RA VPN Routing Question

johng231
Level 3

Hello -

Just wondering if this by design and if there is a way of turning this off. When a remote client connects using remote vpn access, the /32 host address from the client is automatically showing up in the ASA routing table.  I have specified a /24 (vpn pool subnet) route pointing to the outside.  It is still injecting the /32 host address. Is it possible to disable this?

Version 8.2.5 ED

Thanks -

John

11 Replies

ajay chauhan
Level 7

"I have specified a /24 (vpn pool subnet) route pointing to the outside." - does this mean you added a route for the pool?

please post your configuration.

Thanks

Ajay

Yes I have added a route for the pool. It's still showing /32 host address of the clients in the routing table. Is there a way to disable this from happening? It seems to be common on the ASAs.

First, a route addition is not required for the VPN pool.

Disable the reverse route injection; that will resolve it.

Isn't it required, since I'm summarizing the supernets on the inside? The VPN pool is part of the supernets. So I have to add the VPN pool route outside, otherwise my inside route will be used, not the default gateway.

How do I disable the reverse route injection? I don't have this turned on. You can't enable it on a dynamic VPN connection.

crypto map vpn 65535 set reverse-route
WARNING: This map entry is linked to dynamic-map: dynomap.
         This attribute will be inactive!

RRI can be disabled by prefixing the command with no:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

Varinder

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

mudjain
Level 1

RRI, to my understanding, was never meant to inject a route locally on the router. If the remote access client can connect, there is definitely a default route pointing to the same outside interface; we don't need a route to send traffic to that interface.

RRI, to my understanding, is meant for dynamically injecting a static route, so the user can redistribute this new route into the dynamic routing table and traffic to this particular IP address would start flowing to the edge router only while the host is connected.

Or if we have the same network as the local IP pool on the LAN as well and we are using more specific routes to direct packets in the correct directions.

So unless we are redistributing the dynamically created route into a dynamic routing table, or we have the same network as the IP pool for remote access clients in the local network as well, RRI is not the one you are looking for and you can keep it disabled in the case of remote access clients.

I'm running a basic Remote VPN configuration using split tunneling on an ASA 5510 in the lab. I don't have dynamic routing setup between my lab ASA and the layer 3 connected switch on the inside. There is an aggregated route pointing to the inside. I'm specifying a route outside for the VPN pool subnet which is also part of the aggregated route.

When I connect via the Cisco VPN client, my VPN client IP address is showing up in the ASA routing table as a /32, even though there is a route outside for the VPN pool subnet. This may not be a problem, but when I go to roll it out into production, there will be over 1000 /32 hosts in the ASA routing table. I would prefer this doesn't happen since it will consume more memory than it has to. I'm not using RRI; as I mentioned, it is a simple basic RA config using split tunneling.

Can anyone confirm if this is normal behavior?

no crypto map vpn 65535 set reverse-route

&

Also, as Mudit said, it's not recommended to use the same range for the VPN pool that is being used on any other interface of the ASA. This may cause routing issues.

Thanks

Ajay

Thanks... I don't have set reverse-route enabled. When I try to remove it, it wipes out my crypto-map VPN 65535 statement altogether. Even if you use a completely different VPN pool subnet that's not part of the aggregated route inside or any of the interfaces on my lab ASA firewall, it still shows a /32 host address. Is this by design? How can you disable this? If you have 1000 VPN clients connecting, you will have 1000 /32 host addresses in the ASA routing table pointing back to the outside. It doesn't care that you have the VPN pool subnet route outside in there.

Try this when you get a chance and you'll see what I'm talking about.

I'm running version 8.2.5ED.

please share config..

Here is the lab VPN config below... I'm still seeing the /32 host in the routing table on the ASA. Can you connect to your own VPN using an ASA as the endpoint? Do you get the VPN client IP address showing up as a /32 route in the routing table?

route outside 0.0.0.0 0.0.0.0 168.x.x.x
route outside 172.16.205.216 255.255.255.248 168.x.x.x
route inside 172.16.0.0 255.240.0.0 172.16.205.130
route inside 134.x.x.x 255.x.x.x 172.16.205.130 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynomap 10 set transform-set ESP-AES-256-SHA ESP-AES-192-SHA ESP-AES-128-SHA
crypto map vpn 65535 ipsec-isakmp dynamic dynomap
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
object-group network Split-Net
 network-object 134.x.x.x 255.x.x.x
 network-object 172.16.0.0 255.240.0.0
tunnel-group testvpn type remote-access
tunnel-group testvpn ipsec-attributes
 pre-shared-key *****
access-list NoNat line 2 extended permit ip object-group Split-Net 172.16.205.216 255.255.255.248
nat (inside) 0 access-list NoNat
access-list SplitTunnel line 1 extended permit ip object-group Split-Net
group-policy DfltGrpPolicy attributes
 wins-server value 134.x.x.x 134.x.x.x
 dns-server value 134.x.x.x 134.x.x.x
 vpn-tunnel-protocol IPSec
 address-pools value VPNPOOL
group-policy Split internal
group-policy Split attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
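The concern raised in this thread is the number of per-client /32 entries that appear in the ASA routing table next to the /29 pool route. The script below is an added example written for this page; it is not from the thread, from Cisco, or from the poster's lab. It parses a constructed sample in the style of ASA "show route" output (the exact column layout is an assumption, and the addresses are made up, not the poster's 168.x.x.x gateway), then reports how many /32 host routes fall inside a given pool and which interface they point to. That gives an operator a way to measure, rather than guess, how many host routes a deployment of a given size would carry, and to confirm that they all sit behind the pool subnet's route.

```python
import ipaddress
import re

# Constructed sample of "show route"-style output (assumption: this layout).
# It is not captured from any real ASA; addresses are invented for the demo.
SAMPLE_SHOW_ROUTE = """\
Gateway of last resort is 168.0.0.1 to network 0.0.0.0

S    0.0.0.0 0.0.0.0 [1/0] via 168.0.0.1, outside
S    172.16.205.216 255.255.255.248 [1/0] via 168.0.0.1, outside
S    172.16.0.0 255.240.0.0 [1/0] via 172.16.205.130, inside
C    172.16.205.128 255.255.255.192 is directly connected, inside
C    168.0.0.0 255.255.255.0 is directly connected, outside
S    172.16.205.217 255.255.255.255 [1/0] via 168.0.0.1, outside
S    172.16.205.218 255.255.255.255 [1/0] via 168.0.0.1, outside
S    172.16.205.219 255.255.255.255 [1/0] via 168.0.0.1, outside
"""

# One route line: code, network, dotted mask, then either "via <gw>, <iface>"
# or "is directly connected, <iface>". Legend and header lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?(?:via\s+(?P<via>\d+\.\d+\.\d+\.\d+),\s*(?P<iface>\S+)"
    r"|is directly connected,\s*(?P<ciface>\S+))"
)


def parse_routes(text):
    """Return a list of route dicts parsed from show-route-style text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # skip header, legend and blank lines
        # Build the prefix from the dotted mask; strict=False tolerates
        # host bits being set, which /32 entries always have.
        net = ipaddress.IPv4Network((m["net"], m["mask"]), strict=False)
        routes.append({
            "code": m["code"],
            "network": net,
            "via": m["via"],
            "iface": m["iface"] or m["ciface"],
        })
    return routes


def audit_pool_routes(routes, pool):
    """Summarise the /32 host routes that fall inside the VPN pool prefix."""
    pool = ipaddress.IPv4Network(pool)
    pool_route = [r for r in routes if r["network"] == pool]
    host_routes = [
        r for r in routes
        if r["network"].prefixlen == 32 and r["network"].subnet_of(pool)
    ]
    return {
        "pool_route_present": bool(pool_route),
        "host_route_count": len(host_routes),
        "host_routes": sorted(str(r["network"].network_address)
                              for r in host_routes),
        # A single interface here means every client route exits the same way
        # as the pool route; more than one would be worth investigating.
        "host_route_interfaces": sorted({r["iface"] for r in host_routes}),
    }


if __name__ == "__main__":
    parsed = parse_routes(SAMPLE_SHOW_ROUTE)
    print(audit_pool_routes(parsed, "172.16.205.216/29"))
```

Feed it the saved output of "show route" from the device and the pool prefix in use; the count it returns is the number of client host routes present at that moment, which is the figure to compare against the expected concurrent user count before rollout.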
