
Reg. distributing the dynamic routes via S2S VPN

ankurs2008
Level 1

Hi halijenn / experts,

1) Please let me know if RRI works on Site to Site tunnel

2) I have a network behind Remote ASA 10.10.1.0 and 10.10.2.0 which needs to be distributed to another Branch ASA having S2S with Remote ASA via OSPF

3) There is an L3 Switch behind the Branch ASA, and behind the L3 Switch there is a Router which has a default route pointing to the WAN Router

        WAN Router         
               |
               |
Users -> Router -> L3 Switch -> Branch ASA -> Internet -> Remote ASA (10.10.1.0 , 2.0)

Note: 10.10.1.0 and 2.0 are already configured in the Crypto ACL at both ends.

Users are able to reach the 10.10.2.X network of the remote end.

Now for 10.10.2.0, static routes are already there in the router and switch, which eventually point to the Branch ASA. However, as the network grows, it is not feasible to add static routes on the Router behind the switch every time (as the default route points to the WAN Router). Hence, in order to learn the routes dynamically, I will add an OSPF process on the Branch ASA with the following configuration. Please let me know if I am correct in adding RRI and the other OSPF commands on the Branch ASA. (I hope I have nothing to do on the Remote ASA related to RRI or OSPF?)

I am just taking the example of one remote host, 10.10.1.4. The inside interface of the ASA leading to the users is 172.16.1.0/24.


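! Standard ACL matching the remote host (the "host" keyword takes no netmask)
access-list redistribute standard permit host 10.10.1.4
! Route-map named by the redistribute command below
route-map redistribute permit 10
 match ip address redistribute

router ospf 1
 network 172.16.1.0 255.255.255.0 area 0
 log-adj-changes
 ! Redistribute only the static routes permitted by the route-map
 redistribute static subnets route-map redistribute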

In addition to that, I will also be enabling the command for RRI in the crypto map of the said S2S VPN.

Please help me figure out if I am correct.

5 Replies

Jennifer Halim
Cisco Employee

1) Yes, RRI works for S2S tunnel using: "crypto map set reverse-route" on the branch ASA for the crypto map towards the remote ASA connection.

3) Yes, you are absolutely correct. Nothing needs to be configured on the remote router. RRI should be configured on the branch ASA which is running OSPF, and RRI will be seen as static routes, therefore you would need to redistribute static routes into OSPF on branch ASA.

Hope that confirms it.

Hi halijenn,

Thanks a ton! I also wanted to tell you that currently OSPF is not configured on the Branch ASA and I am about to configure it. So I just want to clarify: if I create an OSPF process, will it hamper any of the neighbouring networks? Currently there are some static routes on it and a default route pointing towards the Remote VPN ASA. Or alternatively, will OSPF work at all, as the static routes will always take priority over OSPF? Hence, do I need to remove all the statics which are mentioned as "route inside 192.168.1.30" in the Branch ASA, considering that the downstream switch IP is 192.168.1.30? What I exactly want is that the current network flow should not be disturbed and the route for the Remote ASA should be injected into it as well. Please let me know your expert opinion.

Please configure the OSPF process first on the ASA before removing the static routes. Once you have confirmed that OSPF is configured properly and the routes are in the OSPF database, then you can remove the static routes. Static routes will always take precedence over OSPF because they have a higher metric. Please keep the default route configured on the ASA.

Hope that confirms it.

Thanks a ton halijenn !!!

You are welcome, and thanks.
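
The steps discussed in this thread, put together as one Branch ASA change in the order the replies recommend. This is an added example, not configuration posted by anyone in the thread: the crypto map name and sequence number, the ACL and route-map names, and the /24 masks are assumptions, and it assumes the L3 switch and router behind the ASA run OSPF in area 0.

```cisco
! Added example. OUTSIDE_MAP, sequence 10, RRI_NETS and RRI_TO_OSPF are
! assumed names; use the crypto map entry that already carries the S2S
! tunnel to the Remote ASA. The /24 masks are assumed as well.

! Step 1 (config mode, Branch ASA only): enable RRI on the existing entry.
! The networks in the crypto ACL are then installed as static routes.
crypto map OUTSIDE_MAP 10 set reverse-route

! Step 2: permit only the remote VPN networks, so that no other static
! route configured on the Branch ASA is redistributed into OSPF.
access-list RRI_NETS standard permit 10.10.1.0 255.255.255.0
access-list RRI_NETS standard permit 10.10.2.0 255.255.255.0
route-map RRI_TO_OSPF permit 10
 match ip address RRI_NETS

! Step 3: run OSPF on the inside network and redistribute the filtered
! static routes.
router ospf 1
 network 172.16.1.0 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets route-map RRI_TO_OSPF

! Step 4 (exec mode): verify before removing any existing static route.
show route
show ospf neighbor
show ospf database
! Expected: 10.10.1.0 and 10.10.2.0 appear as static routes in "show route"
! and as external LSAs in the OSPF database. Only after that should the
! static routes for these networks be removed from the router and switch.
! The default route on the ASA stays in place.
```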
