
Reverse Route Injection with ASA5505

jgadbois
Level 1

My network consists of a router and an ASA5505. The router has a serial connection back to HQ. The ASA has a VPN connection back to HQ. I want the network traffic destined for HQ to travel over the VPN connection until that connection is no longer valid (down). I've been told that RRI is the way to go but cannot get it to work. I get one of my routes to show up in the router but that's it (and not as a static route). Also I don't want the routes to be injected if the VPN connection is down. But I do want the VPN connection to be the preferred connection. Any ideas? The discussions I've seen so far are all over the place.

2 Replies

Vikas Saxena
Cisco Employee

What does your topology look like?

I imagine it in two ways:

1.

LAN------ASA---------router---------HQ

                 +---------internet---------HQ

or

2.

LAN-------router-------ASA---------internet--------HQ

                   +--------serial----------------------------HQ

The second one is simpler.

On the router you will have one default gateway, the ASA; the ASA has one default gateway, the internet ISP hop.

In the router you will have one route for HQ pointing to serial.


You can use a floating static route for the HQ network and point it to the ASA. When the ASA gets traffic destined for HQ (crypto), it will initiate the tunnel if it does not exist or encrypt the traffic if it already exists; no need for RRI.

With the router you can also do fancy stuff using SLA monitoring; this will make route tweaking granular.

-Vikas
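
An added example, not part of the original reply and not a Cisco reference configuration: one way to combine the static routes and SLA monitoring described above on the branch IOS router, with the VPN path preferred as the original poster asks. All addresses, interface names and the probe target are constructed placeholders.

```cisco
! Constructed values (assumptions, not from the thread):
!   HQ network       10.10.0.0/16
!   ASA inside addr  192.168.1.2
!   Probe target     10.10.0.1 (an HQ host that should be reached through the tunnel)
!   LAN interface    FastEthernet0/0, serial link to HQ on Serial0/0
!
! Probe an HQ host. Source the probe from the LAN interface so it falls
! inside the ASA's crypto ACL and actually exercises the tunnel.
ip sla 1
 icmp-echo 10.10.0.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe; the delays damp flapping.
track 1 ip sla 1 reachability
 delay down 20 up 60
!
! Pin the probe target to the ASA. Without this host route, a failed
! tunnel would send the probe over the serial link, the probe would
! succeed, and the tracked route would flap back in.
ip route 10.10.0.1 255.255.255.255 192.168.1.2
!
! Preferred path: HQ via the ASA (VPN), installed only while the probe succeeds.
ip route 10.10.0.0 255.255.0.0 192.168.1.2 track 1
!
! Backup path: floating static over the serial link (administrative distance 250).
ip route 10.10.0.0 255.255.0.0 Serial0/0 250
```

If the HQ prefixes are already learned through OSPF over the serial link, the tracked static route (administrative distance 1) overrides them while the tunnel is up, and the floating static on the last line is unnecessary.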

It looks like the second diagram.  I initially looked at floating static routes and have had some experience with them but it just seems that when you want to use them you run into the SLA issue where you have to test the route to make sure it's really there.  It doesn't seem to scale very well either.  I asked another time about my issue and was directed to RRI.  It seemed like a good candidate but the trouble I'm having now has me confused.  No routes are getting injected as static and only one is there but looks like it's coming from OSPF itself.  I wonder if turning off OSPF on the ASA might be the answer?

Anyway, thanks for your response.

Jim