I'm using an ASA5520 (version 7.2(3)) with RemoteAccess VPN. Client routes are installed in the routing table with Reverse Route Injection and then redistributed with OSPF. A summary route is used to advertise all clients' IP addresses. This prevents changes to the routing tables whenever clients log in or out.
RA VPN clients receive their IP addresses from a DHCP server. However, when there are no more VPN connections, the summary route is also dropped. The internal network does not have a route back to the firewall for the DHCP servers' replies. The VPN connection is denied because the firewall cannot assign an IP address to the client.
In short, is it possible to force the firewall to advertise the summary route?