Anyconnect makes static routes with a mask of 32 bits

Sergey Prishchepa · ‎11-26-2015

Hello!

We use AnyConnect VPN and have a problem. When esteblishing connection ASA makes a static route for client PC with a mask of 32 bits. How to disable it or make a large mask?

Richard Bradfield · ‎11-26-2015

As far as I am aware that is the way it works. The AnyConnect client gets an IP address from the ASA and as it is a host it has a 32 bit mask. What are you trying to acheive?

Sergey Prishchepa · ‎11-27-2015

Yes, a clients receive IP address with a mask of 32 bits, and the ASA create a static route in the routing table, example, "S 192.168.33.64 255.255.255.255 [1/0] via 1.1.1.1, outside".

We use and Cisco VPN, it also creates static route for each PC, but these routes are not redistributed over EIGRP.

Richard Bradfield · ‎11-27-2015

What I do is have a static route for 192.168.33.0 255.255.255.0 on the internal switch connected to the ASA pointing to the ASA, and redistribute the static in EIGRP

Sergey Prishchepa · ‎11-30-2015

I have a static route for 192.168.33.0 255.255.255.0 on the ASA and redistribute it, but when set vpn the ASA create a static route with a mask of 32 bit and redistribute it.

It looks like it can only be solved filters.

lamodadotru · ‎10-20-2016

Hello, Sergey.

You can redisribute your vpn pool aggregated routes from ASA itself using route-map to filter unwanted /32 routes

Look at this config:

prefix-list pref-static-to-eigrp1 seq 5 permit 192.168.33.0/24

route-map rm-static-to-eigrp1 permit 10
match ip address prefix-list pref-static-to-eigrp1

router eigrp 1
eigrp stub redistributed !!! Only announce redistributed routes
network 192.168.1.1 255.255.255.255 !!! Inside link
redistribute static route-map rm-static-to-eigrp1 !!! Allow only route 192.168.33.0/24 to be redistributed