04-06-2018 08:06 AM - edited 03-12-2019 05:10 AM
I am looking to enable Reverse Route Injection for our AnyConnect SSL clients and clear up a few static IP routes in our environment as we expand and have routing protocols take over.
I guess to start, I am not clear whether RRI is supported for AnyConnect SSL clients. My knowledge of enabling RRI is on the crypto maps, and I am not clear whether AnyConnect SSL uses a crypto map (I think those are only used for IPsec). Clarification here would be very beneficial.
If RRI cannot be used for AnyConnect SSL, is the only way to inject the users' AnyConnect SSL routes to redistribute connected routes? I haven't tried this personally yet, but if this is the only way, can I at least place a route map of allowed network ranges on the redistribute connected statement?
04-09-2018 01:47 AM
I believe RRI for AnyConnect is on by default. When a client connects, a route for the /32 of the client's IP shows up in the routing table, which can then be advertised.
You may want to summarize the route, so you could configure a static route, put the network in a route map and redistribute static.
HTH
Bogdan
04-21-2018 06:26 AM
So I tried putting in a config today with no success.
I do see this entry in the routing table on the ASA:
V 192.152.4.1 255.255.255.255 connected by VPN (advertised)
I put in the following statements:
prefix-list PL-VPN-NETWORKS description USE THIS RT-map for controlling insertion of AnyConnect VPN Routes
prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27
route-map RM-VPN-RRI permit 10
match ip address prefix-list PL-VPN-NETWORKS
set metric 1200
redistribute static route-map RM-VPN-RRI
You mention putting in a static route. Can you explain this a little further? I am confused about what the static route would look like (and on what interface), since the route is already a /32 in the routing table.
04-23-2018 12:51 AM
I think it is not working because your prefix list is looking exactly for 192.152.4.0/27, but the routes in the routing table are /32, so you could modify the prefix list to redistribute routes for single IPs:
prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27 ge 32
or configure a static route for the /27 network:
route outside 192.152.4.0 255.255.255.224 1.1.1.1
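To make the "ge 32" fix concrete, here is an added example, not from the thread or from Cisco, of the length-window rule a prefix-list applies when it is evaluated against a route: an entry with no ge/le matches only a route of exactly the entry's length, while "ge 32" matches any /32 whose address falls inside the /27. The parser is a hypothetical minimal one that understands only permit/deny with optional ge/le, and the routes it is run over (the "V ... connected by VPN" host routes plus a 10.8.0.5/32 client from a second pool that should stay out of the routing protocol) are constructed sample input.

```python
import ipaddress

# Added example (not Cisco code): minimal evaluator for Cisco-style
# "prefix-list NAME seq N permit|deny A.B.C.D/len [ge X] [le Y]" entries.


def parse_prefix_list(lines):
    """Parse prefix-list entry lines into (seq, action, network, ge, le)
    tuples sorted by sequence number. 'description' lines are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "prefix-list" or tokens[2] != "seq":
            continue  # description line or something this toy parser ignores
        seq, action = int(tokens[3]), tokens[4]
        network = ipaddress.ip_network(tokens[5], strict=False)
        ge = le = None
        rest = tokens[6:]
        while len(rest) >= 2:
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
        entries.append((seq, action, network, ge, le))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, route):
    """Cisco semantics: the route's address must lie inside the entry's
    network, and the route's own prefix length must fall in the window
    [ge, le]; with neither keyword the length must equal the entry's,
    with only 'ge' the window runs up to the host length (/32)."""
    _, _, network, ge, le = entry
    if route.network_address not in network:  # also False across IP versions
        return False
    lo = ge if ge is not None else network.prefixlen
    if le is not None:
        hi = le
    else:
        hi = route.max_prefixlen if ge is not None else network.prefixlen
    return lo <= route.prefixlen <= hi


def permitted(entries, route_str):
    """First matching entry wins; an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1] == "permit"
    return False


# Constructed sample: /32 host routes an ASA installs for connected
# AnyConnect clients. 192.152.4.40 is outside the /27 (which covers
# .0-.31) and 10.8.0.5 is a client from a different address pool.
VPN_ROUTES = ["192.152.4.1/32", "192.152.4.17/32", "192.152.4.40/32", "10.8.0.5/32"]

ORIGINAL = [
    "prefix-list PL-VPN-NETWORKS description USE THIS RT-map for AnyConnect routes",
    "prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27",
]
CORRECTED = [
    "prefix-list PL-VPN-NETWORKS seq 5 permit 192.152.4.0/27 ge 32",
]


def redistributed(prefix_list_lines, routes=VPN_ROUTES):
    """Return the routes a 'redistribute ... route-map' using this
    prefix-list would hand to the routing protocol."""
    entries = parse_prefix_list(prefix_list_lines)
    return [r for r in routes if permitted(entries, r)]


if __name__ == "__main__":
    print("original :", redistributed(ORIGINAL))   # []
    print("corrected:", redistributed(CORRECTED))  # ['192.152.4.1/32', '192.152.4.17/32']
```

Two things worth noticing when you run it. The original entry permits nothing, which is exactly the "no success" outcome above, because the ASA never has a 192.152.4.0/27 route in its table, only /32s. The corrected entry permits the two clients inside the pool and still keeps the out-of-range /32s out, which is the reason to filter redistribution with a prefix-list at all rather than redistributing every connected VPN route: only addresses from the pool you intended can leak into the IGP. Note also that "ge 32" matches host routes only; if you later add the /27 summary static route from the same reply and want it advertised, it needs its own entry without ge (for example a seq 10 permit 192.152.4.0/27).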
04-23-2018 05:04 AM
The prefix list adjustment did the trick!
08-07-2018 09:21 AM
Thank you very much for the prefix-list trick. I was puzzling over this myself and this forum post came up in my Google search. It's now working fine for me!