06-18-2010 09:21 PM
Hi halijenn / experts,
1) Please let me know if RRI works on a Site to Site tunnel.
2) I have networks behind the Remote ASA, 10.10.1.0 and 10.10.2.0, which need to be distributed via OSPF to another Branch ASA that has an S2S tunnel with the Remote ASA.
3) There is an L3 Switch behind the Branch ASA, and behind the L3 Switch there is a Router which has a default route pointing to the WAN Router.
       WAN Router
           |
           |
Users -> Router -> L3 Switch -> Branch ASA -> Internet -> Remote ASA (10.10.1.0 , 2.0)
Note: 10.10.1.0 and 2.0 are already configured in the crypto ACL at both ends.
Users are able to reach the 10.10.2.X network of the remote end.
Now, for 10.10.2.0, static routes are already there in the router and switch, which eventually point to the Branch ASA. However, as the network grows, it is not feasible to add static routes in the Router behind the switch every time (as the default route points to the WAN Router). Hence, in order to learn the routes dynamically, I will add an OSPF process in the Branch ASA with the following configuration. Please let me know if I am correct when I am adding RRI and the other OSPF commands in the Branch ASA. (Hope I have nothing to do on the Remote ASA related to RRI or OSPF?)
I am just taking the example of 1 remote host, 10.10.1.4. The inside interface of the ASA leading to the users is 172.16.1.0/24.
access-list redistribute standard permit host 10.10.1.4 255.255.255.255
router ospf 1
network 172.16.1.0 255.255.255.0 area 0
log-adj-changes
redistribute static subnets route-map redistribute
In addition to that, I will also be enabling the command for RRI in the crypto map of the said S2S VPN.
Please help me in figuring out if I am correct.
06-19-2010 01:14 AM
1) Yes, RRI works for S2S tunnel using: "crypto map
3) Yes, you are absolutely correct. Nothing needs to be configured on the remote router. RRI should be configured on the branch ASA which is running OSPF, and RRI will be seen as static routes, therefore you would need to redistribute static routes into OSPF on branch ASA.
Hope that confirms it.
06-19-2010 01:05 PM
Hi halijenn,
Thanks a ton! I also wanted to tell you that currently OSPF is not configured in the Branch ASA and I am about to configure it. So I just want to clarify: if I create an OSPF process, will it hamper any of the neighbouring networks? Currently there are some static routes in the same and a default route pointing towards the Remote VPN ASA. Or alternatively, will the OSPF work at all, as the static routes will always take priority over OSPF? Hence do I need to remove all the statics which are mentioned as " route inside
06-20-2010 06:46 PM
Please configure the OSPF process first on the ASA before removing the static routes. Once you have confirmed that OSPF is configured properly and the routes are in the OSPF database, then you can remove the static routes. Static routes will always take precedence over OSPF because it has a higher metric. Please keep the default route configured on the ASA.
Hope that confirms it.
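
The sequence discussed in this thread, written out as Branch ASA configuration. This is an added example, not configuration posted by either participant. The crypto map name `CMAP`, sequence `10`, the object names `RRI-NETS` and `RRI-TO-OSPF`, and the /24 masks on the remote networks are assumptions. `redistribute ... route-map` expects a route-map object, so the standard ACL is referenced from one rather than named directly, and the filter keeps any static route outside the listed VPN networks from leaking into OSPF.

```cisco
! Added example. CMAP / 10 stand in for the existing S2S crypto map entry
! on the Branch ASA; substitute the real name and sequence number.
!
! 1. RRI: install the remote networks from the crypto ACL as static routes.
crypto map CMAP 10 set reverse-route
!
! 2. Limit redistribution to the VPN networks only (masks are assumed /24).
!    A single host would be written "permit host 10.10.1.4", with no mask.
access-list RRI-NETS standard permit 10.10.1.0 255.255.255.0
access-list RRI-NETS standard permit 10.10.2.0 255.255.255.0
!
route-map RRI-TO-OSPF permit 10
 match ip address RRI-NETS
!
! 3. OSPF on the inside segment (172.16.1.0/24), redistributing only the
!    static routes that pass the route-map above.
router ospf 1
 network 172.16.1.0 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets route-map RRI-TO-OSPF
!
! 4. Verify before removing any manually configured static routes:
!    - the remote networks appear as static (S) entries on the ASA
!    - an adjacency has formed with the inside neighbour
!    - the redistributed networks are present in the OSPF database
show route
show ospf neighbor
show ospf database
```

Only after the downstream switch and router show the remote networks as OSPF-learned routes should the per-network static routes there be removed; the default route on the ASA stays in place.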
06-21-2010 12:55 AM
Thanks a ton halijenn !!!
06-21-2010 02:22 AM
You are welcome, and thanks.