Cisco Support Community
New Member

Help with OSPF RA VPN

Hello everyone!

I'm trying to use a Cisco ASA 5510 with IOS 9.1(2) and I've run into one big problem: when any client connects to the Remote Access VPN and receives an IP address, my ASA thinks that IP packets from this client should go via its default gateway. For example, if the OSPF neighbour and default gateway is 10.1.2.2/30, the IP of my Cisco is 10.1.2.1/30 and the client's IP is 172.16.15.223, I see this route in my routing table:

S 172.16.15.223 255.255.255.255 [1/0] via 10.1.2.2

I switched on reverse route injection and included the VPN network in the OSPF advertisements. But when I set up route summarization, I get this route:

O EX 172.168.15.0 255.255.255.0 [110/30] via 10.2.2.1 xx:xx:xx vlan X

on my router, but the ASA made the same route as I wrote above.

Can anybody help me work out what the problem is?

My configuration is:

     !
     access-list redistribute standard permit 172.16.15.0 255.255.255.0
     access-list filter-default-static-route remark filter static default route from OSPF Redistribution
     access-list filter-default-static-route standard deny host 0.0.0.0
     access-list filter-default-static-route standard permit 172.16.15.0 255.255.255.0
     !
     route-map vpn-routes permit 10
      match ip address filter-default-static-route
     !
     route-map vpn-routes permit 20
      match interface outside
      set metric-type type-2
     !
     route-map redistribute-map permit 1
      match ip address redistribute
     !
     router ospf 1
      network 172.16.15.0 255.255.255.0 area 5
      network 82.179.131.116 255.255.255.252 area 5
      area 5 range 172.16.15.0 255.255.255.0
      log-adj-changes
      redistribute connected
      redistribute static subnets route-map vpn-routes
      summary-address 172.16.15.0 255.255.255.0
     !
     crypto dynamic-map TEST_DYN_MAP 7 set ikev1 transform-set ESP-3DES-SHA
     crypto dynamic-map TEST_DYN_MAP 7 set ikev2 ipsec-proposal 3DES
     crypto dynamic-map TEST_DYN_MAP 7 set nat-t-disable
     crypto dynamic-map TEST_DYN_MAP 7 set reverse-route
     !
     crypto map outside_map 65535 ipsec-isakmp dynamic TEST_DYN_MAP
     crypto map outside_map interface outside
     !

Silver

Help with OSPF RA VPN

O EX 172.168.15.0 255.255.255.0 [110/30] via 10.2.2.1 xx:xx:xx vlan X

typo?

New Member

Help with OSPF RA VPN

Peter Koltl wrote:

O EX 172.168.15.0 255.255.255.0 [110/30] via 10.2.2.1 xx:xx:xx vlan X

typo?

Sorry, I mean 172.16.15.0

Help with OSPF RA VPN

Hello,

So you basically see this entry on the ASA

O EX 172.168.15.0 255.255.255.0 [110/30] via 10.2.2.1 xx:xx:xx vlan X

I am seeing a weird configuration here:

     router ospf 1
      network 172.16.15.0 255.255.255.0 area 5
      network 82.179.131.116 255.255.255.252 area 5
      area 5 range 172.16.15.0 255.255.255.0
      log-adj-changes
      redistribute connected
      redistribute static subnets route-map vpn-routes
      summary-address 172.16.15.0 255.255.255.0

This should look cleaner:

     router ospf 1
      network 82.179.131.116 255.255.255.252 area 5
      redistribute connected
      redistribute static subnets route-map vpn-routes

Can you test it like this?


Regards,

Jcarvaja

New Member

Help with OSPF RA VPN

Hello,

No! This entry is not on the ASA, it is on my router:

     O EX 172.168.15.0 255.255.255.0 [110/30] via 10.2.2.1 xx:xx:xx vlan X

So, I already tried this config:

     network 82.179.131.116 255.255.255.252 area 5
     redistribute connected
     redistribute static subnets route-map vpn-routes

Unfortunately, it didn't work.

Help with OSPF RA VPN

No! This entry is not on the ASA, it is on my router:

     O EX 172.168.15.0 255.255.255.0 [110/30] via 10.2.2.1 xx:xx:xx vlan X

It all makes sense now

So, what's the problem?

I mean, what are you expecting to see? The 10.2.2.1 belongs to the ASA, right????

Provide us a diagram with IP addresses and what you expect to happen, buddy.


Regards,

Jcarvaja

New Member

Re: Help with OSPF RA VPN

Hello,

I expect to see THIS on my router:
     O EX 172.168.15.0 255.255.255.0 [110/30] via 10.2.2.1 xx:xx:xx vlan X

or something like this, and THIS on my ASA:

     S 172.16.15.223 255.255.255.255 [1/0] via 10.1.2.1

I just realised that I wrote the wrong config in the OSPF configuration. It should be like this:

     router ospf 1
      network 172.16.15.0 255.255.255.0 area 5
      network 10.1.2.0 255.255.255.252 area 5
      area 5 range 172.16.15.0 255.255.255.0
      log-adj-changes
      redistribute connected
      redistribute static subnets route-map vpn-routes
      summary-address 172.16.15.0 255.255.255.0

and 10.1.2.1/30 is my Cisco ASA, 10.1.2.2/30 is my Cisco router,

172.16.15.0/24 is the network used to assign addresses to users.

I don't understand why the ASA tries to forward packets from/to connected clients via its default gateway but not via itself.

