Cisco ASA – Reverse Route Injection with EIGRP

KB ID 0001137 

Problem

“I’ve followed your Reverse Route Injection article and it’s not working?” This email dropped in my mailbox a while back. As it turns out, the article I had written was for OSPF, and this chap was using EIGRP. So I ran it up with EIGRP as well to test.

Here’s my topology. I want to inject the route for the remote site (the network behind the VPN peer) into my internal EIGRP routing table.

Solution

Assuming EIGRP is already set up between the ASA and the LAN (i.e. the core switch).

[box]

ASA

Petes-ASA# show run router
!
router eigrp 20
 no auto-summary
 network 10.1.0.0 255.255.0.0
 passive-interface default
 no passive-interface inside
 redistribute static
!

Switch

Core-SW#show run | sec router
router eigrp 20
 network 10.1.0.0 0.0.255.255
 network 10.2.0.0 0.0.255.255
 network 10.3.0.0 0.0.255.255
 no auto-summary

[/box]

Also assuming you already have a site-to-site VPN established and working.

[box]

Petes-ASA# show cry isakmp 

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.249.254
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 


Petes-ASA# show cry ipsec sa
interface: outside
    Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 192.168.253.254

      access-list VPN-INTERESTING-TRAFIC extended permit ip 10.1.0.0 255.255.0.0 10.250.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
      current_peer: 192.168.249.254

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

[/box]

Show the crypto map, then add RRI to the crypto map entry that matches the VPN’s interesting-traffic ACL (entry 1 of CRYPTO-MAP here). RRI takes the remote (destination) networks from that ACL and installs them as static routes on the ASA, which is why the routing protocol then has to redistribute static routes to pass them on.

[box]

Petes-ASA# show run crypto   
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs 
crypto map CRYPTO-MAP 1 set peer 192.168.249.254 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400


Petes-ASA# configure terminal 
Petes-ASA(config)# crypto map CRYPTO-MAP 1 set reverse-route
Petes-ASA(config)#

[/box]

Create a ‘prefix-list’ for the routes to inject (i.e. the remote LAN at the other end of the VPN tunnel). This must be the same network as the destination side of the crypto ACL (10.250.0.0/16 above): a prefix-list entry with no ge/le matches that exact prefix length only, so a /16 entry would not match a /24 remote subnet.

[box]

Petes-ASA(config)# prefix-list PL-VPN-ROUTES description Route-Map For Injecting Remote VPN Routes
Petes-ASA(config)# prefix-list PL-VPN-ROUTES seq 5 permit 10.250.0.0/16

[/box]

Create a ‘route-map’ that matches your prefix-list. The name has to match the prefix-list exactly; a route-map that refers to a prefix-list that does not exist matches nothing, and nothing gets redistributed.

[box]

Petes-ASA(config)# route-map RM-VPN-ROUTES permit 10
Petes-ASA(config-route-map)# match ip address prefix-list PL-VPN-ROUTES
Petes-ASA(config-route-map)# set metric 1200
Petes-ASA(config-route-map)# exit
Petes-ASA(config)# route-map RM-VPN-ROUTES deny 100

[/box]

Update: As pointed out by SteveH, the route-map also needs to be referenced from the redistribute command under router eigrp, otherwise the ASA ignores the prefix-list and redistributes every static route it has:

[box]

Petes-ASA(config)# router eigrp 20
Petes-ASA(config-router)# redistribute static route-map RM-VPN-ROUTES

[/box]

A few caveats before you look at the switch. The ‘set metric 1200’ in the route-map is a single value, whereas EIGRP uses a five-part composite metric (bandwidth, delay, reliability, load, MTU), so do not expect that number to show up as-is on the switch; if you need to control the metric, use ‘redistribute static metric <bandwidth> <delay> <reliability> <load> <mtu> route-map RM-VPN-ROUTES’ or ‘default-metric’ under router eigrp. The 0.0.0.0/0 in the output below is the ASA’s static default route, picked up by the unfiltered ‘redistribute static’; with the route-map attached only the prefixes in PL-VPN-ROUTES are redistributed, so add ‘prefix-list PL-VPN-ROUTES seq 10 permit 0.0.0.0/0’ if the switch should still learn its default route from the ASA. Finally, on a static crypto map the ASA installs the RRI route as soon as ‘set reverse-route’ is configured, whether or not the tunnel is up, so the route appearing on the switch proves the redistribution works, not that the VPN is up; later ASA releases (9.7 onwards) accept ‘set reverse-route dynamic’ to add the route only while the IPsec SA exists.

With the tunnel up, check your internal routing table:

[box]

Core-SW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/16 is subnetted, 4 subnets
C       10.2.0.0 is directly connected, GigabitEthernet2/0
C       10.3.0.0 is directly connected, GigabitEthernet3/0
C       10.1.0.0 is directly connected, GigabitEthernet1/0
D EX    10.250.0.0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
D*EX 0.0.0.0/0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0

[/box]
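Every failure mode in this procedure is a quiet one: the ASA happily accepts a route-map that names a prefix-list that does not exist, a ‘redistribute static’ with no route-map, or a prefix-list entry that does not exactly match the crypto ACL’s remote network, and the only symptom is a route that never appears on the switch. The Python script below is an added example, not the article’s or Cisco’s code: it lints a ‘show running-config’ excerpt for exactly those slips. The embedded config is a constructed copy of the setup above with the prefix-list name deliberately misspelled in the route-map, so you can see what the check reports, and FIXED_CONFIG is the same text with the name corrected.

```python
"""Lint a Cisco ASA config excerpt for the reverse-route-injection chain
(crypto map -> set reverse-route -> prefix-list -> route-map -> redistribute).
Added example, not the article's or Cisco's code; it reads only the
'address netmask' ACL form and the plain-text commands used in the article."""
import ipaddress
import re

# Constructed sample of the article's setup; the route-map deliberately names
# PL-VPN-ROUTE while the prefix-list is called PL-VPN-ROUTES.
SAMPLE_CONFIG = """\
access-list VPN-INTERESTING-TRAFIC extended permit ip 10.1.0.0 255.255.0.0 10.250.0.0 255.255.0.0
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set reverse-route
prefix-list PL-VPN-ROUTES seq 5 permit 10.250.0.0/16
route-map RM-VPN-ROUTES permit 10
 match ip address prefix-list PL-VPN-ROUTE
router eigrp 20
 redistribute static route-map RM-VPN-ROUTES
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace("prefix-list PL-VPN-ROUTE\n", "prefix-list PL-VPN-ROUTES\n")

def _lines(cfg):
    return [ln.rstrip() for ln in cfg.splitlines() if ln.strip()]

def crypto_acl_remote_nets(cfg, acl):
    # Destination side of each 'permit ip A MASK B MASK' ACE: what RRI installs as static routes.
    nets = []
    for ln in _lines(cfg):
        tok = ln.split()
        if tok[:5] == ["access-list", acl, "extended", "permit", "ip"] and len(tok) == 9:
            nets.append(ipaddress.ip_network(f"{tok[7]}/{tok[8]}", strict=False))
    return nets

def prefix_lists(cfg):
    # name -> [(action, network)]; an entry without ge/le matches that exact length only.
    pls = {}
    for ln in _lines(cfg):
        m = re.match(r"^prefix-list (\S+) seq \d+ (permit|deny) (\S+)$", ln)
        if m:
            pls.setdefault(m[1], []).append((m[2], ipaddress.ip_network(m[3])))
    return pls

def route_maps(cfg):
    # name -> [{'seq', 'action', 'prefix_lists'}]; a non-indented line ends a clause.
    rms, cur = {}, None
    for ln in _lines(cfg):
        m = re.match(r"^route-map (\S+) (permit|deny) (\d+)$", ln)
        if m:
            cur = {"seq": int(m[3]), "action": m[2], "prefix_lists": []}
            rms.setdefault(m[1], []).append(cur)
        elif not ln.startswith(" "):
            cur = None
        elif cur is not None:
            m = re.match(r"^\s+match ip address prefix-list (.+)$", ln)
            if m:
                cur["prefix_lists"] += m[1].split()
    return rms

def crypto_map_entries(cfg):
    # (map, seq) -> {'acl': interesting-traffic ACL or None, 'rri': reverse-route present?}
    ent = {}
    for ln in _lines(cfg):
        m = re.match(r"^crypto map (\S+) (\d+) (match address (\S+)|set reverse-route)", ln)
        if m:
            e = ent.setdefault((m[1], int(m[2])), {"acl": None, "rri": False})
            e["acl"] = m[4] or e["acl"]
            e["rri"] = e["rri"] or m[4] is None
    return ent

def redistribute_route_map(cfg):
    # Route-map named on 'redistribute static' under the routing process; None if absent.
    for ln in _lines(cfg):
        m = re.match(r"^\s+redistribute static\b.*?route-map (\S+)", ln)
        if m:
            return m[1]
    return None

def lint_rri(cfg):
    # Returns a list of findings; an empty list means the RRI chain is consistent.
    findings, permitted = [], []
    pls, rms = prefix_lists(cfg), route_maps(cfg)
    rm_name = redistribute_route_map(cfg)
    if rm_name is None:
        findings.append("'redistribute static' is missing or has no route-map (without one every static route, default included, is redistributed)")
    elif rm_name not in rms:
        findings.append(f"redistribute static references undefined route-map {rm_name}")
    for name, clauses in rms.items():
        for c in clauses:
            for pl in c["prefix_lists"]:
                if pl not in pls:
                    findings.append(f"route-map {name} seq {c['seq']} references undefined prefix-list {pl}")
                elif name == rm_name and c["action"] == "permit":
                    permitted += [n for a, n in pls[pl] if a == "permit"]
    for (cmap, seq), e in crypto_map_entries(cfg).items():
        if not e["rri"]:
            findings.append(f"crypto map {cmap} {seq} has no 'set reverse-route'")
        elif e["acl"]:
            for net in crypto_acl_remote_nets(cfg, e["acl"]):
                if net not in permitted:  # exact match, like a prefix-list entry without ge/le
                    findings.append(f"remote network {net} from {e['acl']} is not permitted by the redistribute route-map")
    return findings
```

Run lint_rri() over the relevant sections of your own ‘show running-config’ pasted into one string; on SAMPLE_CONFIG it reports the undefined prefix-list and, as a consequence, that 10.250.0.0/16 is not permitted, while FIXED_CONFIG comes back clean. Object-based ACEs and prefix-list entries with ge/le are outside what it models, so treat a clean result as a sanity check, not proof.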

Related Articles, References, Credits, or External Links

Cisco ASA – Reverse Route Injection with OSPF

Cisco ASA 5500 – VPN Reverse Route Injection With OSPF

KB ID 0000982 

Problem

Reverse Route Injection (RRI) is a mechanism on a Cisco ASA that takes the remote network(s) of an established VPN’s crypto map, installs them as static routes, and lets you redistribute those routes into the routing tables of the other devices in its routing domain.

In the example below, on the main site, we have a Layer 3 switch that’s routing all the 192.168.x.x networks, and we have an established site to site VPN to a remote site. To access the web server at 172.16.1.10 the 192.168.x.x networks need a route to it.

I’m going to use OSPF (the ASA also supports EIGRP and RIP).

Solution

1. We already have a site-to-site VPN; let’s find out which crypto map it is using.

[box]

Main-GW# show run crypto map
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.60
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
Main-GW#

[/box]

2. So in this example it’s entry 1 of CRYPTO-MAP; let’s enable reverse route injection for that crypto map entry.

[box]

Main-GW# configure terminal
Main-GW(config)# crypto map CRYPTO-MAP 1 set reverse-route

[/box]

3. Now create a ‘prefix-list’ that contains our remote VPN subnet, matching the destination side of the crypto ACL exactly (a prefix-list entry without ge/le matches that exact prefix length only). Note: if you had a lot of remote subnets you could add them separately, or, if they were contiguous networks, cover them with one summary entry plus a ‘le’ length (e.g. ‘permit 172.16.0.0/16 le 24’) so the more specific RRI routes still match.

[box]

Main-GW(config)# prefix-list PL-VPN-ROUTES description Route-Map For Injecting Remote VPN Routes
Main-GW(config)# prefix-list PL-VPN-ROUTES seq 5 permit 172.16.0.0/16

[/box]

4. Now create a ‘route-map’ that uses our prefix-list (the name has to match the prefix-list exactly).

[box]

Main-GW(config)# route-map RM-VPN-ROUTES permit 10
Main-GW(config-route-map)# match ip address prefix-list PL-VPN-ROUTES
Main-GW(config-route-map)# set metric 12000
Main-GW(config-route-map)# set metric-type type-1
Main-GW(config-route-map)# exit
Main-GW(config)# route-map RM-VPN-ROUTES deny 100 

[/box]

5. To be honest, you would already have OSPF set up at this point, but for completeness let’s run through the OSPF setup.

[box]

Main-GW(config)# router ospf 20
Main-GW(config-router)# router-id 192.168.1.1
Main-GW(config-router)# network 192.168.1.0 255.255.255.0 area 0
Main-GW(config-router)# log-adj-changes

[/box]

6. And while still in config-router mode, set it to redistribute our VPN network(s) through the route-map (the ‘subnets’ keyword is needed, otherwise only classful networks are redistributed). The ‘default-information originate’ line is not required for the VPN route: it makes the ASA advertise its own default route into OSPF, which is where the O*E2 0.0.0.0/0 in the switch output below comes from, so leave it out if the LAN gets its default route from somewhere else.

[box]

Main-GW(config-router)# redistribute static subnets route-map RM-VPN-ROUTES
Main-GW(config-router)# default-information originate

[/box]

7. Save the changes.

[box]

Main-GW# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Main-GW#

[/box]

8. To make sure it has worked, on the core switch CORE-SW-01, look at the routing table.

[box]

Core-SW-01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 123.123.123.123 to network 0.0.0.0

O E1 172.16.0.0/16 [110/12011] via 192.168.1.1, 00:00:04, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet0/1
C    192.168.50.0/24 is directly connected, GigabitEthernet0/2
C    192.168.100.0/24 is directly connected, GigabitEthernet0/3
O*E2 0.0.0.0/0 [110/1] via 192.168.1.1, 00:00:03, GigabitEthernet0/0

[/box]
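Checking the switch by eye works for one tunnel; for many tunnels, or for a monitoring job, you want the check to be mechanical. The Python below is an added example (not the article’s or Cisco’s code) that parses IOS ‘show ip route’ text and verifies that the injected prefix is present, was learned as an external route from the expected protocol (D EX for EIGRP, O E1 here for OSPF) and points at the ASA’s inside address. It serves both this article and the EIGRP one above; the two tables embedded in it are constructed from the outputs shown on this page. The detail worth knowing is the ‘10.0.0.0/16 is subnetted’ header in the EIGRP output: IOS omits the prefix length on the lines beneath it, so the parser has to carry the header’s length down.

```python
"""Verify that a reverse-route-injected prefix arrived on an IOS switch by
parsing 'show ip route' text.  Added example, not the article's or Cisco's
code.  The two tables below are constructed from the outputs in the article."""
import ipaddress
import re

EIGRP_TABLE = """\
Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/16 is subnetted, 4 subnets
C       10.2.0.0 is directly connected, GigabitEthernet2/0
C       10.3.0.0 is directly connected, GigabitEthernet3/0
C       10.1.0.0 is directly connected, GigabitEthernet1/0
D EX    10.250.0.0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
D*EX 0.0.0.0/0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
"""
OSPF_TABLE = """\
O E1 172.16.0.0/16 [110/12011] via 192.168.1.1, 00:00:04, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet0/1
O*E2 0.0.0.0/0 [110/1] via 192.168.1.1, 00:00:03, GigabitEthernet0/0
"""

# 'X/len is subnetted, N subnets': the entries beneath omit their own length.
SUBNETTED = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
# Route line: code, optional '*' (candidate default), optional sub-code
# (EX, E1, E2, IA, ...), prefix, then '[AD/metric] via NH' or 'is directly connected'.
ROUTE = re.compile(
    r"^(?P<code>[A-Z])(?P<default>\*?)\s*(?P<sub>E[X12]|IA|N[12]|L[12]|ia|su)?\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected)")


def _classful_len(addr):
    # Length IOS assumes for a major network printed without one (class A/B/C).
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_routes(text):
    """One dict per route line, with the prefix normalised to 'addr/len'."""
    routes, inherited = [], None
    for ln in text.splitlines():
        m = SUBNETTED.match(ln)
        if m:
            inherited = int(m[1])
            continue
        m = ROUTE.match(ln)
        if not m:
            continue  # header, legend or blank line
        plen = m["plen"] or inherited or _classful_len(m["addr"])
        routes.append({
            "prefix": str(ipaddress.ip_network(f"{m['addr']}/{plen}", strict=False)),
            "code": m["code"], "sub": m["sub"], "default": m["default"] == "*",
            "ad": int(m["ad"]) if m["ad"] else None,
            "metric": int(m["metric"]) if m["metric"] else None,
            "via": m["nh"],
        })
    return routes


def check_injected_route(text, prefix, via, code, sub=None):
    """Problems with the expected RRI route (empty list = pass).  'code'/'sub'
    are the IOS codes: ('D', 'EX') for EIGRP external, ('O', 'E1') or
    ('O', 'E2') for OSPF external; a plain 'D' or 'O' would mean the prefix
    was learned some other way than by redistribution on the ASA."""
    want = str(ipaddress.ip_network(prefix))
    found = [r for r in parse_routes(text) if r["prefix"] == want]
    if not found:
        return [f"{want} is not in the routing table"]
    r, problems = found[0], []
    if (r["code"], r["sub"]) != (code, sub):
        problems.append(f"{want} learned as {r['code']} {r['sub'] or ''}, expected {code} {sub or ''}")
    if r["via"] != via:
        problems.append(f"{want} via {r['via']}, expected {via}")
    return problems


if __name__ == "__main__":
    print(check_injected_route(EIGRP_TABLE, "10.250.0.0/16", "10.1.1.1", "D", "EX") or "EIGRP RRI route OK")
    print(check_injected_route(OSPF_TABLE, "172.16.0.0/16", "192.168.1.1", "O", "E1") or "OSPF RRI route OK")
```

Paste the switch’s real ‘show ip route’ output in place of the constructed tables; an empty list from check_injected_route() means the prefix is there, came in as a redistributed (external) route and points at the ASA. The administrative distance the parser returns (170 for D EX, 110 for OSPF) is the quickest way to confirm the route really is the redistributed one rather than something learned internally.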

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – VPN Reverse Route Injection With EIGRP