Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Reverse Route Injection for VPN Remote Clients

Hi Everyone,

need to confirm if reverse route injection is only used for Site to site VPN?

Also say we have two sites using site to site vpn

Site A                                                         Site B

Private IP                                                   PRivate IP

172.16.x.x                                                    172.20.x.x

Now as we have site to site VPN we can either enable the NAT- T  option that will allow IP 172.16 to reach site B  as 172.16 only.

Not changing the IP.

Option 2

IF we do not enable NAT-T  and if we enable Revese route injection and we are using say protocol ospf on ASAs at site A and B.

In this case we enable RRI so that we can advertise the private route 172.16. over the internet to site B right?

Regards

MAhesh

  • VPN
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Reverse Route Injection for VPN Remote Clients

Hello Manesh,

"Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN Clients or LAN LAN sessions."

Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

So, RRI permits the ASA learn routing information for connected peers, and advertise it via RIP or OSPF.

NAT-T is automatically detected and used when either the local or the remote peer is behind NAT.

To answer your question:

If NAT-T is required and enabled, then it will be automatically used by the VPN peers. Then, with RRI in place, the remote networks will be added to the routing table as static routes, so they can be advertised by OSPF.

HTH.

Please rate any helpful posts.

3 REPLIES

Re: Reverse Route Injection for VPN Remote Clients

Hello Manesh,

"Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN Clients or LAN LAN sessions."

Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

So, RRI permits the ASA learn routing information for connected peers, and advertise it via RIP or OSPF.

NAT-T is automatically detected and used when either the local or the remote peer is behind NAT.

To answer your question:

If NAT-T is required and enabled, then it will be automatically used by the VPN peers. Then, with RRI in place, the remote networks will be added to the routing table as static routes, so they can be advertised by OSPF.

HTH.

Please rate any helpful posts.

New Member

Reverse Route Injection for VPN Remote Clients

Many thanks

MAhesh

Reverse Route Injection for VPN Remote Clients

You are welcome

297
Views
0
Helpful
3
Replies