Just wondering if this is by design and if there is a way of turning it off. When a remote client connects using remote VPN access, the /32 host address from the client automatically shows up in the ASA routing table. I have specified a /24 (VPN pool subnet) route pointing to the outside. It is still injecting the /32 host address. Is it possible to disable this?
Version 8.2.5 ED
"I have specified a /24 (vpn pool subnet) route pointing to the outside." - does this mean you added a route for the pool?
Please post your configuration.
Yes, I have added a route for the pool. It's still showing the /32 host address of the clients in the routing table. Is there a way to disable this from happening? It seems to be common on the ASAs.
Isn't it required since I'm summarizing the supernets on the inside? The VPN pool is part of the supernets, so I have to add the VPN pool route on the outside; otherwise my inside route will be used, not the default gateway.
How do I disable reverse route injection? I don't have this turned on. You can't enable it on a dynamic VPN connection.
crypto map vpn 65535 set reverse-route
WARNING: This map entry is linked to dynamic-map: dynomap.
This attribute will be inactive!
RRI can be disabled by putting no in front of the command.
RRI, to my understanding, was never meant to inject a route locally on the router. If the remote access client can connect, there is definitely a default route pointing to the same outside interface; we don't need a route to send traffic to that interface.
RRI, to my understanding, is meant for dynamically injecting a static route, so the user can redistribute this new route into the dynamic routing table so that traffic to this particular IP address starts flowing to the edge router only when the host is connected.
Or if we have the same network as the local IP pool on the LAN as well and we are using more specific routes to direct packets in the correct direction.
So unless we are redistributing the dynamically created route into the dynamic routing table, or we have the same network as the remote access client IP pool in the local network as well, RRI is not the one you are looking for, and you can keep it disabled for remote access clients.
I'm running a basic remote VPN configuration using split tunneling on an ASA 5510 in the lab. I don't have dynamic routing set up between my lab ASA and the layer 3 connected switch on the inside. There is an aggregated route pointing to the inside. I'm specifying a route outside for the VPN pool subnet, which is also part of the aggregated route.
When I connect via the Cisco VPN client, my VPN client IP address is showing up in the ASA routing table as a /32, even though there is a route outside for the VPN pool subnet. This may not be a problem, but when I go to roll it out into production, there will be over 1000 /32 hosts in the ASA routing table. I would prefer this didn't happen since it will consume more memory than it has to. I'm not using RRI; as I mentioned, it is a simple basic RA config using split tunneling.
Can anyone confirm if this is normal behavior?
no crypto map vpn 65535 set reverse-route
Also, as Mudit said, it's not recommended to use the same range for the VPN pool that is being used on any other interface of the ASA. This may cause routing issues.
Thanks... I don't have set reverse-route enabled. When I try to remove it, it wipes out my crypto map vpn 65535 statement altogether. Even if you use a completely different VPN pool subnet that's not part of the aggregated route inside or any of the interfaces on my lab ASA firewall, it still shows a /32 host address. Is this by design? How can you disable this? If you have 1000 VPN clients connecting, you will have 1000 /32 host addresses in the ASA routing table pointing back to the outside. It doesn't care that you have the VPN pool subnet route outside in there.
Try this when you get a chance and you'll see what I'm talking about.
I'm running version 8.2.5ED.
Here is the lab VPN config below... I'm still seeing the /32 host in the routing table on the ASA. Can you connect to your own VPN using an ASA as the endpoint? Do you get the VPN client IP address showing up as a /32 route in the routing table?
route outside 0.0.0.0 0.0.0.0 168.x.x.x
route outside 172.16.205.216 255.255.255.248 168.x.x.x
route inside 172.16.0.0 255.240.0.0 172.16.205.130
route inside 134.x.x.x 255.x.x.x 172.16.205.130 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynomap 10 set transform-set ESP-AES-256-SHA ESP-AES-192-SHA ESP-AES-128-SHA
crypto map vpn 65535 ipsec-isakmp dynamic dynomap
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp policy 30
crypto isakmp nat-traversal 60
object-group network Split-Net
network-object 134.x.x.x 255.x.x.x
network-object 172.16.0.0 255.240.0.0
tunnel-group testvpn type remote-access
tunnel-group testvpn ipsec-attributes
access-list NoNat line 2 extended permit ip object-group Split-Net 172.16.205.216 255.255.255.248
nat (inside) 0 access-list NoNat
access-list SplitTunnel line 1 extended permit ip object-group Split-Net
group-policy DfltGrpPolicy attributes
wins-server value 134.x.x.x 134.x.x.x
dns-server value 134.x.x.x 134.x.x.x
address-pools value VPNPOOL
group-policy Split internal
group-policy Split attributes
split-tunnel-network-list value SplitTunnel
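Added example, not code from the thread or from Cisco: a small Python longest-prefix-match walk over an ASA-style routing table, modelled on the lab routes posted above, to make concrete what the /32 client entries and the "route outside" for the pool each do. The show route sample is constructed; 198.51.100.1 stands in for the redacted 168.x.x.x outside next hop, the inside connected subnet 172.16.205.128/26 is an assumption, and the two /32 entries represent two connected clients. A connected client is reached through its /32, an idle pool address through the /29 outside route, and if the /29 is dropped an idle pool address falls into the /12 aggregate pointing inside, which is the routing problem the second post describes.

```python
"""Longest-prefix-match walk over an ASA-style routing table.

Added illustration, not code from the thread. Shows why a /32 host route for
a connected VPN client beats both the /29 'route outside' for the pool and the
/12 aggregate 'route inside', and what happens if the pool route is missing.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    nexthop: str  # "connected" for directly connected entries


# Matches ASA 8.x "show route" static/default/connected lines, e.g.
#   S    172.16.205.216 255.255.255.248 [1/0] via 198.51.100.1, outside
#   C    172.16.205.128 255.255.255.192 is directly connected, inside
ROUTE_RE = re.compile(
    r"^\s*[A-Z*]+\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)|is directly connected)"
    r",\s+(?P<iface>\S+)"
)

# Constructed sample output modelled on the lab routes posted in the thread.
# 198.51.100.1 stands in for the redacted 168.x.x.x outside next hop, the
# inside connected subnet 172.16.205.128/26 is assumed, and the last two
# entries are the /32 host routes the ASA adds for two connected clients.
SAMPLE_SHOW_ROUTE = """\
S*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
S    172.16.205.216 255.255.255.248 [1/0] via 198.51.100.1, outside
S    172.16.0.0 255.240.0.0 [1/0] via 172.16.205.130, inside
C    172.16.205.128 255.255.255.192 is directly connected, inside
S    172.16.205.217 255.255.255.255 [1/0] via 198.51.100.1, outside
S    172.16.205.218 255.255.255.255 [1/0] via 198.51.100.1, outside
"""

VPN_POOL = "172.16.205.216/29"  # the /29 'route outside' from the posted config


def parse_show_route(text):
    """Turn 'show route' text into Route objects; unrecognised lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append(Route(net, m["iface"], m["via"] or "connected"))
    return routes


def longest_prefix_match(routes, dst):
    """Return the most specific route covering dst, as the forwarder would pick it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def host_routes_in_pool(routes, pool=VPN_POOL):
    """The per-client /32 entries that land inside the VPN pool."""
    pool_net = ipaddress.ip_network(pool)
    return [r for r in routes if r.prefix.prefixlen == 32 and r.prefix.subnet_of(pool_net)]


def without_route(routes, prefix):
    """Copy of the table with one prefix removed (to test dropping the pool route)."""
    p = ipaddress.ip_network(prefix)
    return [r for r in routes if r.prefix != p]


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    for dst in ("172.16.205.217", "172.16.205.219", "172.16.1.10"):
        r = longest_prefix_match(table, dst)
        print(f"{dst:16} -> {r.prefix} via {r.nexthop} ({r.iface})")
    # Connected client -> its /32; idle pool address -> the /29 outside;
    # drop the /29 and idle pool addresses fall into the /12 pointing inside.
    r = longest_prefix_match(without_route(table, VPN_POOL), "172.16.205.219")
    print(f"no pool route:   172.16.205.219 -> {r.prefix} ({r.iface})")
    print(f"host routes in pool: {len(host_routes_in_pool(table))}")
```

Run against real `show route` output instead of the constructed sample to count how many /32 entries sit inside the pool; the per-client /32 always wins longest-prefix match over the /29 regardless of whether the pool route is present, which is consistent with what the poster observes.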