Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
783
Views
0
Helpful
3
Replies

OSPF Redist of SSL Client IPs

nigell3679
Level 1
Level 1

‎05-02-2011 11:49 PM

Hi all

I'm setting up our ASA 5505 for remote access VPN and now need to insert the VPN client addresses (allocated via RADIUS) into OSPF so that they get redistributed through our network.

The configuration of the ASA is that its hairpinning because it is behind an existing router/firewall (192.168.252.254), therefore it only has an inside interface (plus one for management).

The VPN access works fine as long as I have a static route on our router/firewall pointing the VPN clients network range to the ASA.  But once I configure OSPF with a redistribute static (because VPN client addresses get added the the ASA as statics), a host route (which is fine) gets added to our firewall with a next hop of the router/firewall itself and not the ASA.


ie
VPN Client route on the ASA
S    192.168.242.75 255.255.255.255 [1/0] via 192.168.252.254, inside (not to sure if this is expected behaviour - would have thought it should be a Connected route)


VPN Client route on the Router/Firewall

192.168.242.75     192.168.252.254    UGH         0     1246    em2       (I would have expected that OSPF should have put this in with a gateway of .200)

Route in the ASA OSPF database
192.168.242.75  192.168.252.200      839         0x80000002 0x9e45 0


Hoping someone may be able to tell me whats going on and how to resolve
Any replies gratefully received.

Thanks

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎05-03-2011 01:28 AM

Nigel,

It is expected that ASA sets the next-hop of the route to whatever it has on the corresponding interface.

If you redistribute this it will just be an external type 2 route sent to next hop.

Following should work (conceptually! I have not tested this in your scenario).

Why not create a fake area on the ASA and advertise the IP addresses pool assigned to VPN users via "area X range ..." ?

It could be what you're looking for?

Marcin

0 Helpful

nigell3679
Level 1
Level 1
In response to Marcin Latosiewicz

‎05-05-2011 09:00 PM

Thanks for the reply Marcin, unfortunately it doesn't seem to have worked - infact it didn't even avertise the range.

I'm not fully familiar with ospf, but heres a snippet of the config

!
router ospf 1
network 192.168.252.0 255.255.255.0 area 0
area 0
area 2 range 192.168.242.0 255.255.255.0
log-adj-changes
!
router ospf 2
  network 192.168.242.0 255.255.255.0 area 2
area 2
log-adj-changes
!

Tried a few other options also including redistribute ospf 1 subnets route-map REDIST_RM (which had the 192.168.242.0 range in it)

Might just have to use statics but I wouldn't have though that what i'm trying to do would be that unusal?

Cheers

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to nigell3679

‎05-06-2011 08:53 AM

Nigel,

My bad.

You need to have one leg in the area to be actually able to advertise a summary.

So my suggestion will not work unless you create a (fake?) interface in that area (within one process).

The interface also needs to be up, which basically defeats the purpose of having VPN device on a stick.

I guess you're better of creating a static route at this point.

Or let me rephrase, nothing more elegant comes to mind without actually trying to simulate this behavior in the lab :{

Marcin

0 Helpful
Customers Also Viewed These Support Documents