ASA5510 Reverse Route Injection

Unanswered Question
Dec 31st, 2009

ASA version 8.2

I ran the IPsec wizard on my 5510 for remote access.  It would seem that by default ISAKMP is enabled on both the inside and outside interfaces.  Furthermore, my default dynamic crypto map is enabled on both the inside and outside interfaces.  I would like to enable RRI for pools of addresses assigned to my remote workers.  Right now I have static routes - I'd ideally like RRI and redistribution.  Enabling RRI fails due to the fact that the dynamic mapping exists on multiple interfaces.  When I try to delete the map from the inside interface, it deletes the outside map as well.  So my questions are these:

1.  Should I have ISAKMP enabled on my inside interface if I'm terminating my VPN tunnels on the outside interface?

2.  Is having ISAKMP enabled on the inside interface the reason why deleting the dynamic crypto map on the inside interface also deletes it from the outside interface? (this occurs in the ASDM, haven't tried it on the CLI).

I can concede that I may have to configure this manually on the CLI as opposed to wizards due to the advanced configuration to enable RRI.  Any thoughts/suggestions would be appreciated.


Scott Pickles Thu, 12/31/2009 - 17:40

I couldn't wait - I disabled ISAKMP and the dynamic map on the inside interface.  I was able to configure RRI on the outside interface.  I see the static entry on the ASA for the reverse route, but it doesn't appear in the EIGRP topology table.  And without it showing up in the topology table, it's not being advertised to neighbors.  Now what?
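
What the two posts above arrive at, written out as an added configuration example (not from the thread or from Cisco): ISAKMP and the dynamic crypto map bound only to the interface that actually terminates tunnels, RRI on the dynamic map, and the resulting static host routes redistributed into EIGRP so neighbors learn them. RRI installs its routes as statics, which is why they never appear in the EIGRP topology table until `redistribute static` is configured. All names and addresses (pool `RA-POOL` 10.99.0.0/24, map `OUTSIDE_MAP`, dynamic map `DYN-MAP`, EIGRP AS 100, inside network 10.1.1.0/24) are hypothetical; syntax is ASA 8.2.

```cisco
! Added example for ASA 8.2; names and addresses are hypothetical.
ip local pool RA-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Enable IKE only where tunnels terminate. Leaving it on "inside" (as the
! wizard does) exposes the IKE responder to the LAN and ties the dynamic
! map to two interfaces, which is what blocks "set reverse-route".
crypto isakmp enable outside

crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE_MAP interface outside

! RRI installs a /32 static route per connected client. Redistribute those
! statics into EIGRP, restricted to the VPN pool so no other static route
! (default route included) leaks into the IGP.
access-list RRI-POOL standard permit 10.99.0.0 255.255.255.0
route-map RRI-TO-EIGRP permit 10
 match ip address RRI-POOL

router eigrp 100
 network 10.1.1.0 255.255.255.0
 redistribute static route-map RRI-TO-EIGRP
```

After a client connects, `show route` should list a static /32 for the assigned pool address on the outside interface, and `show eigrp topology` should now carry it as an external route; if the route is in the routing table but absent from the topology table, the route-map is the first thing to check.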


loizosko Thu, 11/18/2010 - 21:03

I configured RRI on my ASA for a site-to-site VPN tunnel. However, when the tunnel is down the route is still advertised to the network, therefore preventing it from going via our alternative path.

Does anybody know how to stop redistributing a remote subnet when the tunnel is down?

apothula Fri, 11/19/2010 - 00:43


You could use SLA monitoring to help your purpose for L2L VPNs.

Instead of using RRI, you could configure a static route to the remote network via your primary link and a backup route to the remote network via your backup link.

Configure SLA tracking on the primary route. This should bring your backup route up if the VPN tunnel is down.

Be sure to ping a host in the remote private network for the SLA tracking:

type echo protocol ipIcmpEcho interface outside, being a device in the remote network at the other end of the VPN tunnel.

Let me know if you have any questions.



loizosko Fri, 11/19/2010 - 05:32

This might be a problem, since the remote host will respond to ICMP going via the backup link.

apothula Fri, 11/19/2010 - 05:56

The backup link would not have the same ingress interface as the primary link. Would it?

If so, we've got a problem.



loizosko Fri, 11/19/2010 - 06:00

The backup link will be from the inside interface, coming off, let's say, an MPLS network or another VPN device.

The primary link will be from the VPN.

I don't think you can specify a route just to go from a VPN, can you?

apothula Fri, 11/19/2010 - 07:06

Consider this setup:

                   X                                                                                                         Y

MPLS---Inside Network---- ASA---Outside/Internet---VPN Tunnel---- ASA/Router----Remote Site network

To get to the Remote site via the VPN tunnel, you obviously need to take the default route.

So, you could add a route to the remote site Network with the internet gateway on the ASA as the next hop.

Something like:

route outside , being the internet gateway on the ASA.
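
The design apothula sketches across the two replies above, written out as an added configuration example (not from the thread or from Cisco): a tracked primary static route to the remote LAN pointing at the ISP gateway on the outside interface, a floating static via the inside/MPLS path, and an SLA probe pinned to the outside interface so it can only succeed through the tunnel, which answers loizosko's concern that the remote host would otherwise reply over the backup path. All addresses and names are hypothetical: remote LAN 10.20.0.0/24 with probe target 10.20.0.10, local LAN 10.1.0.0/16, outside interface 203.0.113.2 with ISP gateway 203.0.113.1, MPLS CE router 10.1.1.254 on the inside, crypto ACL `VPN-L2L`, crypto map `OUTSIDE_MAP` entry 10. Syntax is ASA 8.2.

```cisco
! Added example for ASA 8.2; names and addresses are hypothetical.

! 1. Probe a host inside the remote LAN. "interface outside" forces the
!    probe out that interface regardless of the routing table, so it is
!    matched against the crypto map and only succeeds while the tunnel is
!    up. It also keeps the probe retrying so the track recovers later.
sla monitor 10
 type echo protocol ipIcmpEcho 10.20.0.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! 2. Bind the probe to a tracked object.
track 1 rtr 10 reachability

! 3. Primary route via the ISP gateway (default AD 1), installed only
!    while track 1 is up. This is the "route outside ... <internet gateway>"
!    from the reply above.
route outside 10.20.0.0 255.255.255.0 203.0.113.1 1 track 1

! 4. Floating static via the inside/MPLS path. The high AD keeps it out of
!    the routing table until the tracked route is withdrawn.
route inside 10.20.0.0 255.255.255.0 10.1.1.254 254

! 5. Interesting traffic. The probe is sourced from the outside interface
!    IP, so that host must be in the crypto ACL (mirrored on the peer) or
!    the ping leaves in the clear and the track never comes up.
access-list VPN-L2L extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.255.0
access-list VPN-L2L extended permit ip host 203.0.113.2 10.20.0.0 255.255.255.0
! (crypto map OUTSIDE_MAP 10, IKE and tunnel-group config as already on the box)

! 6. Do not combine this with RRI on the same map entry: the route RRI
!    installs is an untracked static, which is exactly the route that kept
!    being advertised with the tunnel down.
no crypto map OUTSIDE_MAP 10 set reverse-route
```

To verify, `show sla monitor operational-state 10` and `show track 1` should report reachability up while the tunnel is established; pull the tunnel down and `show route` should swap the 10.20.0.0/24 entry from outside/203.0.113.1 to inside/10.1.1.254 within a few probe intervals. If the remote LAN is advertised into EIGRP, redistribute the statics with a route-map rather than `redistribute static` alone, so the floating backup route is not announced while it is dormant.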



