are you sure the OSPF neighbors are up correctly? What messages do you see in the log on the ASA and/or routers?

Here is a guide:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a417a.shtml

Regards,

Ian

Please rate if I helped.

Thanks for your reply.

Definitely, the OSPF neighbours are working fine; in fact OSPF is working perfectly fine throughout the network. I want the ASA to redistribute all the VPN dynamic routes back into the network, as I have done the required configuration on the ASA.

Is there any other way to redistribute static/connected on the ASA?

Please let me know if you understand the scenario, and feel free to ask questions.

Waiting for your reply.

ALLAH HAFIZ

Well without seeing the config it's hard to tell.

Could it be that the VPN routes are being NAT'ed on the ASA and therefore not redistributed?

Are the VPN routers correctly advertised on the ASA?

Maybe you need to add some kind of NAT exemption for the OSPF VPN routes. Like I said, without seeing the config it's a shot in the dark.

And here is another guide that might help using a route map to redistribute on the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

Hope this helps.

Regards,

Ian

Please rate if I helped.

IAN WHITMORE
Level 4

And finally something else I found. It's not mine so I can't take credit for it:

When configuring an ASA for VPN tunnels I like to use the "Reverse Route Injection" feature. This feature automatically installs static routes to destinations defined in your Site-to-Site VPN profiles.

That makes it very easy to automatically inject routes to VPN sites into the routing protocol used on the internal network.

The way I've done it below is simple but powerful. Every time a new Site-to-Site VPN comes up, the routes are automatically redistributed.

***Note - It was necessary to filter the default static route from the redistribution because it also points to the "outside" interface. The default static route is only for use in routing traffic that flows through this ASA. It must not be redistributed to the internal network.

Configuration:

access-list filter-default-static-route remark filter static default route from OSPF Redistribution
access-list filter-default-static-route standard deny host 0.0.0.0

route-map vpn-routes permit 10
match ip address filter-default-static-route

route-map vpn-routes permit 20
match interface outside
set metric-type type-2

router ospf 1
router-id 192.168.1.1
network 192.168.1.0 255.255.255.0 area 0
redistribute static subnets route-map vpn-routes

I think it is essentially the same as the link I posted above.

Regards,

Ian

Hi Ian,

Thank you so much for the quick replies; I hope the info you have provided will be helpful.

Is a route map mandatory for redistribution on the ASA?

If I have configured

router ospf 1
router-id 192.168.1.1
network 192.168.1.1 0.0.0.0 area 0

network 192.168.2.1 0.0.0.0 area 1

network 192.168.3.1 0.0.0.0 area 3

redistribute static subnets
redistribute connected subnets

so why is the ASA not redistributing static and connected? (I do not have a default route on the ASA.)

I will test your suggestion on the next working day and am also waiting for your reply.

Thank you so much.

Best Regards

Arsalan

It is for reverse route injection (RRI) because the routes are not static nor connected. They only "appear" when the client connects to VPN, i.e. they are dynamic.

Regards,

Ian

Please rate if I helped.
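Putting the two answers above together (RRI to install the client routes, then a filtered redistribution into OSPF 1), here is an added configuration example that is not from any post in this thread; the crypto map, dynamic map, ACL and route-map names are assumed, and the OSPF router-id and network match the original question.

```cisco
! Reverse Route Injection on the dynamic crypto map used by remote-access
! IPsec clients: when a client connects, the ASA installs a static host
! route for its assigned address, pointing at the outside interface.
crypto dynamic-map RA-DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Only the RRI host routes should reach OSPF. A static default route
! also points out of the outside interface, so exclude it explicitly
! and permit everything else (a standard ACL with only a deny would
! match nothing in the route-map).
access-list RRI-ROUTES standard deny host 0.0.0.0
access-list RRI-ROUTES standard permit any

route-map RRI-TO-OSPF permit 10
 match ip address RRI-ROUTES
 match interface outside
 set metric-type type-2

router ospf 1
 router-id 192.168.1.1
 network 192.168.1.0 255.255.255.0 area 0
 ! RRI routes are static, so "redistribute static" is what picks them up;
 ! the route-map keeps the default route out of the internal network.
 redistribute static subnets route-map RRI-TO-OSPF
```

After a client connects, "show route" should list its assigned address as a static host route and "show ospf database external" on a neighbour should show it as a type-2 external LSA; if it does not, the route-map filter is the first place to look.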

Okay, if it is particular to the ASA, as I have not used a route-map on the "secure port adapter" (SPA) on a 6500 chassis, and it redistributes the VPN clients' IP addresses by simply redistributing static/connected.

Thank you once again.

Best regards,

Arsalan