Hi halijenn / experts,
1) Please let me know if RRI works on a site-to-site tunnel.
2) I have networks behind the Remote ASA, 10.10.1.0 and 10.10.2.0, which need to be distributed via OSPF to another Branch ASA that has an S2S tunnel with the Remote ASA.
3) There is an L3 switch behind the Branch ASA, and behind the L3 switch there is a router which has a default route pointing to the WAN router.
Users -> Router -> L3 Switch -> Branch ASA -> Internet -> Remote ASA (10.10.1.0 , 2.0)
Note: 10.10.1.0 and 2.0 are already configured in the crypto ACL at both ends.
Users are able to reach the 10.10.2.X network of the remote end.
For 10.10.2.0, static routes are already in place on the router and switch, which eventually point to the Branch ASA. However, as the network grows, it is not feasible to add static routes on the router behind the switch every time (as the default route points to the WAN router). Hence, in order to learn the routes dynamically, I will add an OSPF process on the Branch ASA with the following configuration. Please let me know if I am correct in adding RRI and the other OSPF commands on the Branch ASA. (I hope I have nothing to do on the Remote ASA related to RRI or OSPF?)
I am just taking the example of one remote host, 10.10.1.4. The inside interface of the ASA leading to the users is 172.16.1.0/24.
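access-list redistribute standard permit host 10.10.1.4
! route-map referenced by the redistribute command below; it matches the ACL above
route-map redistribute permit 10
 match ip address redistribute
router ospf 1
 network 172.16.1.0 255.255.255.0 area 0
 redistribute static subnets route-map redistribute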
In addition to that, I will also be enabling the command for RRI in the crypto map of the said S2S VPN.
Please help me figure out if I am correct.
Please configure the OSPF process on the ASA first, before removing the static routes. Once you have confirmed that OSPF is configured properly and the routes are in the OSPF database, you can remove the static routes. Static routes will always take precedence over OSPF because it has a higher metric. Please keep the default route configured on the ASA.
Hope that confirms it.
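
The change sequence discussed in this thread, written out for the Branch ASA as an added example that is not part of either post. The crypto map name and sequence number (`outside_map 10`), the ACL and route-map names, and the /24 masks on the remote networks are assumptions; substitute the values from the running configuration.

```cisco
! Added example. Assumed: crypto map "outside_map" seq 10, ACL "RRI-NETS",
! route-map "RRI-TO-OSPF", and /24 masks on 10.10.1.0 and 10.10.2.0.

! 1. Enable RRI on the existing site-to-site crypto map entry. The ASA then
!    installs routes for the remote networks listed in that entry's crypto ACL.
crypto map outside_map 10 set reverse-route

! 2. Restrict redistribution to the VPN networks only, so that other static
!    routes on the ASA are not advertised to the inside OSPF domain.
access-list RRI-NETS standard permit 10.10.1.0 255.255.255.0
access-list RRI-NETS standard permit 10.10.2.0 255.255.255.0
route-map RRI-TO-OSPF permit 10
 match ip address RRI-NETS

! 3. Run OSPF on the inside segment and redistribute through the route-map.
!    The default route on the ASA stays as it is.
router ospf 1
 network 172.16.1.0 255.255.255.0 area 0
 redistribute static subnets route-map RRI-TO-OSPF

! 4. Verify before removing any static route on the router or the L3 switch:
!    the remote networks are in the ASA routing table, the inside neighbour
!    is up, and the networks appear in the OSPF database.
show route
show ospf neighbor
show ospf database
```

Only after step 4 shows the remote networks in the OSPF database should the static routes for 10.10.1.0 and 10.10.2.0 be removed from the router and the L3 switch, which must themselves be OSPF neighbours on the 172.16.1.0/24 side for the routes to reach the users.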