10-31-2013 11:07 AM
Hello,
This is probably a very simple question to answer. Are there supposed to be routes added to the ASA routing table for networks on a site-to-site VPN? I set a L2L VPN up in the lab and I am not seeing this happen. Traffic flows between the two networks correctly, but I expected to see new routes pointing at my default gateway.
Best regards,
Alan
10-31-2013 11:11 AM
Hi,
I am not 100% sure on how the ASA behaves (without refreshing my memory), but I think VPN Client users always get their IP address added as a static route on the ASA.
If the routes are not showing up as Static (S) routes on your ASA, then you can add this configuration to the "crypto map" configurations for the connections you want:
crypto map
This should add the routes based on the VPN configurations.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
10-31-2013 11:22 AM
Hi Jouni,
Thanks for the quick reply. It was actually another engineer that told me I should see new static routes to VPN subnets set on the outside interface with the outside interface next hop. I want to determine for myself if this is the expected behavior or if that requires some kind of reverse route injection.
From my testing so far I have not seen such routes. Would you happen to know which behavior is expected, or be able to point me to some documentation that would detail that?
10-31-2013 11:31 AM
Hi,
Here is the Command Reference section on the command I mentioned. Its default setting is OFF.
http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478777
This quote from a document regarding RRI / Reverse Route Injection seems to confirm what I said about the VPN Client host IP routes being installed even without RRI.
Routing Table Output Before RRI is Enabled in the ASA
Note: Assume the VPN tunnel is established by a remote mobile user, and 192.168.105.1 is the assigned IP address by ASA.
ASA Routing Table
ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
S    192.168.105.1 255.255.255.255 [1/0] via 172.16.1.1, outside
C    192.168.212.0 255.255.255.0 is directly connected, insi
C    172.16.1.0 255.255.255.0 is directly connected, outside
S    10.5.5.0 255.255.255.0 [1/0] via 172.16.1.1, outside
O    10.2.2.1 255.255.255.255 [110/11] via 192.168.212.3, 2:09:24, insi
O    10.1.1.1 255.255.255.255 [110/11] via 192.168.212.2, 2:09:24, insi
Tip: Even if RRI is not configured, the static route of the connected client is injected into the routing table of the VPN server (ASA/PIX). However, it is not redistributed to the internal router, which runs dynamic routing protocols, such as OSPF, EIGRP (if you run ASA 8.0).
So it seems that in the case where you are running a routing protocol between the ASA and some router, you would have to enable RRI for the VPN Client as well.
Source:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml#bef
Hope this helps
- Jouni
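To check the point under discussion on your own ASA (is there an S route for each remote VPN network pointing out the VPN-facing interface, as RRI would install?), here is a small added script that is not from this thread or from Cisco. It parses "show route" text and reports, per expected VPN network, whether such a route exists; the sample capture is constructed from the output quoted above, with interface names completed.

```python
import ipaddress
import re

# Constructed sample modelled on the "show route" output quoted above
# (not the original capture; the "insi" truncations are restored as "inside").
SHOW_ROUTE = """\
Gateway of last resort is not set
S    192.168.105.1 255.255.255.255 [1/0] via 172.16.1.1, outside
C    192.168.212.0 255.255.255.0 is directly connected, inside
C    172.16.1.0 255.255.255.0 is directly connected, outside
S    10.5.5.0 255.255.255.0 [1/0] via 172.16.1.1, outside
O    10.2.2.1 255.255.255.255 [110/11] via 192.168.212.3, 2:09:24, inside
O    10.1.1.1 255.255.255.255 [110/11] via 192.168.212.2, 2:09:24, inside
"""

# One ASA route line: code, network, mask, optional [AD/metric],
# then either "via <nexthop>," or "is directly connected,", interface last.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]{1,2})\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?\s+"
    r"(?:via\s+(?P<nexthop>\S+),|is directly connected,)"
    r".*?(?P<iface>\S+)$"
)


def parse_routes(text):
    """Return a list of dicts for every routing-table entry found in text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # header / legend / "Gateway of last resort" lines
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append({"code": m["code"], "network": net,
                       "nexthop": m["nexthop"], "iface": m["iface"]})
    return routes


def rri_status(text, vpn_networks, vpn_iface="outside"):
    """Map each expected remote VPN network (CIDR string) to True when a
    static (S) route for exactly that network exits via vpn_iface."""
    routes = parse_routes(text)
    result = {}
    for cidr in vpn_networks:
        want = ipaddress.ip_network(cidr)
        result[cidr] = any(r["code"] == "S" and r["iface"] == vpn_iface
                           and r["network"] == want for r in routes)
    return result


if __name__ == "__main__":
    print(rri_status(SHOW_ROUTE, ["192.168.105.1/32", "10.5.5.0/24", "10.9.9.0/24"]))
```

Paste your own "show route" output in place of the constructed sample and list the remote L2L or client networks you expect; a False entry means no injected static route exists for that network.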
10-31-2013 01:10 PM
Hi Jouni,
Alan is running L2L or site-to-site VPN, and RRI does not work with site-to-site; it is purely a feature of Remote Access VPN. In site-to-site VPN, both VPN sites follow their own static or default route to communicate with each other.
I will be happy if you guys correct me.
Thanks a lot
10-31-2013 01:22 PM
Hi,
Well, the Cisco document pretty much states it:
Background Information
Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN Clients or LAN-to-LAN sessions.
Here is also one discussion where I specifically tested this for a user:
https://supportforums.cisco.com/thread/2244640?tstart=180
- Jouni