VPN networks added to routing table ASA 5505's

Alan Herriman
Level 1

Hello,

This is probably a very simple question to answer. Are there supposed to be routes added to the ASA routing table for networks on a site-to-site VPN? I set a L2L VPN up in the lab and I am not seeing this happen. Traffic flows between the two networks correctly, but I expected to see new routes pointing at my default gateway.

Best regards,

Alan

5 Replies

Jouni Forss
VIP Alumni

Hi,

I am not 100% sure on how the ASA behaves (without refreshing my memory) but I think Client VPN get their IP address added as a static route always on the ASA.

If the routes are not showing up as Static (S) routes on your ASA then you can add this configuration to the "crypto map" configurations for the connections you want.

crypto map set reverse-route

This should add the routes based on the VPN configurations.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi Jouni,

Thanks for the quick reply. It was actually another engineer that told me I should see new static routes to VPN subnets set on the outside interface with the outside interface next hop. I want to determine for myself if this is the expected behavior or if that requires some kind of reverse route injection.

From my testing so far I have not seen such routes. Would you happen to know which behavior is expected or be able to point me to some documentation that would detail that?

Hi,

Here is the Command Reference section on the command I mentioned. Its default setting is OFF

http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478777

This quote from a document regarding RRI / Reverse Route Injection seems to confirm what I said about the VPN Client host IP routes being installed even without RRI

Routing Table Output Before RRI is Enabled in the ASA

Note: Assume the VPN tunnel is established by a remote mobile user, and 192.168.105.1 is the assigned IP address by ASA.

ASA Routing Table

ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.105.1 255.255.255.255 [1/0] via 172.16.1.1, outside
C    192.168.212.0 255.255.255.0 is directly connected, insi
C    172.16.1.0 255.255.255.0 is directly connected, outside
S    10.5.5.0 255.255.255.0 [1/0] via 172.16.1.1, outside
O    10.2.2.1 255.255.255.255 [110/11] via 192.168.212.3, 2:09:24, insi
O    10.1.1.1 255.255.255.255 [110/11] via 192.168.212.2, 2:09:24, insi

Tip: Even if RRI is not configured, the static route of the connected client is injected into the routing table of the VPN server (ASA/PIX). However, it is not redistributed to the internal router, which runs dynamic routing protocols, such as OSPF, EIGRP (if you run ASA 8.0).

So seems that in the case where you are running a routing protocol between the ASA and some router you would have to enable RRI for the VPN Client also.

Source:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml#bef

Hope this helps

- Jouni
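As an added check (not code from this thread or from Cisco), the following Python parses "show route" output in the format quoted above and lists which crypto map remote networks still lack a static route out of the outside interface, before and after reverse-route is set. The route samples and the 10.5.5.0/24 and 10.7.7.0/24 remote networks are constructed for the example.

```python
import re

# Constructed "show route" excerpts in the format quoted in this thread (not
# captured from a real ASA); 10.5.5.0/24 and 10.7.7.0/24 stand in for the
# remote networks of two site-to-site crypto map entries.
SHOW_ROUTE_BEFORE_RRI = """\
Gateway of last resort is not set

S    192.168.105.1 255.255.255.255 [1/0] via 172.16.1.1, outside
C    192.168.212.0 255.255.255.0 is directly connected, inside
C    172.16.1.0 255.255.255.0 is directly connected, outside
S    10.5.5.0 255.255.255.0 [1/0] via 172.16.1.1, outside
O    10.2.2.1 255.255.255.255 [110/11] via 192.168.212.3, 2:09:24, inside
"""
SHOW_ROUTE_AFTER_RRI = SHOW_ROUTE_BEFORE_RRI + \
    "S    10.7.7.0 255.255.255.0 [1/0] via 172.16.1.1, outside\n"

# Route code(s), network and mask at the start of a route line; legend and
# banner lines do not match because they are indented or carry no mask.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2}(?:\s(?:IA|E1|E2|N1|N2))?)\s+"
    r"(?P<net>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})\b"
)

def parse_show_route(text):
    """Parse route lines into dicts: code, network, mask, next_hop, interface."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        via = re.search(r"\bvia (\d+(?:\.\d+){3})", line)  # absent on C routes
        routes.append({
            "code": m.group("code"),
            "network": m.group("net"),
            "mask": m.group("mask"),
            "next_hop": via.group(1) if via else None,
            "interface": line.rsplit(",", 1)[-1].strip(),
        })
    return routes

def missing_vpn_routes(show_route_text, remote_networks, outside_iface="outside"):
    """Return the (network, mask) pairs of the crypto map's remote side that have
    no static (S) route out of the outside interface, i.e. the routes that
    'set reverse-route' is expected to inject."""
    present = {
        (r["network"], r["mask"])
        for r in parse_show_route(show_route_text)
        if r["code"] == "S" and r["interface"] == outside_iface
    }
    return [net for net in remote_networks if net not in present]
```

Feed it the real "show route" text from the ASA and the remote networks of each crypto map entry; an empty result after enabling reverse-route confirms the injection worked.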

Hi jouni:-

Alan is running an L2L or site-to-site VPN, and RRI does not work with site-to-site; it is purely a feature of Remote Access VPN. In site-to-site VPN both VPN sites follow their own static or default route to communicate with each other.

I will be happy if you guys correct me.

Thanks a lot

Hi,

Well the Cisco document pretty much states it

Background Information

Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN Clients or LAN-to-LAN sessions.

Here is also one discussion where I specifically tested this for a user

https://supportforums.cisco.com/thread/2244640?tstart=180

- Jouni