Asa VPN routing

Phil Bradley
Level 4

Hello all. I have an ASA 5510 connected to a 3750 switch with RIP routing between the two devices. I am having issues passing the VPN subnet through RIP to the 3750. I probably don't fully understand how the routing table is populated on the ASA, so bear with me. I notice that the routing table only gets populated with the VPN subnet when the clients connect. So, for example, I have 192.168.1.1/32 in the ASA route table when client 1 connects. I then have static redistribution set up through RIP on the ASA. However, the 3750 never receives the RIP update from the ASA. All other routes pass between the devices fine. Any suggestions?


Sent from Cisco Technical Support Android App


11 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you share the ASA Configuration?

Are you using reverse route injection?

Also share from the ASA:

show rip database

and from the Catalyst:

show ip rip database

show ip route rip

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

No I am not using RRI. Do I need to use this to get these routes into RIP?

Hi Phily,

I think you'll need to redistribute your remote VPN subnet into your RIP protocol, or take off RIP and create a static route from your ASA to your 3750 switch and from the switch to the ASA for the subnet.

Something like this,

route inside 192.168.100.0 255.255.255.0 192.168.100.253 (this being the routed port or SVI on your 3750)

ip route 0.0.0.0 0.0.0.0 192.168.100.253 (this being your ASA inside interface that could reach other parts of your network)

Just an example. I hope this works for you.

Phil Bradley
Level 4

I have tried to redistribute the VPN subnet into RIP on the ASA, but the routes will not pass. I have a static route of 0.0.0.0 0.0.0.0 on my 3750 pointing to another router that is my exit gateway. This works fine until I need to pass the VPN clients across sites to another 3750 stack. I then need to configure another static route on the remote 3750 stack pointing back to the adjacent stack connected to the ASA VPN pool. I'm just trying to simplify the distribution across routers without having manual static routes.



Sent from Cisco Technical Support Android App

It's pretty obvious you have your routing messed up, going by your response. You have a default route on your switch to another router. Well, if you need to pass the VPN traffic, what you need is a static route pointing to your ASA.

On your switch, you need to specify your remote VPN subnet to talk to your ASA. Also see the drawing I have attached.

ip route 10.10.20.0 255.255.255.224 192.168.100.2 (this being your remote VPN subnet on the switch, pointing to your ASA)

On your ASA, you need to specify your entire LAN subnet which the ASA reaches:

route inside 192.168.100.0 255.255.255.0 192.168.100.3 (this being your entire LAN subnet, pointing to the SVI or routed port on your 3750)

I believe that's what you want to achieve; if not, please provide a drawing of what you want, and also share what Julio suggested earlier!

Also, if your network isn't that big, I would advise you to discontinue the dynamic routing protocol. It makes it simpler for you to read and understand what talks to what on your network with a static route.

I hope this helps.

Tedd

Phil Bradley
Level 4

Thanks Teddy. Actually, all of my routing is working fine and as expected. I do have static routes defined for the ASA VPNs and all works well, but I was trying to clean up my routing table and let routing protocols do the work for the VPN subnets. I will upload a Visio of my network so that may clear things up, but here is somewhat of a diagram, lol.

ISP1---ASA1-----3750G Stack1 L2&L3(10.5.1.1)------ 3750G Stack2 L2&L3(10.5.1.2)-----ASA2------ISP2

In the above diagram the 3750s are tied together with fiber optic (that we own) in two separate buildings across town. Both stacks have inter-VLAN routing with multiple subnets. These subnets are passed between stacks using RIP, so my 3750s are acting as my routers as well. The primary route for all clients' internet is through ISP1's internet, so that is the reason for having ip route 0.0.0.0 0.0.0.0 10.5.1.1. I have two VPN paths which work fine with static routing through either the ISP1 or ISP2 connection. I have defined both ASA1's and ASA2's VPN subnets on both stack 1 and stack 2 using static routing, which works. I am just trying to pass the VPN pools with RIP, if possible, instead of static statements (I like having routing protocols do the work, lol).

Like I said, I don't actually have any routing problems, but would like to pass the VPN pools via RIP from the ASAs to the 3750s. I do have RIP passing routes between the ASAs and 3750s, with the exception of the VPN pools, which are not working through RIP. I have tried redistributing the VPN subnets under RIP on the ASAs as well, with no success.

Sent from Cisco Technical Support iPad App

OK Phily, great to know that all is working fine now for you!

If you want to pass the VPN pool via RIP you need to enable RRI on the ASA. That would inject the VPN pool into the ASA's routing table, which makes the ASA see it as a static route; then you go ahead and, in your RIP process, type "redistribute static". The ASA would pass it along as a well-known route from its table.

Believe me, I went through the same thing you are going through now, some years back! It was a pain in the neck, but I finally got someone who helped me out with it. It took me almost 1 month to get help. Everything from the VPN side seemed OK, but I couldn't reach my inside network. I was told to do just what I mentioned above.

As for IGPs in the network, they seem OK to configure and have them do the job for you, but if not well thought out before implementation, you might shoot yourself in the leg with it down the road. For me, before I could understand IGPs I had to understand statics very well. That helped me to understand routing protocols.

I am glad you are OK.

Have a good one Phil

Ted
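As an added illustration of the answer above (example configuration written for this thread, not posted by Ted or taken from Cisco documentation): on the ASA, RRI is turned on in the dynamic crypto map that remote-access clients match. Once RRI is enabled, the ASA installs each connected client's assigned address as a static host route, and that is what `redistribute static` under `router rip` picks up and advertises to the 3750. The map names, the pool range, and the interface addresses below are assumptions.

```text
! --- ASA (assumed names and addresses) ---
! Remote-access pool; with RRI the ASA installs one static /32 per connected client
ip local pool VPN_POOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

! RRI on the dynamic crypto map the remote-access clients land on
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! RIP toward the 3750 over the inside link; the RRI routes are statics, so redistribute them
router rip
 version 2
 network 10.5.1.0
 redistribute static
 passive-interface outside

! --- Verify on the ASA after a client connects ---
! the client address should show as an S (static) /32 route
show route
show rip database

! --- Verify on the 3750 ---
! the same /32 should now arrive as a RIP route
show ip route rip
```

Two practical notes. First, the route only exists while the client is connected, so the RIP entry on the 3750 will appear and age out as clients come and go; that is expected, not a fault. Second, because RRI injects one host route per client, a large pool can add many entries to the IGP; that is the trade-off for dropping the single static pool route the original poster had on the switches.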

Thanks for the info. I will try the above using RRI and I'm sure it will work. I'm just not that familiar with RRI, but I'm sure Cisco has plenty of documentation.

Sorry for all the extra details.

Sent from Cisco Technical Support iPad App

You are welcome Phil,

Try it out and please let me know the outcome. Please also rate the answer if it's correct.

Have a good one.

Thanks

Tedd

RRI is exactly what I needed. Everything looks good now. Thanks!

Sent from Cisco Technical Support iPad App

Woah hoooowwhh!!!! Great to hear ya saying that !!

Another lesson learned and well understood.

Cheers mate

Teddy
