Redistributing dynamically created routes for vpn users into OSPF or EIGRP

ivanov.arseniy
Level 1

Hello, community!

I'm working on what seems to be a simple task, and I'm sad to admit it, but I need your help.

I have an ASA5505 (running 9.0.3 software) which provides remote access to all kinds of inside resources of the company where I currently work. As a remote user gets connected, the ASA puts what seems to be a static route into the routing table with a /32 mask. My initial plan was to redistribute these routes into OSPF or EIGRP to send them over to the core switch, but something is not right, either with my plan or with my implementation.

Let's say I decided to go with EIGRP (of course); here is what I do:
  • I create a prefix list which describes all possible routes for VPN users:

prefix-list VPN-USERS permit 192.168.100.0/24 ge 32

  • I create a route-map to match on this prefix-list:

route-map VPN-REDIST permit 10

match ip address prefix-list VPN-USERS

  • I redistribute the dynamic "static" routes into EIGRP while allowing only the specific prefixes:

router eigrp 100

redistribute static route-map VPN-REDIST metric 10000 1000 255 1 1500

Well, guess what? That doesn't work. Although redistribution works for the other real static routes that I have configured on the ASA if I remove the route-map from the redistribution, these VPN routes fail to be sent over to the core switch.

Any thoughts?

Best regards, Arseniy S. Ivanov
6 Replies

Marcin Latosiewicz
Cisco Employee

A more efficient way (and one that saves on the number of prefixes) is to advertise a summary route for your local IP pools.

Try with ACL instead of prefix-list too, just in case :-)

I sort of solved the problem by creating a static route on the core switch, which is more than OK with me; it's just that I wanted to know what's wrong with redistributing these /32s. :)

Best regards, Arseniy S. Ivanov

Well for starters:
https://tools.cisco.com/bugsearch/bug/CSCtg95852/?reffering_site=dumpcr

hence I suggested using ACLs ;]

Just tried. Negative.

Checking ACL

asa-vpn# show access-list VPN-CLIENTS
access-list VPN-CLIENTS; 1 elements; name hash: 0x1d86a566
access-list VPN-CLIENTS line 1 standard permit 192.168.100.0 255.255.255.0 (hitcnt=0) 0x5ab80128

Checking route-map

asa-vpn# show route-map VPN_CLIENTS
route-map VPN_CLIENTS, permit, sequence 10
  Match clauses:
    ip address (access-lists): VPN-CLIENTS 
  Set clauses:
Checking EIGRP config

asa-vpn# show run router ei
router eigrp 100
 eigrp router-id 192.168.6.254
 network 192.168.6.254 255.255.255.255
 redistribute static metric 100000 1000 255 1 1500 route-map VPN_CLIENTS
Checking EIGRP neighbors

asa-vpn# show eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.6.1             Vl16             12  00:07:57 1    200   0   1
Checking vpn routes

asa-vpn# show route outside 192.168.100.0

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 78.72.13.1 to network 0.0.0.0

S    192.168.100.1 255.255.255.255 [1/0] via 78.72.13.1, outside
Checking EIGRP topology

asa-vpn# show eigrp topo

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.6.254)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P 192.168.6.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, Vlan16

As soon as I do:

asa-vpn(config)# route outside 192.168.100.254 255.255.255.255 78.72.13.1

in the topology we get:

asa-vpn(config)# show ei topo

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.6.254)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P 192.168.6.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, Vlan16
P 192.168.100.254 255.255.255.255, 1 successors, FD is 281600
        via Rstatic (281600/0)

Sure enough, this route is being propagated properly:

swCore(config-router)#do show ip route ei

     192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.100.254/32 [170/281856] via 192.168.6.254, 00:01:31, Vlan16
swCore(config-router)#

Regarding the 8.2 bug, well... I would hope this is fixed by now :)

Best regards, Arseniy S. Ivanov
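To make the filter semantics from the question (the "ge 32" prefix-list) and from the ACL variant checked above concrete, here is an added offline model, not code from the thread or from the ASA: it parses the "show route" lines quoted in the thread (plus one constructed /24 entry) and reports which of the two match clauses would accept each route. The ge/le window rules and the standard-ACL "network address only" rule are Cisco route-map behaviour as I understand it; the parser and data names are my own.

```python
"""Model of 'match ip address prefix-list' vs. standard-ACL match in a route-map."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Static routes as printed by "show route" on the ASA. The two /32 lines are the
# per-user routes from the thread; the /24 line is constructed for contrast.
SHOW_ROUTE = """\
S    192.168.100.1 255.255.255.255 [1/0] via 78.72.13.1, outside
S    192.168.100.254 255.255.255.255 [1/0] via 78.72.13.1, outside
S    192.168.100.0 255.255.255.0 [1/0] via 78.72.13.1, outside
"""

@dataclass
class PrefixEntry:
    """One 'prefix-list NAME permit A.B.C.D/len [ge N] [le M]' line."""
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must sit inside the entry's prefix ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its length must fall in the ge/le window:
        # neither -> exact length; ge only -> ge..32; le only -> len..le.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi

def std_acl_matches(acl_net: ipaddress.IPv4Network, route: ipaddress.IPv4Network) -> bool:
    """A standard ACL in a route-map tests only the route's network address
    against the ACL's address/mask; the route's own mask is not examined."""
    return route.network_address in acl_net

def parse_static_routes(text: str) -> list:
    """Extract static ('S') entries from show-route output as IPv4Network objects."""
    pat = re.compile(r"^S\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)", re.M)
    return [ipaddress.ip_network(f"{addr}/{mask}") for addr, mask in pat.findall(text)]

def filter_routes(routes, entry: PrefixEntry, acl_net) -> dict:
    """Map each route to (prefix-list match, standard-ACL match)."""
    return {str(r): (entry.matches(r), std_acl_matches(acl_net, r)) for r in routes}

VPN_USERS = PrefixEntry(ipaddress.ip_network("192.168.100.0/24"), ge=32)   # from the question
VPN_CLIENTS = ipaddress.ip_network("192.168.100.0/24")                      # the standard ACL

if __name__ == "__main__":
    for net, (pl, acl) in filter_routes(parse_static_routes(SHOW_ROUTE), VPN_USERS, VPN_CLIENTS).items():
        print(f"{net:22} prefix-list={pl!s:5} std-acl={acl}")
```

Both filters accept the per-user /32s, so the match clause itself is not what blocks the redistribution; only the pool summary is treated differently, which is where Marcin's summary-route suggestion comes in.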

It's a doc bug :-)

bkoch1
Level 1

I used this method and it worked just fine.

I had turned on Reverse Route Injection for that specific VPN tunnel in order for the route to show up on the firewall, applied the route filter for one of the hosts in the crypto map, and I could now see the route on my core switch via EIGRP.