07-18-2024 02:22 AM
Hello Team,
I have a network as below.
ASA peers with ISP using BGP.
There's OSPF for downstream and upstream routing.
There is NATting on the ASA public interface to the FTD 40.18 interface, with 4500 and 500 services.
Is it possible to use this FTD's 40.18 interface to peer with a remote site to form a site-to-site VPN?
Your support will be appreciated.
Thank you.
07-22-2024 07:24 AM
The routes are static from the FTD perspective, correct?
So on its process ID I redistribute static? And should I extend to subnets for classless scope?
Thank you.
07-22-2024 07:40 AM - edited 07-22-2024 07:42 AM
show ip ospf database external <<- in FTD
Do that after you add
redistribute connected subnet
MHM
07-23-2024 03:56 AM
FTD refused to add a different p2p network to ASA on the same area <<- I don't get this point, can you elaborate more?
show ospf
Check if both OSPF processes use the same router-id or not.
I ran a lab and used RRI and redistributed static subnets into OSPF and it worked, so it is not an IPsec RRI issue; I think it is an OSPF dual-process issue.
MHM
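To make the two points above concrete (redistribute the RRI statics with the subnets keyword, then check the external LSAs, neighbors and router-id), here is an added example in ASA/FTD CLI form. It is not configuration from this thread or from Cisco documentation; the interface names, process ID, ACL and proposal names, prefixes and the peer address are constructed placeholders, and on an FMC-managed FTD the equivalent settings are entered on the VPN and Routing pages rather than typed at the CLI.

```cisco
! Added example, not from the thread. All names, prefixes and the peer
! address are constructed placeholders.
!
! 1. Policy-based S2S VPN with Reverse Route Injection (set reverse-route).
!    RRI installs a static route for each remote protected network in
!    VPN_REMOTE_SITE_ACL, pointing out the interface the crypto map is bound to.
crypto map OUTSIDE_MAP 10 match address VPN_REMOTE_SITE_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
!
! 2. Redistribute those RRI statics into the ONE OSPF process that actually
!    neighbors with the core switch. Without the "subnets" keyword only
!    classful networks are redistributed, so a /24 carved from a 10.x or
!    172.16.x block never becomes a type-5 LSA. The route-map (assumed
!    prefix-list syntax) limits redistribution to the VPN prefixes instead of
!    every static on the box.
prefix-list VPN_REMOTE_PREFIXES seq 10 permit 192.168.50.0/24
prefix-list VPN_REMOTE_PREFIXES seq 20 permit 192.168.60.0/24
route-map RRI_TO_OSPF permit 10
 match ip address prefix-list VPN_REMOTE_PREFIXES
!
router ospf 1
 router-id 10.40.0.18
 network 10.40.0.0 255.255.255.0 area 0
 log-adj-changes
 redistribute static metric-type 2 subnets route-map RRI_TO_OSPF
 redistribute connected subnets
!
! 3. Verification on the FTD (diagnostic CLI). Each line answers one of the
!    questions raised in the thread.
!    RRI routes must exist as "S" entries before OSPF can redistribute them:
show route static
!    Every redistributed prefix should appear as a type-5 (external) LSA:
show ospf database external
!    The core switch must be FULL on process 1, the one doing redistribution:
show ospf neighbor
!    Confirm a single process and router-id; two processes sharing a
!    router-id, or redistribution configured on the process without the
!    core as a neighbor, matches the symptom of "static on FTD but not on core":
show ospf
```

In FMC the `subnets` keyword corresponds to the Use Subnets option on the OSPF Redistribution page, and `set reverse-route` to the Enable Reverse Route Injection checkbox under the VPN's IPsec settings quoted later in this thread. If `show ospf database external` on the FTD already lists the VPN prefixes but the core switch still lacks them, the problem is on the OSPF adjacency or area between the two boxes, not on RRI.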
07-18-2024 11:34 AM
Yes, this should work as long as the peers support NAT-T.
07-19-2024 02:14 AM
The 40.18 should be able to ping the ASA public IP?
07-19-2024 07:50 AM
Thanks, so it's possible, the VPN came up.
But I am not sure why vFTD does not redistribute remote networks. When I go to the core SW and do show ip route "remote _ network" I get subnet not in table. Why would this be, yet there is OSPF between the 2?
07-18-2024 11:40 AM
Yes, that can be done, but what is the other peer? Is it FTD or router IOS XE, and what is the version of IKE?
MHM
07-19-2024 02:05 AM
The remotes are different vendors: Check Point, FTD, Cisco ASA, Fortigates, Sophos, IOS routers; others are on cloud.
07-19-2024 07:51 AM
Thanks, so it's possible, the VPN came up.
But I am not sure why vFTD does not redistribute remote networks. When I go to the core SW and do show ip route "remote _ network" I get subnet not in table. Why would this be, yet there is OSPF between the 2?
07-20-2024 04:56 AM
You want the remote LAN advertised via OSPF over IPsec S2S VPN?
This does not work; you need route-based VPN for that.
Configure a tunnel and run OSPF over the tunnel, and you can learn the remote LAN prefix via the tunnel.
MHM
07-21-2024 10:16 PM
What's the implication of changing the tunnels from policy-based?
Will I have to involve clients to change on their end?
Do you have a guide to do this conversion? I am using FMC for configurations.
Thank you.
07-21-2024 11:56 PM
Reverse Route Injection is enabled by default in Firepower Management Center.
Subnet/IP Address (Network) remains the default selection.
When you have selected Protected Networks as Any and observe default route traffic being dropped, disable the Reverse Route Injection under VPN > Site to Site > edit a VPN > IPsec > Enable Reverse Route Injection. Deploy the configuration changes; this will remove set reverse-route (Reverse Route Injection) from the crypto map configuration and remove the VPN-advertised reverse route that causes the reverse tunnel traffic to be dropped.
Make sure reverse route injection is enabled (it is by default), and also check if you are seeing the routes on FTD and if static is redistributed into OSPF.
You don't have to do route-based as such, but route-based VPN will allow you to exchange routes via the tunnel with a routing protocol. If these are clients that you have no control of, then routing / dynamic protocol may be a bit more challenging.
07-22-2024 12:15 AM
I am seeing the routes on FTD as static and redistributing into the OSPF process, but the downstream OSPF neighbor does not know about the routes.
What could be happening?
I have redistributed as type 2.
07-22-2024 12:05 AM
On policy-based VPN there is also the option for "enable reverse route injection".
What does that do when checked?
Thanks.
07-22-2024 12:17 AM - edited 07-22-2024 01:11 AM
It inserts the routes in the routing table for the remote subnets and allows them to be redistributed to other routing protocols.
Please check the OSPF database on FTD and other devices:
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/12151-trouble-main.html
07-22-2024 01:16 AM
OSPF works okay for other networks, as well as redistribution.
But for the IPsecs, redistribution is not working as expected.
Why would this be?
OSPF DB: the devices are in the OSPF DB and the OSPF neighborship.
It's confusing.
07-22-2024 01:28 AM
If it's redistributing, why is the core (downstream) switch not learning the IPsec routes?