Route Summarisation with EIGRP

KB ID 0001149

Problem

I’ve already written a post that lets you calculate a route summarisation. So now you have a method of advertising your routes more efficiently, what do you do with it? Well I’m at the EIGRP point in my studies so here’s how to implement it with EIGRP.

To demonstrate I’ve built the above network on GNS3, there is a loopback interface on the routers for each of those networks.

Solution

I’ve already set up EIGRP and, importantly, disabled auto-summarisation*. If we take a look at the routing table on the North router we can see the routes being learned from the South router;

*Note: If this exercise is about summarisation, why have I disabled auto-summarisation? Well, if I didn’t, the routers would see all the remote subnets as 10.0.0.0/8 and nothing would work!

And you will see the ‘opposite’ in the routing table on the South router;

And just to prove it’s not all smoke and mirrors, here’s the current EIGRP config on both routers;

Now, you actually apply the route summarisation on the network interface that the routes are advertised through (even though the IP of that network may not be in the networks you are summarising). It may seem a little odd that it’s not done in the ‘router eigrp {system number}’ part of the config. My routers both connect to each other via their GigabitEthernet1/0 interface.

Firstly, perform your route summarisation, and you should come up with 10.0.0.0/14 for the North router and 10.4.0.0/14 on the South router.

Apply the route summarisation on the GE1/0 interface;

[box]

interface GigabitEthernet1/0
ip summary-address eigrp 90 10.0.0.0 255.252.0.0

[/box]

If you are wondering, /14 is 255.252.0.0. I struggle to remember converting between short and long subnet notation, which is why I’ve got an IP subnet aide-mémoire.

Now configure the South router;

[box]

interface GigabitEthernet1/0
ip summary-address eigrp 90 10.4.0.0 255.252.0.0

[/box]

Now if you look on the routing tables of both routers, you will see the routes have been summarised.

Why is the summarised route listed twice? And why does one route point to Null0?

Well, to get your head round this you need to understand that ‘a more specific route always wins’, e.g. traffic to the 10.1.0.0 subnet behind router North that is arriving at router South will match a /16 (or /32) route, which is more specific than the /14 summarised route. OK, but Null0 drops the traffic? So let’s say all the remote networks in the North site ‘go down’. The South router now only has the 10.0.0.0/14 route left, so it would drop the traffic, which is good as those subnets are all down.
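To make the ‘more specific route wins’ rule and the Null0 discard route concrete, here is an added Python model of a routing table (example code written for this page, not the router’s own logic). It assumes the North router’s loopback networks are 10.0.0.0/16 to 10.3.0.0/16 (the page only gives their summary, 10.0.0.0/14); those subnets, the table and the interface names are constructed.

```python
import ipaddress

# Constructed routing table modelled on the North router after summarisation.
# Assumption (not stated on the page): North's loopback networks are
# 10.0.0.0/16 to 10.3.0.0/16, which summarise to 10.0.0.0/14.
# Null0 is the discard route EIGRP installs on the router that originates a summary.
def build_north_table(loopbacks_up=True):
    table = [
        ("10.0.0.0/14", "Null0"),               # own summary -> discard route
        ("10.4.0.0/14", "GigabitEthernet1/0"),  # summary learned from South
    ]
    if loopbacks_up:
        for i in range(4):
            table.append((f"10.{i}.0.0/16", f"Loopback{i}"))
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in table]


def lookup(table, dst):
    """Longest-prefix match: of all routes containing dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best  # (prefix, next_hop), or None when no route covers dst


def forward(table, dst):
    """Egress interface for dst, 'DROP' when the best match is Null0, 'NO ROUTE' otherwise."""
    match = lookup(table, dst)
    if match is None:
        return "NO ROUTE"
    prefix, next_hop = match
    return "DROP" if next_hop == "Null0" else next_hop


if __name__ == "__main__":
    up, down = build_north_table(), build_north_table(loopbacks_up=False)
    for dst in ("10.1.5.5", "10.5.1.1", "192.0.2.1"):
        print(f"{dst}: loopbacks up -> {forward(up, dst)}, loopbacks down -> {forward(down, dst)}")
```

With the loopbacks up, 10.1.5.5 goes out Loopback1 because the /16 beats the /14; once the /16s are withdrawn the same packet hits the Null0 summary and is discarded instead of being forwarded back towards South, which is exactly why the discard route exists.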

Related Articles, References, Credits, or External Links

Network Summarisation – Exam Technique and Examples

Cisco Router IOS – Configuring EIGRP

IP (v4) Networking Crib Sheet

Cisco ASA – Reverse Route Injection with EIGRP

KB ID 0001137 

Problem

I’ve followed your Reverse Route Injection article and it’s not working? This email dropped in my mailbox a while back. As it turns out, the article I had written was for OSPF, and this chap was using EIGRP. So I ran it up with EIGRP as well to test.

Here’s my topology; I want to inject the route for the remote site into my internal EIGRP routing table.

Solution

Assuming EIGRP is already set up between the ASA and the LAN (i.e. the core switch).

[box]

ASA

Petes-ASA# show run router
!
router eigrp 20
 no auto-summary
 network 10.1.0.0 255.255.0.0
 passive-interface default
 no passive-interface inside
 redistribute static
!

Switch

Core-SW#show run | sec router
router eigrp 20
 network 10.1.0.0 0.0.255.255
 network 10.2.0.0 0.0.255.255
 network 10.3.0.0 0.0.255.255
 no auto-summary

[/box]

Also assuming you already have a site to site VPN established and working.

[box]

Petes-ASA# show cry isakmp 

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.249.254
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 


Petes-ASA# show cry ipsec sa
interface: outside
    Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 192.168.253.254

      access-list VPN-INTERESTING-TRAFIC extended permit ip 10.1.0.0 255.255.0.0 10.250.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
      current_peer: 192.168.249.254

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

[/box]

Show the crypto map, then add the RRI.

[box]

Petes-ASA# show run crypto   
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs 
crypto map CRYPTO-MAP 1 set peer 192.168.249.254 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400


Petes-ASA# configure terminal 
Petes-ASA(config)# crypto map CRYPTO-MAP 1 set reverse-route
Petes-ASA(config)#

[/box]

Create a ‘prefix-list’ for the routes to inject (i.e. the remote LAN at the other end of the VPN tunnel).

[box]

Petes-ASA(config)# prefix-list PL-VPN-ROUTES description Route-Map For Injecting Remote VPN Routes
Petes-ASA(config)# prefix-list PL-VPN-ROUTES seq 5 permit 10.250.0.0/16

[/box]

Create a ‘route-map’ to inject your prefix-list.

[box]

Petes-ASA(config)# route-map RM-VPN-ROUTES permit 10
Petes-ASA(config-route-map)# match ip address prefix-list PL-VPN-ROUTES
Petes-ASA(config-route-map)# set metric 1200
Petes-ASA(config-route-map)# exit
Petes-ASA(config)# route-map RM-VPN-ROUTES deny 100

[/box]

With the tunnel up check your internal routing table;

Update: As pointed out by Steve Housego

You’ve missed the route-map off the re-distribute command,

[box]

router eigrp 20
redistribute static route-map RM-VPN-ROUTES

[/box]

[box]

Core-SW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/16 is subnetted, 4 subnets
C       10.2.0.0 is directly connected, GigabitEthernet2/0
C       10.3.0.0 is directly connected, GigabitEthernet3/0
C       10.1.0.0 is directly connected, GigabitEthernet1/0
D EX    10.250.0.0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
D*EX 0.0.0.0/0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0

[/box]
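To show what the prefix-list and route-map actually do to the ‘redistribute static’ command, here is an added Python evaluator (example code written for this page, not ASA code). It mirrors the PL-VPN-ROUTES and RM-VPN-ROUTES entries above and assumes two constructed static routes on the ASA: the RRI route for the remote LAN and the default route.

```python
import ipaddress

# Constructed candidates for 'redistribute static' on the ASA: the RRI route for the
# remote VPN LAN and the ASA's own default route.
STATIC_ROUTES = ["10.250.0.0/16", "0.0.0.0/0"]

# Mirrors the prefix-list configured above. Entries: (seq, action, prefix).
PREFIX_LISTS = {"PL-VPN-ROUTES": [(5, "permit", "10.250.0.0/16")]}

# Mirrors the route-map configured above. Entries: (seq, action, match clauses, set clauses).
ROUTE_MAPS = {"RM-VPN-ROUTES": [
    (10, "permit", {"prefix-list": "PL-VPN-ROUTES"}, {"metric": 1200}),
    (100, "deny", {}, {}),
]}


def prefix_list_permits(name, prefix):
    """Evaluate a prefix-list in sequence order. Entries without ge/le (the only kind
    used here) match the exact prefix; the end of every prefix-list is an implicit deny."""
    net = ipaddress.ip_network(prefix)
    for _seq, action, entry in sorted(PREFIX_LISTS[name], key=lambda e: e[0]):
        if ipaddress.ip_network(entry) == net:
            return action == "permit"
    return False


def apply_route_map(name, prefix):
    """Return the set clauses if the route-map permits the prefix, else None."""
    for _seq, action, match, set_clauses in sorted(ROUTE_MAPS[name], key=lambda e: e[0]):
        pl = match.get("prefix-list")
        matched = prefix_list_permits(pl, prefix) if pl else True  # no match clause = match everything
        if matched:
            return dict(set_clauses) if action == "permit" else None
    return None  # implicit deny when no entry matches


def redistributed(static_routes, route_map=None):
    """Prefixes that 'redistribute static [route-map X]' hands to EIGRP, with their set clauses."""
    if route_map is None:
        return {p: {} for p in static_routes}  # no route-map: every static route is redistributed
    result = {}
    for p in static_routes:
        clauses = apply_route_map(route_map, p)
        if clauses is not None:
            result[p] = clauses
    return result


if __name__ == "__main__":
    print("without route-map:", redistributed(STATIC_ROUTES))
    print("with route-map:   ", redistributed(STATIC_ROUTES, "RM-VPN-ROUTES"))
```

Without the route-map every static route, the default route included, is handed to EIGRP (which is what the D*EX 0.0.0.0/0 entry in the routing table above shows); with it, only 10.250.0.0/16 is redistributed, carrying the metric from the set clause. The explicit ‘deny 100’ entry is harmless but redundant, since a route-map already ends in an implicit deny.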

Related Articles, References, Credits, or External Links

Cisco ASA – Reverse Route Injection with OSPF

Cisco Router IOS – Configuring EIGRP

KB ID 0000929 

Problem

For the first time in about ten years I had to deal with EIGRP last week, so I thought I would run it up in a lab. Normally I would use GNS3, but for this procedure I’ll use Cisco Packet Tracer.

In fact I’ll include the files so you can download and use the lab yourself, (if you have a copy of Packet Tracer). And I’ll also include the configs for all the routers.

In the lab I’ve got three sites connected via serial connections, and one of those sites has the Internet connection.

As you can see I’ve used VLSM to split up the 192.168.0.0/24 subnet to create the six networks I need, (three on the sites, and three for the links).

Solution

1. I will start at the beginning with Router R1 in site 1. As you can see I’m going to give the FastEthernet 0/0 interface to the inside network (192.168.0.1/28). I will use Serial 3/0 to connect to Site 2 (192.168.64.2/30), and Serial 2/0 to connect to Site 1 (192.168.68.1/30). I will mirror these three settings around the network (going clockwise) and I will configure all the Serial 2/0 interfaces to set the clock speed for the serial links.

[box]

R1>enable
R1#configure terminal
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.240
R1(config-if)#no shutdown
R1(config-if)#interface Serial2/0
R1(config-if)#ip address 192.168.68.1 255.255.255.252
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config-if)#interface Serial3/0
R1(config-if)#ip address 192.168.64.2 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#end
R1#

[/box]

2. I will replicate those settings on routers R2 and R3 (Note: At this point I will not configure the Internet link, I’ll do that later).

[box]

Router 2

R2>enable
R2#configure terminal
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.16.1 255.255.255.240
R2(config-if)#no shutdown
R2(config-if)#interface Serial2/0
R2(config-if)#ip address 192.168.64.1 255.255.255.252
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
R2(config-if)#interface Serial3/0
R2(config-if)#ip address 192.168.72.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#end
R2#

Router 3

R3>enable
R3#configure terminal
R3(config)#interface FastEthernet0/0
R3(config-if)#ip address 192.168.32.1 255.255.255.240
R3(config-if)#no shutdown
R3(config-if)#interface Serial2/0
R3(config-if)#ip address 192.168.72.1 255.255.255.252
R3(config-if)#clock rate 64000
R3(config-if)#no shutdown
R3(config-if)#interface Serial3/0
R3(config-if)#ip address 192.168.68.2 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#end
R3#

[/box]

4. Configuring EIGRP:

Now I need to enable EIGRP with an AS number (see http://www.petenetlive.com/KB/Article/TechTerms#AS) of 1, then add all the networks that I want this router to advertise (don’t forget to add the subnet that connects each router to its neighbour). Once enabled, EIGRP will send routing updates onto each of these networks. As you can see from the diagram, this would mean the router sends routing information onto the LAN. While this won’t cause any problems, it does generate traffic that does not need to be on the LAN, so I’ve disabled that with a passive-interface* command.

*Note: If you have a lot of interfaces that you want to be passive, you can ‘swap the logic’ by using passive-interface default and then marking every interface you do want to advertise networks out of as no passive-interface.

I’ve also disabled auto-summary of networks. I’ve seen other pages and blogs that incorrectly say this makes EIGRP classless; EIGRP is classless out of the box! At a basic level, network summarisation is the process of advertising one route for many networks. This works best for contiguous networks (i.e. 192.168.1.x, 192.168.2.x, etc.). But if you let EIGRP auto-summarise for you, then this happens,

Above you can see it has added three more routes to networks that (at the moment) don’t exist, which is fine, but then you can NOT use those subnets in the future. If you did, and this router saw that traffic, it would send it to Null0 (i.e. drop the traffic). With auto-summary disabled, the router’s routing table is a lot cleaner (see below).

The last thing you will notice is that the subnet masks look a little strange: the network command takes wildcard masks. These are easy to work out, just subtract each octet of the subnet mask from 255, like so;

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 1
R1(config-router)#passive-interface FastEthernet0/0 
R1(config-router)#network 192.168.0.0 0.0.0.15
R1(config-router)#network 192.168.64.0 0.0.0.3
R1(config-router)#network 192.168.68.0 0.0.0.3
R1(config-router)#no auto-summary
R1(config-router)#end
R1#

[/box]
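To check the wildcard-mask arithmetic and the three network statements above, here is an added Python helper (example code written for this page, not Packet Tracer or IOS code). It takes the R1 interface addresses from step 1, derives the network statements, and also tests whether a given network statement actually covers an interface address, which is the usual reason an EIGRP neighbour fails to come up on a link; the interface table is constructed from this article’s addresses.

```python
import ipaddress

# Constructed from the R1 interface addresses configured in step 1 of this article.
R1_INTERFACES = {
    "FastEthernet0/0": "192.168.0.1/28",
    "Serial2/0": "192.168.68.1/30",
    "Serial3/0": "192.168.64.2/30",
}


def wildcard_mask(netmask):
    """Invert a dotted-decimal subnet mask: each octet becomes 255 minus the octet."""
    return ".".join(str(255 - int(octet)) for octet in str(netmask).split("."))


def eigrp_network_statements(interfaces):
    """One 'network <address> <wildcard>' line per distinct subnet, lowest subnet first."""
    subnets = sorted({ipaddress.ip_interface(cidr).network for cidr in interfaces.values()})
    return [f"network {net.network_address} {wildcard_mask(net.netmask)}" for net in subnets]


def network_covers(network, wildcard, interface_ip):
    """EIGRP's test for whether a network statement enables an interface: every address
    bit that is 0 in the wildcard must be identical in the statement and the interface."""
    care_bits = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(network)) & care_bits) == (
        int(ipaddress.ip_address(interface_ip)) & care_bits
    )


if __name__ == "__main__":
    print("router eigrp 1")
    for line in eigrp_network_statements(R1_INTERFACES):
        print(" " + line)
    for iface, cidr in R1_INTERFACES.items():
        addr = cidr.split("/")[0]
        net = ipaddress.ip_interface(cidr).network
        ok = network_covers(str(net.network_address), wildcard_mask(net.netmask), addr)
        print(f"{iface} {addr}: covered={ok}")
```

The generated lines match the R1 configuration above. The network_covers check is worth keeping to hand: a statement whose address and wildcard do not agree with the interface address (a typo in the third or fourth octet, say) is accepted by IOS without complaint, but EIGRP is simply never enabled on that interface.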

5. Repeat the process for routers R2 and R3.

[box]

Router 2

R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 1
R2(config-router)#passive-interface FastEthernet0/0 
R2(config-router)#network 192.168.16.0 0.0.0.15
R2(config-router)#network 192.168.64.0 0.0.0.3
R2(config-router)#network 192.168.72.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#end
R2#

Router 3

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router eigrp 1
R3(config-router)#passive-interface FastEthernet0/0 
R3(config-router)#network 192.168.32.0 0.0.0.15
R3(config-router)#network 192.168.72.0 0.0.0.3
R3(config-router)#network 192.168.68.0 0.0.0.3
R3(config-router)#no auto-summary
R3(config-router)#end
R3#

[/box]

6. EIGRP Adding a Route to the Internet

To add in the network’s ‘route out’, I need to bring up and configure another interface on router R3 (FastEthernet4/0). Then I will configure a default route (the gateway of last resort, GOLR) on that router, and add the new network into the advertised routes.

To get all the other routers to use the static route I’ve just configured on this router, I use the redistribute static command (while in config-router mode).

[box]

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface FastEthernet4/0
R3(config-if)#ip address 123.123.123.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#ip route 0.0.0.0 0.0.0.0 123.123.123.2
R3(config)#router eigrp 1
R3(config-router)#network 123.123.123.0 0.0.0.3
R3(config-router)#redistribute static
R3(config-router)#end
R3#

[/box]

7. Then I will add the ISP (Internet Router). I will also add this to the EIGRP AS group (though I could just use static routing.)

Note: In the lab I don’t have a link to the Internet so I’ll simply use the Loopback interface on the Internet router and give that the 4.2.2.2 IP address.

As a final ‘belt and braces’ approach, I will add a summary route back to the LAN. If you are unsure how to calculate a summary route, simply write your subnets out in binary; the mask length is the number of leading bits that all the subnets have in common, like so;

Summarisation for these networks will be 192.168.0.0/17 (255.255.128.0)
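The ‘write them out in binary’ method, as an added Python example (written for this page, not from the lab files). It serves both this step and the 10.0.0.0/14 summary in the EIGRP route summarisation article above: the six lab subnets are taken from this article’s VLSM plan, while the four 10.x /16s are an assumption standing in for the North site networks, since the page only gives their summary.

```python
import ipaddress

# Constructed inputs. The six lab subnets come from this article's VLSM plan; the
# four /16s stand in for the North site networks of the summarisation article above
# (the page gives only their summary, 10.0.0.0/14, so the /16s are an assumption).
LAB_SUBNETS = ["192.168.0.0/28", "192.168.16.0/28", "192.168.32.0/28",
               "192.168.64.0/30", "192.168.68.0/30", "192.168.72.0/30"]
NORTH_SUBNETS = ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]


def binary_rows(cidrs):
    """The 'write them out in binary' view: four 8-bit groups per network address."""
    rows = []
    for cidr in cidrs:
        bits = f"{int(ipaddress.ip_network(cidr).network_address):032b}"
        rows.append(".".join(bits[i:i + 8] for i in range(0, 32, 8)))
    return rows


def summarise(cidrs):
    """Smallest single prefix covering every network: the prefix length is the number
    of leading bits all the network addresses share, and never longer than the
    shortest mask among them."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    first = int(nets[0].network_address)
    prefix_len = min(n.prefixlen for n in nets)
    for n in nets[1:]:
        # XOR is 1 wherever the two addresses differ; the highest differing bit
        # bounds how many leading bits they share.
        differing = first ^ int(n.network_address)
        prefix_len = min(prefix_len, 32 - differing.bit_length())
    return ipaddress.ip_network((first, prefix_len), strict=False)


if __name__ == "__main__":
    for cidr, row in zip(LAB_SUBNETS, binary_rows(LAB_SUBNETS)):
        print(f"{cidr:>18}  {row}")
    summary = summarise(LAB_SUBNETS)
    print(f"summary: {summary} ({summary.netmask})")
```

For the lab subnets the first differing bit is the 64 bit of the third octet, so 17 leading bits are shared and the summary is 192.168.0.0/17 (255.255.128.0), as stated above. Note that a summary covers every address in the range, not just the subnets you listed; the gaps (192.168.48.0/28 here, for instance) are advertised as reachable too, which is the same trade-off the auto-summary discussion earlier in this article describes.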

[box]

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet4/0
Internet(config-if)#ip address 123.123.123.2 255.255.255.252
Internet(config-if)#no shutdown
Internet(config-if)#interface Loopback0
Internet(config-if)#ip address 4.2.2.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#router eigrp 1
Internet(config-router)#passive-interface Loopback0
Internet(config-router)#network 123.123.123.0 0.0.0.3
Internet(config-router)#no auto-summary
Internet(config-router)#ip route 0.0.0.0 0.0.0.0 Loopback0 
Internet(config)#ip route 192.168.0.0 255.255.128.0 FastEthernet4/0 
Internet(config)#

[/box]

Troubleshooting EIGRP

To perform basic troubleshooting use the following commands;

[box]

show ip protocols 

[/box]

[box]

show ip route 

[/box]

[box]

show ip eigrp neighbors

[/box]

[box]

show ip eigrp topology

[/box]

Related Articles, References, Credits, or External Links

Download the EIGRP Lab

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN

KB ID 0000954

Problem

A while back I uploaded a run-through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes, you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels, and even if you did, if you want each of your remote sites to talk to each other you have all those tunnels to configure as well.

To address that we have DMVPN. Rather than a point-to-point GRE tunnel, it uses multipoint GRE, which can have more than two endpoints; in fact it acts like a ‘network overlay’ that joins all the sites together. It is typically deployed in a hub-and-spoke configuration where one router (the hub) sits at the centre and each remote site (spoke) joins the multipoint GRE by tunnelling back to the hub. The magic part is that if one spoke needs to speak to another spoke, this is done by building a dynamic tunnel between them ‘on the fly’.

Below is the network topology I’m going to use;

Note: If you use GNS3, here’s the topology and configs for all the routers.

I have a main site that will be the ‘Hub Site’, and at that site MainSiteRTR will be the NHS (Next Hop Server) router. The remaining three sites will act as ‘spokes’, so my ‘network overlay’ will be 192.168.1.0/24.

Solution

Configure DMVPN Hub (NHS) Router

Before I start, all the sites are pre-configured as per figure 1 above; all the routers can see each other via EIGRP.

1. To begin, the setup looks very much like a standard GRE tunnel, but we define a source and no destination (we don’t need one, because we specify tunnel mode gre multipoint). There are two commands for the NHRP setup: ‘ip nhrp map multicast dynamic’ lets EIGRP information propagate to the ‘spokes’, and ‘ip nhrp network-id 1’ creates a group ID for the DMVPN group. All the spokes will need to share this ID to form tunnels with this NHS router.

[box]

MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#interface Tunnel0
MainSiteRTR(config-if)# ip address 192.168.0.1 255.255.255.0
MainSiteRTR(config-if)# ip nhrp map multicast dynamic
MainSiteRTR(config-if)# ip nhrp network-id 1
MainSiteRTR(config-if)# tunnel source 1.1.1.1
MainSiteRTR(config-if)# tunnel mode gre multipoint
*Mar 1 00:02:31.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
MainSiteRTR(config-if)#exit
*Mar 1 00:02:41.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
MainSiteRTR(config)#

[/box]

Configure the Branch ‘Spoke’ Routers

2. There are a few differences here. First, ‘ip nhrp map 192.168.0.1 1.1.1.1’ tells the branch router to map the 192.168.0.2 private IP permanently to the 1.1.1.1 public address. ‘ip nhrp map multicast 1.1.1.1’ tells the router to relay ALL its multicast traffic back to the hub router. ‘ip nhrp nhs 192.168.0.1’ tells the spoke router where the hub router is.

[box]

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#interface Tunnel0
Branch1(config-if)# ip address 192.168.0.2 255.255.255.0
Branch1(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch1(config-if)# ip nhrp map multicast 1.1.1.1
Branch1(config-if)# ip nhrp network-id 1
Branch1(config-if)# ip nhrp nhs 192.168.0.1
Branch1(config-if)# tunnel source 2.2.2.1
Branch1(config-if)# tunnel mode gre multipoint
*Mar 1 00:07:28.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch1(config-if)#exit
*Mar 1 00:07:38.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch1(config)#

[/box]

3. Then configure each branch router the same (apart from the tunnel source and the endpoint IP).

[box]

Branch 2 Router Config

Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#interface Tunnel0
Branch2(config-if)# ip address 192.168.0.3 255.255.255.0
Branch2(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch2(config-if)# ip nhrp map multicast 1.1.1.1
Branch2(config-if)# ip nhrp network-id 1
Branch2(config-if)# ip nhrp nhs 192.168.0.1
Branch2(config-if)# tunnel source 3.3.3.1
Branch2(config-if)# tunnel mode gre multipoint
Branch2(config-if)# exit
*Mar 1 00:09:32.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch2(config)#

Branch 3 Router Config

Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#interface Tunnel0
Branch3(config-if)# ip address 192.168.0.4 255.255.255.0
Branch3(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch3(config-if)# ip nhrp map multicast 1.1.1.1
Branch3(config-if)# ip nhrp network-id 1
Branch3(config-if)# ip nhrp nhs 192.168.0.1
Branch3(config-if)# tunnel source 4.4.4.1
Branch3(config-if)# tunnel mode gre multipoint
Branch3(config-if)# exit
*Mar 1 00:11:05.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch3(config)#
*Mar 1 00:11:15.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch3(config)#

[/box]

Verifying and Testing the DMVPN Setup

4. On the main site;

[box]

MainSiteRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         2.2.2.1     192.168.0.2    UP    never D
     1         3.3.3.1     192.168.0.3    UP    never D
     1         4.4.4.1     192.168.0.4    UP    never D

[/box]

5. On a branch site (Note: There is only one tunnel to the Main Site);

[box]

Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1     192.168.0.1    UP 00:08:24 S

[/box]

6. But if, from the same branch site, you ping another branch site, it will dynamically build a tunnel to that site as well. (Note: S denotes static and D denotes dynamic.)

[box]

Branch1#ping 192.168.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/60/108 ms

Branch1#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1     192.168.0.1    UP 00:08:52 S
     1         4.4.4.1     192.168.0.4    UP    never D

[/box]
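When you have more than a handful of spokes, reading ‘show dmvpn’ by eye stops scaling, so here is an added Python parser for that output (example code written for this page, not IOS code). It works over a constructed sample modelled on the Branch1 output above and includes a check a spoke should always pass: exactly one static, UP mapping to the hub, with every other entry dynamic. The hub address passed to the check is an assumption for the example.

```python
import re

# Constructed sample modelled on the Branch1 'show dmvpn' output above (after the ping).
SAMPLE_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1     192.168.0.1    UP 00:08:52 S
     1         4.4.4.1     192.168.0.4    UP    never D
"""

TUNNEL_RE = re.compile(r"^(Tunnel\d+), Type:(\w+), NHRP Peers:(\d+)")
PEER_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_dmvpn(text):
    """Return a list of tunnels, each with its type, the peer count the header declares,
    and one dict per NHRP peer row (nbma, tunnel, state, updown, attrb)."""
    tunnels = []
    current = None
    for line in text.splitlines():
        header = TUNNEL_RE.match(line)
        if header:
            current = {"interface": header.group(1), "type": header.group(2),
                       "declared_peers": int(header.group(3)), "peers": []}
            tunnels.append(current)
            continue
        row = PEER_RE.match(line)
        if row and current is not None:
            current["peers"].append({
                "entries": int(row.group(1)), "nbma": row.group(2), "tunnel": row.group(3),
                "state": row.group(4), "updown": row.group(5), "attrb": row.group(6)})
    return tunnels


def peers_by_attribute(tunnels, letter):
    """NBMA addresses whose Attrb column contains the given legend letter (S, D, N, ...)."""
    return [peer["nbma"] for t in tunnels for peer in t["peers"] if letter in peer["attrb"]]


def check_spoke(tunnels, hub_nbma):
    """Problems a spoke should not have: no static UP mapping to the hub, a static
    mapping to anything other than the hub, or a row count that disagrees with the header."""
    problems = []
    for t in tunnels:
        hub_rows = [p for p in t["peers"] if p["nbma"] == hub_nbma]
        if not hub_rows or "S" not in hub_rows[0]["attrb"] or hub_rows[0]["state"] != "UP":
            problems.append(f"{t['interface']}: no static UP mapping to hub {hub_nbma}")
        for p in t["peers"]:
            if p["nbma"] != hub_nbma and "D" not in p["attrb"]:
                problems.append(f"{t['interface']}: unexpected static peer {p['nbma']}")
        if len(t["peers"]) != t["declared_peers"]:
            problems.append(f"{t['interface']}: {len(t['peers'])} rows parsed, "
                            f"header declares {t['declared_peers']}")
    return problems


if __name__ == "__main__":
    parsed = parse_show_dmvpn(SAMPLE_SHOW_DMVPN)
    print("dynamic peers:", peers_by_attribute(parsed, "D"))
    print("static peers: ", peers_by_attribute(parsed, "S"))
    print("problems:     ", check_spoke(parsed, "1.1.1.1") or "none")
```

The Attrb column is matched as a whole token rather than a single letter because IOS combines flags (a NATed dynamic peer shows as DN, for example), so tests use ‘letter in attrb’ rather than equality.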

Protect and Encrypt the Tunnel(s) with IPSEC

7. BE AWARE: the traffic travelling over these tunnels is still being sent in cleartext; it has simply been ‘encapsulated’ with GRE. To rectify that we can protect the tunnels with IPSEC.

[box]

MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#crypto isakmp policy 10
MainSiteRTR(config-isakmp)# authentication pre-share
MainSiteRTR(config-isakmp)# encryption aes
MainSiteRTR(config-isakmp)# group 2
MainSiteRTR(config-isakmp)# hash sha
MainSiteRTR(config-isakmp)# crypto isakmp key Sh@reds3cret address 2.2.2.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 3.3.3.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 4.4.4.1
MainSiteRTR(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
MainSiteRTR(cfg-crypto-trans)# crypto ipsec profile PF-PNL
MainSiteRTR(ipsec-profile)# set transform-set TFS-PNL
MainSiteRTR(ipsec-profile)# interface Tunnel0
MainSiteRTR(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:25:34.055: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MainSiteRTR(config-if)# exit
MainSiteRTR(config)#

[/box]

8. Then simply repeat on the branch routers, the only difference is the peer addresses.

[box]

Branch 1 Router Config

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)# authentication pre-share
Branch1(config-isakmp)# encryption aes
Branch1(config-isakmp)# group 2
Branch1(config-isakmp)# hash sha
Branch1(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch1(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch1(ipsec-profile)# set transform-set TFS-PNL
Branch1(ipsec-profile)#interface Tunnel0
Branch1(config-if)# tunnel protection ipsec profile PF-PNL
Branch1(config-if)#exit
Branch1(config)#
*Mar 1 00:36:47.179: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch1(config)#

Branch 2 Router Config

Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#crypto isakmp policy 10
Branch2(config-isakmp)# authentication pre-share
Branch2(config-isakmp)# encryption aes
Branch2(config-isakmp)# group 2
Branch2(config-isakmp)# hash sha
Branch2(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch2(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch2(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch2(ipsec-profile)# set transform-set TFS-PNL
Branch2(ipsec-profile)#interface Tunnel0
Branch2(config-if)# tunnel protection ipsec profile PF-PNL
Branch2(config-if)#exit
Branch2(config)#
*Mar 1 00:37:57.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch2(config)#

Branch 3 Router Config

Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#crypto isakmp policy 10
Branch3(config-isakmp)# authentication pre-share
Branch3(config-isakmp)# encryption aes
Branch3(config-isakmp)# group 2
Branch3(config-isakmp)# hash sha
Branch3(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch3(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch3(ipsec-profile)# set transform-set TFS-PNL
Branch3(ipsec-profile)#interface Tunnel0
Branch3(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:39:10.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch3(config-if)#exit

[/box]

9. To test, re-establish the tunnels; this time you can see they are protected;

[box]

MainSiteRTR#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         3.3.3.1         QM_IDLE           1002    0 ACTIVE
1.1.1.1         4.4.4.1         QM_IDLE           1003    0 ACTIVE
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

[/box]

Download the DMVPN labs and have a play

Related Articles, References, Credits, or External Links

Cisco Simple GRE Tunnels (With IPSEC)

Implementing GDOI into DMVPN

KB ID 0000956 

Problem

Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and have them join an existing VPN solution without the need to add extra config at the ‘hub’ site.

One of the advantages of DMVPN is it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak to another spoke site, it will dynamically build a VPN tunnel to that spoke site.

That’s great, right? Well, it’s pretty cool, but there is a downside. There is a slight ‘lag’ while that dynamic VPN is established; for normal network traffic you probably won’t even notice, but if you are sending streaming media or voice traffic then it becomes more of a problem.

So if we had a system where all the routers had the same settings, the hub router wouldn’t need to ‘broker’ the initial connection, and the routers could get all their VPN settings from a central ‘server’. Well, that’s what GDOI gives us: we set up a router as a central ‘Key Server’ and all the other GDOI ‘Group Members’ register with the key server and get all their settings.

So I’ll use the same network that I built the DMVPN on; I’ve added another router that will be the ‘Key Server’, other than that the topology is the same.

Note: The GDOI Key Server cannot run on the DMVPN hub router.

Solution

GDOI Key Server Setup

1. Firstly, set up the requirements for ISAKMP phase 1. Note: here I’m using pre-shared keys; this does not scale well if you have a lot of sites, so you might want to look at a PKI solution and use certificates instead.

[box]

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

KS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
KS(config)#crypto isakmp policy 10
KS(config-isakmp)#encr aes
KS(config-isakmp)#authentication pre-share
KS(config-isakmp)#group 2
KS(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
KS(config)#

[/box]

2. Then set up the IPSEC phase 2 requirements, with a transform-set and a profile.

[box]

crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac

crypto ipsec profile PF-GDOI
set transform-set TS-GDOI

EXAMPLE

KS(config)#crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac
KS(cfg-crypto-trans)#crypto ipsec profile PF-GDOI
KS(ipsec-profile)#set transform-set TS-GDOI
KS(ipsec-profile)#

[/box]

3. The key server will use its certificate for authentication. If you DO have a PKI solution and this router has already enrolled with it, you can skip this step. If not, you need to generate a LOCAL certificate on the key server. (Note: This requires the device to have a hostname and domain name set.)

[box]

ip domain-name testbench.local
crypto key generate rsa modulus 2048

EXAMPLE

KS(config)#ip domain-name testbench.local
KS(config)#crypto key generate rsa modulus 2048

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
*Mar 1 00:17:13.591: %SSH-5-ENABLED: SSH 1.99 has been enabled
KS(config)#

[/box]

4. To set up the key server, create a group (GDOI-DMVPN) and give it an identity number; all members of the group will share this number. It uses the profile we created above, and will apply encryption based on ACL 123 (which we will create in a minute). Finally it sets the IP address that will be used as the key server’s (this is the IP in use on FastEthernet 0/0).

[box]

crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2

EXAMPLE

KS(config)#crypto gdoi group GDOI-DMVPN
KS(config-gdoi-group)#identity number 999
KS(config-gdoi-group)#server local
KS(gdoi-local-server)# rekey retransmit 10 number 2
KS(gdoi-local-server)# rekey authentication mypubkey rsa rsa
KS(gdoi-local-server)# rekey transport unicast
KS(gdoi-local-server)# sa ipsec 10
KS(gdoi-sa-ipsec)# profile PF-GDOI
KS(gdoi-sa-ipsec)# match address ipv4 123
KS(gdoi-sa-ipsec)# replay counter window-size 64
KS(gdoi-sa-ipsec)# address ipv4 5.5.5.2
KS(gdoi-local-server)#

[/box]

5. Create the ACL we specified above; this ACL will get downloaded to all the group members, as will the VPN profile, and they will then apply that profile to the traffic defined in the ACL. It’s an ‘interesting traffic’ ACL (if you are used to working with VPNs).

[box]

access-list 123 permit gre any any

EXAMPLE

KS(config)#access-list 123 permit gre any any
KS(config)#

[/box]

Setup GDOI Group Members

Note: These settings are the same for the DMVPN hub router and all the spoke routers.

6. As above we specify a matching phase 1 policy.

[box]

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)#encr aes
Branch1(config-isakmp)#authentication pre-share
Branch1(config-isakmp)#group 2
Branch1(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
Branch1(config)#

[/box]

7. Then join the router to the GDOI group.

[box]

crypto gdoi group GDOI-DMVPN
identity number 999
server address ipv4 5.5.5.2

EXAMPLE

Branch1(config)#crypto gdoi group GDOI-DMVPN
Branch1(config-gdoi-group)#identity number 999
Branch1(config-gdoi-group)#server address ipv4 5.5.5.2
Branch1(config-gdoi-group)#exit

[/box]

8. Then use that group to create a ‘crypto map’ and apply that map to the public interface that ‘faces outwards’. Note: normally when applying encryption to DMVPN you would apply your crypto to the tunnel interface; with GDOI you do NOT, it goes on the physical outside interface.

[box]

crypto map CM-GDOI 10 gdoi
set group GDOI-DMVPN
interface FastEthernet0/0
crypto map CM-GDOI

EXAMPLE

Branch1(config)#crypto map CM-GDOI 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
Branch1(config-crypto-map)#set group GDOI-DMVPN
Branch1(config-crypto-map)#interface FastEthernet0/0
Branch1(config-if)#crypto map CM-GDOI
*Mar 1 05:11:31.546: %CRYPTO-5-GM_REGSTER: Start registration to KS 5.5.5.2 for group GDOI-DMVPN using address 2.2.2.1
*Mar 1 05:11:31.582: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON

[/box]

9. Now I could add a route to my DMVPN network with a static statement (e.g. ip route 192.168.0.0 255.255.0.0 Tunnel0), but I’m using EIGRP anyway, so I can just advertise the DMVPN network into my EIGRP group.

[box]

router eigrp 20
network 192.168.0.0

EXAMPLE

Branch1(config)#router eigrp 20
Branch1(config-router)#network 192.168.0.0
Branch1(config-router)#exit
Branch1(config)#

[/box]

Testing GDOI

[box]

Branch1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: port 848
IKE SA: local 2.2.2.1/848 remote 5.5.5.2/848 Active
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Branch1#

Branch1#show crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-DMVPN
    Group Identity           : 999
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 5.5.5.2
    Group Server list        : 5.5.5.2

    GM Reregisters in        : 2042 secs
    Rekey Received           : never


    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 5.5.5.2:
   access-list  permit gre any any

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x93842CD3(2474912979)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2197)
        Anti-Replay : Disabled

[/box]
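Reading those two show commands by eye is fine in a lab; in production you want the same checks scripted so a group member that registered to the wrong key server, pulled a different policy, or is about to lose its TEK gets noticed. The following is an added example (not from the article and not Cisco code): a Python parser for the ‘show crypto gdoi’ output above, with the checks a defender would run against it. The expected key server, group identity and ACL are the article's own values; the 300 second lifetime threshold is an assumption.

```python
"""Parse 'show crypto gdoi' from a GET VPN group member and check it against
the policy the key server is supposed to be pushing.

Added example for the article above; the sample text is the Branch1 output the
article shows, the expected values come from the article's KS config, and the
lifetime threshold is an assumed alerting value, not an IOS default.
"""
import re

EXPECTED_KS = "5.5.5.2"              # address ipv4 5.5.5.2 on the key server
EXPECTED_IDENTITY = "999"            # identity number 999
EXPECTED_ACL = ["permit gre any any"]  # access-list 123 on the key server
MIN_TEK_LIFETIME_SEC = 300           # assumed: warn when the TEK is this close to expiry

# Sample input: the 'show crypto gdoi' output from the article (Branch1)
SHOW_CRYPTO_GDOI = """\
GROUP INFORMATION

    Group Name               : GDOI-DMVPN
    Group Identity           : 999
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 5.5.5.2
    Group Server list        : 5.5.5.2

    GM Reregisters in        : 2042 secs
    Rekey Received           : never


    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 5.5.5.2:
   access-list  permit gre any any

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x93842CD3(2474912979)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2197)
        Anti-Replay : Disabled
"""


def parse_show_crypto_gdoi(text):
    """Extract the fields worth monitoring from the free-form show output."""
    def field(label, pattern=r"(\S+)"):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*" + pattern, text, re.M)
        return m.group(1) if m else None

    lifetime = re.search(r"remaining key lifetime \(sec\):\s*\((\d+)\)", text)
    transform = re.search(r"^\s*transform:\s*(.+?)\s*$", text, re.M)
    aces = re.findall(r"^\s*access-list\s+(.*?)\s*$", text, re.M)
    return {
        "group_name": field("Group Name"),
        "group_identity": field("Group Identity"),
        "active_ks": field("Active Group Server"),
        "reregister_secs": int(field("GM Reregisters in", r"(\d+)") or 0),
        "rekey_received": field("Rekey Received"),
        "acl": [" ".join(a.split()) for a in aces],   # normalise the double spaces IOS prints
        "tek_lifetime_sec": int(lifetime.group(1)) if lifetime else None,
        "transform": transform.group(1) if transform else None,
        "anti_replay": field("Anti-Replay"),
    }


def check_group_member(info):
    """Return a list of human-readable findings; an empty list means the GM looks healthy."""
    findings = []
    if info["active_ks"] != EXPECTED_KS:
        findings.append(f"registered to unexpected key server {info['active_ks']}")
    if info["group_identity"] != EXPECTED_IDENTITY:
        findings.append(f"unexpected group identity {info['group_identity']}")
    if info["acl"] != EXPECTED_ACL:
        findings.append(f"downloaded policy differs from the key server's ACL: {info['acl']}")
    if (info["tek_lifetime_sec"] is not None
            and info["tek_lifetime_sec"] < MIN_TEK_LIFETIME_SEC
            and info["rekey_received"] == "never"):
        findings.append("TEK close to expiry and no rekey received yet")
    if info["anti_replay"] and info["anti_replay"].lower() != "enabled":
        findings.append("anti-replay disabled on the downloaded TEK; compare with the KS 'replay' setting")
    transform = (info["transform"] or "").lower()
    if "hmac" not in transform or any(w in transform for w in ("esp-des", "esp-3des", "esp-null")):
        findings.append(f"weak or unauthenticated transform: {info['transform']}")
    return findings


if __name__ == "__main__":
    for finding in check_group_member(parse_show_crypto_gdoi(SHOW_CRYPTO_GDOI)):
        print("WARNING:", finding)
```

Run against the article's own output it raises exactly one finding: the downloaded TEK reports Anti-Replay Disabled even though the key server was configured with ‘replay counter window-size 64’, which is the kind of mismatch between what you configured and what the members actually got that is worth chasing before relying on the policy.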

Complete GDOI with DMVPN Configs

Below I’ll show the configs, with the GDOI config highlighted in Red and the DMVPN config highlighted in blue.

[box]

GDOI Key Server Config

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac 
!
crypto ipsec profile PF-GDOI
set transform-set TS-GDOI
!
crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 5.5.5.2 255.255.255.252
speed auto
half-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 20
network 5.5.5.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 123 permit gre any any
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end

[/box]

DMVPN Hub Server Config

[box]


version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname MainSiteRTR
! 
boot-start-marker 
boot-end-marker 
! 
no aaa new-model 
memory-size iomem 5 
no ip icmp rate-limit unreachable 
ip cef
!
no ip domain lookup
! 
multilink bundle-name authenticated 
! 
archive 
log config 
hidekeys 
! 
crypto isakmp policy 10 
encr aes 
authentication pre-share 
group 2 
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
 
!
crypto gdoi group GDOI-DMVPN 
identity number 999 
server address ipv4 5.5.5.2 
!
crypto map CM-GDOI 10 gdoi 
set group GDOI-DMVPN 
! 
ip tcp synwait-time 5 
!
interface Tunnel0 
ip address 192.168.0.1 255.255.255.0 
no ip redirects 
ip nhrp map multicast dynamic 
ip nhrp network-id 1
tunnel source 1.1.1.1
tunnel mode gre multipoint 
! 
interface FastEthernet0/0 
ip address 172.16.1.1 255.255.0.0 
duplex auto 
speed auto 
! 
interface FastEthernet0/1 
ip address 1.1.1.1 255.255.255.252 
duplex auto 
speed auto 
crypto map CM-GDOI 
! 
interface FastEthernet1/0 
ip address 5.5.5.1 255.255.255.252 
duplex auto 
speed auto 
! 
router eigrp 20 
network 1.1.1.0 0.0.0.3 
network 5.5.5.0 0.0.0.3 
network 172.16.1.0 0.0.0.255 
network 192.168.0.0 
no auto-summary 
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 
! 
no ip http server 
no ip http secure-server 
! 
no cdp log mismatch duplex 
! 
control-plane 
! 
line con 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line aux 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line vty 0 4 
login 
! 
end

[/box]

Branch (Spoke) Routers

[box]

version 12.4
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname Branch1 
! 
boot-start-marker 
boot-end-marker 
! 
no aaa new-model
memory-size iomem 5 
no ip icmp rate-limit unreachable 
ip cef 
! 
no ip domain lookup 
! 
multilink bundle-name authenticated 
! 
archive
log config
hidekeys
! 
crypto isakmp policy 10
encr aes 
authentication pre-share 
group 2 
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0 
!
crypto gdoi group GDOI-DMVPN
identity number 999 
server address ipv4 5.5.5.2 
!
crypto map CM-GDOI 10 gdoi
set group GDOI-DMVPN 
! 
ip tcp synwait-time 5 
!
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
no ip redirects 
ip nhrp map 192.168.0.1 1.1.1.1 
ip nhrp map multicast 1.1.1.1 
ip nhrp network-id 1 
ip nhrp nhs 192.168.0.1
tunnel source 2.2.2.1
tunnel mode gre multipoint 
! 
interface FastEthernet0/0 
ip address 2.2.2.1 255.255.255.252 
duplex auto 
speed auto 
crypto map CM-GDOI 
! 
interface FastEthernet0/1
ip address 172.17.1.1 255.255.0.0
duplex auto 
speed auto 
! 
router eigrp 20 
network 2.2.2.0 0.0.0.3 
network 172.17.0.0 
network 192.168.0.0
no auto-summary
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 
! 
no ip http server 
no ip http secure-server 
! 
control-plane
! 
line con 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line aux 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line vty 0 4 
login 
! 
end

[/box]

Related Articles, References, Credits, or External Links

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN

Using OSPF over DMVPN

Cisco ASA 5505 Routing Between Two (Internal) VLANS

KB ID 0000869 

Problem

I had to set this up for a client this week. I’ve set up a DMZ on a 5505 before, and I’ve set up other VLANs to do other jobs, e.g. visitor Internet access, but this client needed a secondary VLAN setting up for IP phones. In addition I needed to route traffic between both of the internal VLANs.

I did an internet search and tried to find some configs I could reverse engineer; the few I found were old (pre version 8.3) ones, and the little info I got was mostly people in forums asking why theirs did not work. So I built a firewall with 8.2 code, worked out how to do it, then upgraded the firewall to version 9.1. Finally I picked out the relevant parts of the upgraded config.

Here’s the scenario I’m going to use for this example.

Solution

Before we start, yes I know the ASA is a firewall, not a router! A better solution would be to have either a router behind the firewall or (as is more common) a switch that is layer 3 capable, i.e. it can route.

Your ASA MUST have a Security Plus licence to be able to do this. Check your license version.

The commands you use will be different if your firewall is running an operating system earlier than 8.3; check your ASA version and proceed to the correct set of commands.

For firewalls running an operating system OLDER than 8.3, see the Pre Version 8.3 section below.

How to Setup VLAN Routing on an ASA 5505 (Version 8.3 and Newer)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

[box]


User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. As in the diagram (above) I have three VLANs: VLAN 0 is outside and will be connected to Ethernet 0/0, VLAN 1 is inside and will be connected to Ethernet 0/1, and VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I set up the IP addresses and add the VLANs to the physical interfaces.

Note: I don’t need to Add VLAN 1 to Ethernet 0/1, because all ports are in VLAN 1 by default.

[box]

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0 
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248 
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

[/box]

3. To get traffic working to the internet you will need to specify a ‘route’ to your outside router.

[box]

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]

4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through) and allow traffic to pass between interfaces.

[box]

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

[/box]

5. Out of the box, if you have not configured any access-lists, you can skip this step, as traffic will flow from a more secure interface (the inside and the phone VLAN) to a less secure interface (the outside) by default. Here I’m going to use an ACL and allow all traffic anyway.

[box]

Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112 

[/box]

6. Now set up ‘dynamic’ NAT so that all traffic leaving both the inside VLAN and the phone VLAN gets NATed to the public IP address.

[box]

Petes-ASA(config)# object network obj_any
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (inside,outside) dynamic interface
Petes-ASA(config-network-object)# object network obj_any-01
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,outside) dynamic interface

[/box]

7. Now set up ‘static’ NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get NATed.

[box]

Petes-ASA(config)# object network obj-192.168.12.0
Petes-ASA(config-network-object)# subnet 192.168.12.0 255.255.255.0
Petes-ASA(config-network-object)# nat (inside,PHONE_VLAN_112) static 192.168.112.0
Petes-ASA(config-network-object)# object network obj-192.168.112.0
Petes-ASA(config-network-object)# subnet 192.168.112.0 255.255.255.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,inside) static 192.168.112.0

[/box]

8. Enable routing, and set the MTU for all three VLANs.

[box]

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

[/box]

9. Save the changes, and give it a test.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]


Full Config for you to Copy and Paste;

[box]

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 112
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.254 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.248 
!
interface Vlan112
nameif PHONE_VLAN_112
security-level 100
ip address 192.168.112.254 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any 
!
object network obj-192.168.12.0
subnet 192.168.12.0 255.255.255.0
nat (inside,PHONE_VLAN_112) static 192.168.112.0
object network obj-192.168.112.0
subnet 192.168.112.0 255.255.255.0
nat (PHONE_VLAN_112,inside) static 192.168.112.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
nat (PHONE_VLAN_112,outside) dynamic interface
!
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
network 192.168.12.0 255.255.255.0
network 192.168.112.0 255.255.255.0
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]


How to Setup VLAN Routing on an ASA 5505 (Pre Version 8.3)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

[box]


User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. As in the diagram (above) I have three VLANs: VLAN 0 is outside and will be connected to Ethernet 0/0, VLAN 1 is inside and will be connected to Ethernet 0/1, and VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I set up the IP addresses and add the VLANs to the physical interfaces.

Note: I don’t need to Add VLAN 1 to Ethernet 0/1 because all ports are in VLAN 1 by default.

[box]

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0 
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248 
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

[/box]

3. To get traffic working to the internet you will need to specify a ‘route’ to your outside router.

[box]

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]

4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through) and allow traffic to pass between interfaces.

[box]

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

[/box]

5. Out of the box, if you have not configured any access-lists, you can skip this step, as traffic will flow from a more secure interface (the inside and the phone VLAN) to a less secure interface (the outside) by default. Here I’m going to use an ACL and allow all traffic anyway.

[box]

Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112

[/box]

6. Enable NAT so that all traffic leaving both the inside VLAN and the phone VLAN gets NATed to the public IP address.

[box]

Petes-ASA(config)# global (outside) 1 interface
Petes-ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Petes-ASA(config)# nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0

[/box]

7. Now set up ‘static’ NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get NATed.

[box]

Petes-ASA(config)# static (inside,PHONE_VLAN_112) 192.168.112.0 192.168.12.0 netmask 255.255.255.0 
Petes-ASA(config)# static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0

[/box]

8. Enable routing, and set the MTU for all three VLANs.

[box]

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

[/box]

9. Save the changes, and give it a test.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]


Full Config for you to Copy and Paste;

[box]

interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.254 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.248 
!
interface Vlan112
nameif PHONE_VLAN_112
security-level 100
ip address 192.168.112.254 255.255.255.0 
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 112
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any 
! 
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0
!
static (inside,PHONE_VLAN_112) 192.168.112.0 192.168.12.0 netmask 255.255.255.0 
static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
network 192.168.12.0 255.255.255.0
network 192.168.112.0 255.255.255.0
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124 

[/box]
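Steps 4 and 5 are the same in both versions of the procedure, and they are the two that people most often get wrong: with two interfaces at security-level 100, nothing passes between them until ‘same-security-traffic permit inter-interface’ is on, and once an access-group is applied inbound the ACL (with its implicit deny) replaces the default level-based behaviour. The following is an added example, not from the article and not Cisco code: a small Python model of that decision for the three interfaces the article configures, so you can see which flows are permitted before and after those two steps. Interface names, levels and ACLs are the article's; the sample flows are constructed and 203.0.113.5 is a documentation address.

```python
"""Model of the ASA's 'is this flow allowed?' decision for the 5505 layout above.

Added example for the article, not the ASA's real code. It models the
security-level rule, the two same-security-traffic commands and an inbound
access-group with its implicit deny; NAT and inspection are out of scope.
"""
import ipaddress

# Interfaces exactly as the article configures them: nameif -> security-level
ARTICLE_INTERFACES = {"inside": 100, "outside": 0, "PHONE_VLAN_112": 100}


class Asa5505:
    def __init__(self, interfaces, inter_interface=False, intra_interface=False):
        self.levels = dict(interfaces)
        self.inter_interface = inter_interface   # same-security-traffic permit inter-interface
        self.intra_interface = intra_interface   # same-security-traffic permit intra-interface
        self.access_groups = {}                  # ingress nameif -> [(action, src_net, dst_net)]

    def access_group_in(self, nameif, entries):
        """Apply an inbound ACL; entries are (action, source, destination) in CIDR or 'any'."""
        def net(s):
            return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
        self.access_groups[nameif] = [(a, net(s), net(d)) for a, s, d in entries]

    def permitted(self, ingress, egress, src, dst):
        """Return (allowed, reason) for a packet from src on ingress towards dst via egress."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        lvl_in, lvl_out = self.levels[ingress], self.levels[egress]
        # 1. Same-security restrictions are checked first; an ACL cannot override them.
        if ingress == egress and not self.intra_interface:
            return False, "hairpin: needs 'same-security-traffic permit intra-interface'"
        if ingress != egress and lvl_in == lvl_out and not self.inter_interface:
            return False, "equal levels: needs 'same-security-traffic permit inter-interface'"
        # 2. An inbound access-group on the ingress interface decides, ending in an implicit deny.
        acl = self.access_groups.get(ingress)
        if acl is not None:
            for action, s, d in acl:
                if src in s and dst in d:
                    return action == "permit", f"ACL entry: {action} {s} {d}"
            return False, "ACL: implicit deny"
        # 3. No ACL: higher-to-lower is allowed by default, lower-to-higher is not.
        if lvl_in > lvl_out:
            return True, "higher to lower level: allowed by default"
        if lvl_in < lvl_out:
            return False, "lower to higher level: denied without an ACL"
        return True, "equal levels with inter-interface enabled: allowed by default"


def asa_before_step_4():
    """The firewall with only the interfaces from step 2 configured."""
    return Asa5505(ARTICLE_INTERFACES)


def asa_as_configured():
    """The firewall after steps 4 and 5 (both versions of the article end up here)."""
    asa = Asa5505(ARTICLE_INTERFACES, inter_interface=True, intra_interface=True)
    asa.access_group_in("inside", [("permit", "192.168.12.0/24", "any")])            # access-list outbound
    asa.access_group_in("PHONE_VLAN_112", [("permit", "192.168.112.0/24", "any")])   # access-list VLAN112_outbound
    return asa


# Constructed flows (ingress, egress, src, dst); not from the article.
SAMPLE_FLOWS = [
    ("inside", "PHONE_VLAN_112", "192.168.12.10", "192.168.112.20"),
    ("PHONE_VLAN_112", "inside", "192.168.112.20", "192.168.12.10"),
    ("inside", "outside", "192.168.12.10", "203.0.113.5"),
    ("outside", "inside", "203.0.113.5", "192.168.12.10"),
    ("inside", "outside", "10.0.0.5", "203.0.113.5"),   # source not in the ACL: mis-addressed or spoofed host
    ("PHONE_VLAN_112", "PHONE_VLAN_112", "192.168.112.5", "192.168.112.6"),
]


def evaluate(asa, flows=SAMPLE_FLOWS):
    return [(flow, *asa.permitted(*flow)) for flow in flows]


if __name__ == "__main__":
    for label, asa in (("before step 4", asa_before_step_4()), ("as configured", asa_as_configured())):
        for flow, ok, why in evaluate(asa):
            print(f"{label:14} {flow[0]:>14} -> {flow[1]:<14} {'PERMIT' if ok else 'DENY  '} {why}")
```

The model also shows why the blanket ACLs in step 5 are not a regression: the only sources they permit are each VLAN's own subnet, so a host on the inside VLAN using an address outside 192.168.12.0/24 is dropped by the implicit deny rather than forwarded.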


Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – VPN Reverse Route Injection With OSPF

KB ID 0000982 

Problem

Reverse Route Injection (RRI) is the process that can be used on a Cisco ASA to take the route for an established VPN and populate/inject that route into the routing table of the other devices in its routing group.

In the example below, at the main site we have a Layer 3 switch that’s routing all the 192.168.x.x networks, and we have an established site-to-site VPN to a remote site. To access the web server at 172.16.1.10, the 192.168.x.x networks need a route to it.

I’m going to use OSPF (the ASA also supports EIGRP and RIP).

Solution

1. We already have a site-to-site VPN; let’s find out what crypto map it is using.

[box]

Main-GW# show run crypto map
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.60
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
Main-GW#

[/box]

2. So in this example it’s called CRYPTO-MAP 1; let’s enable reverse route injection for that crypto map.

[box]

Main-GW# configure terminal
Main-GW(config)# crypto map CRYPTO-MAP 1 set reverse-route

[/box]

3. Now create a ‘prefix-list’ that contains our remote VPN subnet. (Note: if you had a lot of remote subnets you could add them separately, or simply summarise them if they were contiguous networks.)

[box]

Main-GW(config)# prefix-list PL-VPN-ROUTES description Route-Map For Injecting Remote VPN Routes
Main-GW(config)# prefix-list PL-VPN-ROUTES seq 5 permit 172.16.0.0/16

[/box]

4. Now create a ‘route-map’ that uses our prefix-list.

[box]

Main-GW(config)# route-map RM-VPN-ROUTES permit 10
Main-GW(config-route-map)# match ip address prefix-list PL-VPN-ROUTES
Main-GW(config-route-map)# set metric 12000
Main-GW(config-route-map)# set metric-type type-1
Main-GW(config-route-map)# exit
Main-GW(config)# route-map RM-VPN-ROUTES deny 100 

[/box]

5. To be honest, you would already have OSPF set up at this point, but for completeness let’s run through the OSPF setup.

[box]

Main-GW(config)# router ospf 20
Main-GW(config-router)# router-id 192.168.1.1
Main-GW(config-router)# network 192.168.1.0 255.255.255.0 area 0
Main-GW(config-router)# log-adj-changes

[/box]

6. And while still in config-router mode, set it to redistribute our VPN network(s). Finally, remember the ASA won’t send out any networks without a default-information originate command.

[box]

Main-GW(config-router)# redistribute static subnets route-map RM-VPN-ROUTES
Main-GW(config-router)# default-information originate

[/box]

7. Save the changes.

[box]

Main-GW# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Main-GW#

[/box]

8. To make sure it has worked, look at the routing table on the core switch CORE-SW-01.

[box]

Core-SW-01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 123.123.123.123 to network 0.0.0.0

O E1 172.16.0.0/16 [110/12011] via 192.168.1.1, 00:00:04, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet0/1
C    192.168.50.0/24 is directly connected, GigabitEthernet0/2
C    192.168.100.0/24 is directly connected, GigabitEthernet0/3
O*E2 0.0.0.0/0 [110/1] via 192.168.1.1, 00:00:03, GigabitEthernet0/0

[/box]
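What the core switch ends up with is decided by the prefix-list and route-map from steps 3 and 4, and the note in step 3 hides a caveat worth making concrete: a prefix-list entry with no ‘le’ or ‘ge’ matches only that exact prefix length, so a second, more specific remote subnet would not be injected by the article's policy as written. The following is an added example, not from the article and not Cisco code: a Python model of IOS/ASA prefix-list and route-map evaluation applied to the article's PL-VPN-ROUTES and RM-VPN-ROUTES, plus the E1 cost arithmetic behind the [110/12011] shown in step 8. The RRI route is the article's; the other two candidate static routes and the ‘le 24’ variant are constructed, and the internal path cost of 11 is derived from the article's output rather than stated by it.

```python
"""Which static routes does RM-VPN-ROUTES let into OSPF, and at what cost?

Added example for the article; the prefix-list, route-map and metrics are the
article's, the extra candidate routes and the 'le 24' variant are constructed.
"""
import ipaddress


class PrefixList:
    """IOS/ASA-style prefix-list: ordered permit/deny entries with optional ge/le bounds."""

    def __init__(self, name):
        self.name = name
        self.entries = []   # (seq, action, network, ge, le)

    def add(self, seq, action, prefix, ge=None, le=None):
        self.entries.append((seq, action, ipaddress.ip_network(prefix), ge, le))
        self.entries.sort(key=lambda e: e[0])

    def matches(self, route):
        """'permit' or 'deny' for a route; an unmatched route hits the implicit deny."""
        route = ipaddress.ip_network(route)
        for _seq, action, net, ge, le in self.entries:
            # With neither ge nor le an entry matches only its own prefix length;
            # 'le N' extends the range up to N, 'ge N' starts it at N (up to /32 without le).
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else (32 if ge is not None else net.prefixlen)
            if route.subnet_of(net) and lo <= route.prefixlen <= hi:
                return action
        return "deny"


class RouteMap:
    """Ordered clauses; the first clause whose match succeeds decides the route."""

    def __init__(self, name):
        self.name = name
        self.clauses = []   # (seq, action, prefix_list_or_None, set_attributes)

    def add(self, seq, action, match_prefix_list=None, **set_attributes):
        self.clauses.append((seq, action, match_prefix_list, set_attributes))
        self.clauses.sort(key=lambda c: c[0])

    def evaluate(self, route):
        """Return (redistributed, attributes_set, deciding_sequence)."""
        for seq, action, pl, attrs in self.clauses:
            if pl is None or pl.matches(route) == "permit":   # no match statement = matches everything
                return (action == "permit", attrs if action == "permit" else {}, seq)
        return (False, {}, None)    # implicit deny at the end of a route-map


def build_policy(le=None):
    """PL-VPN-ROUTES and RM-VPN-ROUTES as in the article; le=24 is the constructed variant."""
    pl = PrefixList("PL-VPN-ROUTES")
    pl.add(5, "permit", "172.16.0.0/16", le=le)
    rm = RouteMap("RM-VPN-ROUTES")
    rm.add(10, "permit", pl, metric=12000, metric_type="type-1")
    rm.add(100, "deny")
    return rm


def ospf_external_cost(metric_type, external_metric, internal_cost):
    """Cost a neighbour shows for a redistributed route: E1 adds the path cost, E2 does not."""
    return external_metric + internal_cost if metric_type == "type-1" else external_metric


# Candidate static routes: the RRI route from the article plus two constructed ones.
CANDIDATE_STATICS = ["172.16.0.0/16", "172.16.5.0/24", "10.20.0.0/16"]


def redistributed(route_map, statics=CANDIDATE_STATICS):
    """Map each candidate static route to the route-map's verdict."""
    return {r: route_map.evaluate(r) for r in statics}


if __name__ == "__main__":
    for name, rm in (("article", build_policy()), ("with le 24", build_policy(le=24))):
        for route, (ok, attrs, seq) in redistributed(rm).items():
            print(f"{name:10} {route:16} {'inject' if ok else 'drop  '} clause {seq} {attrs}")
    # The core switch shows [110/12011] for 172.16.0.0/16: metric 12000 plus an 11-cost path
    print(ospf_external_cost("type-1", 12000, 11))
```

With the article's policy only 172.16.0.0/16 is injected; 172.16.5.0/24 falls through to the deny 100 clause because sequence 5 matches a /16 and nothing else, which is why a multi-subnet remote site needs either one entry per subnet or a summary entry with ‘le’. The deny 100 clause is also what keeps every other static route on the ASA out of OSPF, so it belongs in the route-map even though the implicit deny would do the same job.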


Related Articles, References, Credits, or External Links

Cisco ASA 5500 – VPN Reverse Route Injection With EIGRP