05-20-2011 01:27 PM
I've seen docs that show how to configure ASA-to-ASA VPN sharing OSPF routes and for IOS-to-IOS sharing OSPF routes. Is it possible to do it from ASA-to-IOS device?
I'm supposed to set up a DMVPN across a couple remote sites and there's an ASA at one of the sites. EIGRP routes are supposed to be shared across the DMVPN (I suppose that could switch to OSPF if necessary). My plan for the ASA site was to configure a regular site-to-site VPN with the DMVPN hub and redistribute the OSPF and EIGRP routes into each other so the spokes can talk to the ASA-branch through the hub.
Is this possible or am I going to have to use static routes to/from the ASA network?
05-20-2011 01:52 PM
Xavier,
I have not seen it done in practice, but I don't see a theoretical problem with this solution.
That being said, using RRI and redistributing statics into your DMVPN cloud would be much more elegant solution.
Marcin
05-20-2011 02:18 PM
Reverse route injection? I didn't even think of that. What would that config look like though?
On the ASA I'd do:
crypto map mymap 10 set reverse-route
And for the router I'd do:
crypto map mymap 10 ipsec-isakmp
reverse-route
Or do I do it inside the EIGRP processes?
Wow this is a lot easier. I'll do this as soon as I can and post an update. Thanks a lot bro.
Cheers
Xavier
05-20-2011 03:09 PM
Xavier,
RRI works on both sides independently. If routing on ASA is what you would have expected it to be (typical scenario - default route pointing through outside interface), it's enough to do "set reverse-route static" and redistribute static (with route-map) under EIGRP process on IOS side.
What makes a difference here (even comparing ASA to IOS) is that RRI on IOS by default doesn't insert routes unless SA is up. You need to use "static" with RRI to insert routes even if the IPsec SA is not up.
Marcin
05-23-2011 07:46 AM
Marcin,
I'm not really familiar with route maps and how they work =/. I'm doing a bit of reading now but it's not really helping (gonna keep reading though). What kind of statements would I put in the route map? What is it supposed to do exactly?
So I wouldn't need to configure anything on the ASA? Still a bit confused as to what command is doing what. Can you explain it a bit farther please?
Thanks
Xavier
05-23-2011 01:40 PM
Xavier,
In the route-map you would need to put a match statement matching the prefixes/subnets you would like to advertise into EIGRP.
Regarding ASA, normally you wouldn't have to, but I don't see a problem with adding the RRI statements in crypto map (normally).
Regarding commands. I always point people to some self help ;-)
http://www.cisco.com/en/US/products/ps10591/products_product_indices_list.html
more specifically:
http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
RRI docs:
EIGRP redistribution:
Anyway take it step by step, start by checking what the situation will be when you insert routes into routing table on hub via RRI. Then if needed - redistribute static routes into EIGRP.
Marcin
05-24-2011 07:47 AM
Hi Marcin,
I finally understand why I couldn't understand. I was trying to do something different from what you were explaining to me but I thought you were explaining what I originally wanted to do.
What I had wanted was a way to see the routes to the DMVPN spokes on the ASA and for the Spokes to see the route to the ASA as well as the networks behind the ASA. What you were telling me to do is a way to spread the static routes on the regular VPN endpoints throughout each network. Now I'm seeing though that my way would hardly have made sense because I'd need to manually code the static routes into the crypto access lists anyway so by doing the dynamic routing, I wouldn't really be gaining much.
So then on the hub, I'll have static routes to each network behind the ASA and those routes will spread to the spokes through EIGRP as external routes. Since the VPN is the default route on the ASA, all traffic not found on that network will be sent to the hub. Only thing is that I'll have to configure the crypto access-list for each DMVPN spoke on the ASA. What I really need is a way to dynamically edit the crypto access-list based on the routes I somehow get across the VPN for the spoke networks.
Thanks a lot for your help. I'll mark this as answered now.
Regards
Xavier
05-24-2011 11:49 AM
Xavier,
What I really need is a way to dynamically edit the crypto access-list based on the routes I somehow get across the VPN for the spoke networks.
Unfortunately for IPsec to come up both sides need to agree on traffic selectors, so realistically speaking there is no way to dynamically change this.
That's why GRE and VTI technologies were introduced.
What you usually do instead is to try to summarize network prefixes and use bigger subnet masks. That's not always a possibility, I know.
Marcin
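As an added worked example (this is not configuration posted by anyone in the thread), here is how the pieces Marcin describes fit together on both ends: the ASA crypto map with RRI, the IOS hub crypto map with "reverse-route static", a route-map restricting which statics are redistributed into EIGRP, and, from the last reply, crypto ACLs that mirror each other and use one summary prefix for the spoke space so the ACL never has to be edited per spoke. All addresses, names (mymap, VPN-TO-HUB, VPN-TO-ASA, ESP-AES-SHA, STATIC-TO-EIGRP, ASA-NETS) and the EIGRP AS number 100 are made-up values; ISAKMP policies and pre-shared keys are omitted.

```text
! ---- ASA at the branch (constructed example) ----
! Local networks behind the ASA: 10.10.0.0/16
! Hub + all DMVPN spokes summarized as: 10.20.0.0/16
access-list VPN-TO-HUB extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map mymap 10 match address VPN-TO-HUB
crypto map mymap 10 set peer 203.0.113.1
crypto map mymap 10 set transform-set ESP-AES-SHA
! RRI on the ASA installs the remote selector (10.20.0.0/16) as a route out "outside".
! Not strictly needed when the default route already points out "outside", as here.
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.254

! ---- IOS DMVPN hub (constructed example) ----
! Mirror image of the ASA crypto ACL; if the selectors do not match the SA will not come up.
ip access-list extended VPN-TO-ASA
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address VPN-TO-ASA
 ! "static": 10.10.0.0/16 is installed as a static route even while the IPsec SA is down,
 ! so EIGRP can carry it to the spokes before any traffic has brought the tunnel up.
 reverse-route static
!
interface GigabitEthernet0/0
 crypto map mymap
!
! Only the RRI-injected branch prefix is allowed into EIGRP; other statics stay local.
ip prefix-list ASA-NETS seq 5 permit 10.10.0.0/16
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list ASA-NETS
!
router eigrp 100
 network 10.20.0.0 0.0.255.255
 redistribute static route-map STATIC-TO-EIGRP metric 10000 100 255 1 1500
```

Checking it step by step, as suggested above: "show ip route static" on the hub should list 10.10.0.0/16 via the crypto map interface before any tunnel traffic has flowed; "show ip eigrp topology" on a spoke should then show it as an external (D EX) route; and "show crypto ipsec sa" on either end should show a single SA whose local/remote identities are exactly the two /16 prefixes above. Because the spoke side is carried as one summary, adding a spoke inside 10.20.0.0/16 requires no change to either crypto ACL.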