AnyConnect SSL and Reverse Route Injection

mabrito (Level 1)

I am looking to enable Reverse Route Injection for our AnyConnect SSL clients and clear up a few static IP routes in our environment as we expand and have routing protocols take over. 

 

I guess to start, I am not clear whether RRI is supported for AnyConnect SSL clients. My knowledge of enabling RRI is on the crypto maps, and I am not clear whether AnyConnect SSL uses a crypto map (I think they are only used for IPsec). Clarification here would be very beneficial.

 

If RRI cannot be used for AnyConnect SSL, is the only way to inject the users' AnyConnect SSL routes to redistribute connected routes? I haven't tried this personally yet, but if this is the only way, can I at least attach a route-map of allowed network ranges to the redistribute connected statement?

6 Replies

Bogdan Nita (VIP Alumni)

I believe RRI for AnyConnect is on by default: when a client connects, a route for the /32 of the client's IP shows up in the routing table, which can then be advertised.

You may want to summarize the route, so you could configure a static route, put the network in a route-map and redistribute static.

HTH

Bogdan

So I tried putting in a config today with no success.

I do see this entry in the routing table on the ASA:

V        192.152.4.1 255.255.255.255 connected by VPN (advertised)

I put in the following statements:

prefix-list PL-VPN-NETWORKS description USE THIS RT-map for controlling insertion of AnyConnect VPN Routes
prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27

route-map RM-VPN-RRI permit 10
match ip address prefix-list PL-VPN-NETWORKS
set metric 1200

redistribute static route-map RM-VPN-RRI

You mention putting in a static route. Can you explain this a little further? I am confused about what the static route would look like (and on which interface), since the route is already a /32 in the routing table.

Accepted Solution

I think it is not working because your prefix mask is looking for exactly 192.152.4.0/27, but the routes in the routing table are /32s, so you could modify the prefix list to redistribute routes for single IPs:

prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27 ge 32

or configure a static route for the /27 network:

route outside 192.152.4.0 255.255.255.224 1.1.1.1
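To show why the first prefix list silently matched nothing and the `ge 32` version works, here is an added example (not from the thread or from Cisco) that models IOS/ASA prefix-list matching in Python: an entry `A.B.C.D/L` with no `ge`/`le` matches only routes of exactly length L inside that prefix, `ge N` alone widens the accepted length range to N..32, and `le N` alone to L..N. The parser handles the `prefix-list NAME seq N permit|deny PREFIX [ge G] [le H]` and `description` lines used in the thread; the test routes other than the thread's own 192.152.4.1/32 and 192.152.4.0/27 are constructed for illustration.

```python
# Added example, not from the thread or from Cisco: a small model of
# IOS/ASA prefix-list matching semantics, used to show why the thread's
# original entry "permit 192.152.4.0/27" does not match the /32 host routes
# that AnyConnect reverse route injection installs, while the accepted
# "permit 192.152.4.0/27 ge 32" does. Addresses are the thread's own pool
# (192.152.4.0/27) plus constructed test routes.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                 # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None    # minimum mask length a route may have
    le: Optional[int] = None    # maximum mask length a route may have

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # 1. The route must lie inside the entry's prefix (its first
        #    network.prefixlen bits agree with the entry).
        if not route.subnet_of(self.network):
            return False
        # 2. The route's mask length must be in the allowed range. With
        #    neither ge nor le only an exact length match is accepted;
        #    "ge N" alone means N..32, "le N" alone means prefixlen..N.
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.network.prefixlen
        return lo <= route.prefixlen <= hi


def parse_prefix_list(config: str) -> List[PrefixListEntry]:
    """Parse 'prefix-list NAME seq N permit|deny A.B.C.D/L [ge G] [le H]'
    lines; 'description' lines are ignored, anything else raises."""
    entries = []
    for raw in config.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "prefix-list":
            raise ValueError(f"not a prefix-list line: {raw!r}")
        if len(tokens) > 2 and tokens[2] == "description":
            continue
        if len(tokens) < 6 or tokens[2] != "seq" or tokens[4] not in ("permit", "deny"):
            raise ValueError(f"unsupported prefix-list line: {raw!r}")
        network = ipaddress.IPv4Network(tokens[5], strict=True)
        ge = le = None
        rest = tokens[6:]
        while rest:
            if len(rest) < 2 or rest[0] not in ("ge", "le"):
                raise ValueError(f"bad ge/le clause in: {raw!r}")
            if rest[0] == "ge":
                ge = int(rest[1])
            else:
                le = int(rest[1])
            rest = rest[2:]
        entries.append(PrefixListEntry(int(tokens[3]), tokens[4], network, ge, le))
    return entries


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """Return 'permit' or 'deny' for a route given in CIDR form. Entries are
    tried in sequence order and the first match wins; a route that matches
    nothing hits the implicit deny at the end of every prefix list."""
    target = ipaddress.IPv4Network(route, strict=True)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(target):
            return entry.action
    return "deny"


# The thread's original list (exact /27 only) and the accepted fix (ge 32).
ORIGINAL = """
prefix-list PL-VPN-NETWORKS description USE THIS RT-map for controlling insertion of AnyConnect VPN Routes
prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27
"""
FIXED = """
prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27 ge 32
"""

# Constructed routes: the RRI host route from the thread, a host route from
# outside the pool, and the /27 summary that the static-route option would add.
RRI_HOST_ROUTE = "192.152.4.1/32"
OUTSIDE_HOST_ROUTE = "192.152.5.7/32"
SUMMARY_ROUTE = "192.152.4.0/27"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        entries = parse_prefix_list(cfg)
        for route in (RRI_HOST_ROUTE, OUTSIDE_HOST_ROUTE, SUMMARY_ROUTE):
            print(f"{name:8} {route:18} -> {evaluate(entries, route)}")
```

Two things the model makes visible: the `ge 32` entry keeps the redistribution confined to host routes inside the assigned VPN pool (a host route outside 192.152.4.0/27 still falls through to the implicit deny, which is the control you want on anything fed into the IGP), and it no longer matches the /27 itself, so if you later combine it with the static summary route from the second option, that summary needs its own prefix-list entry or a `ge 27` range rather than `ge 32`.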

The prefix list adjustment did the trick!

That ge 32 is a smart trick!
I will consider this when migrating to OSPF as the on-site IGP.

Thank you very much for the prefix-list trick. I was puzzling over this myself and this forum post came up in my Google search. It's now working fine for me!
