Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Catch 22 or Misunderstanding with IPSEC and OSPF?

Hi Folks,

We're in the process of establishing a VPN tunnel to a business partner who wants us to NAT down the created tunnel translating both source and destination addresses.  We use OSPF in a single large area to manage our routing and do static routes as little as possible if at all.  I think I have a weird problem with what they are asking me to do (they're flat and statically route) but I could be wrong/confused.

Topology goes;

[Our ASA 5500] -------- [ Our 3845 Router] -------------------( CAT PICTURES (INTERNET) ) ------------  [  Their ASA they only use as a VPN endpoint ]----[SRX]

I have IPSEC configured on the 3845 router to create a tunnel to them.  I also have a static route for the address that they are exposing as NATted destination IPs for us.  I have a NAT rule on the ASA which translates packets sent to the destination and gives them the source which is the only source they'll accept from.   The tunnel interface has been raised with no shutdown, but line protocol is down because no interesting traffic has attempted to traverse it yet.  The reason no interesting traffic has attempted to traverse it, is because there is no route to it, because distributing the static route into OSPF can only happen once the tunnel interface is up and the route is active, which doesn't happen until traffic gets to it....  you get the idea.

Have I misunderstood something or can a route to a tunnel not be distributed into OSPF because until traffic is routed to the tunnel it won't raise?


Catch 22 or Misunderstanding with IPSEC and OSPF?

Can you post your config? And, optionally, some cat pictures...

CreatePlease to create content