Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Determining Route With Reverse Route Injection

I have an ASA 5510 that terminates multiple L2L and RA tunnels. I currently have 2 interfaces on the ASA Inside and Outside. I have a default 0 0 route configured on the outside interface to the next hop which is a FW. I currently have reverse route injection configured on the crypto map for all the L2L connections and I'm redistributing them into OSPF so that my core Router receives the routes. I now need to create a backup VPN tunnel with our Colo facility in case our MPLS goes down. I currently also have Static routes to our colo facility configured on the internal interface pointing to our core router.  My plan is to inject the route(s) to the colo into ospf with higher metric so that when the routes to  the colo are removed when the MPLS goes down the traffic traverses the VPN tunnel. I have the tunnel configured and passing traffice between 2 test hosts. Ive also tested injecting the routes with rri. Due to the fact that I currently need static route(s) to the colo configured on the ASA via the Inside interface these are getting propagated into ospf pointing to the wrong gateway. I need to remove the existing default route on the outside interface and add a default route to the inside interface so I dont need all the static routes to colo. My question is this, when I remove the default route from the outside interface where the crypto map is, how are the routes learned for the VPNs? I'm assuming the next hop for all of the rri routes is generated from the default route.  Would I need to Add a separate static route for each L2L peer?

New Member

I think that your ASA is

I think that your ASA is configured with OSPF routing protocol. If yes with the crypto map set reverse-route the ASA inject the route of the remote LAN of VPN in OSPF routing protocol

New Member

That's correct, I am running

That's correct, I am running OSPF and the routes do get redistributed into OSPF as they should. my question is if i remove the default route which is pointing to the next hop connected to the interface where the VPNs terminate how will the ASA determine the path to VPN peers and ultimately the route to  the remote vpn networks. So in my scenario if i remove the default route pointing to how how will the asa know to populate the rri routes with the next hop of

New Member

Why you use the defaut route

Why you use the defaut route to ? The router R3, Level3 Router and Level4 Internet are in OSPF area ? You can organize your ospf network as :

Catalyst 3750    OSPF area 2
ASA 5510 inside ( OSPF area 2   OSPF area 2

ASA 5510 outside ( OSPF area 4    OSPF area 4