Faber82 (Italy) asked:
ASA lan2lan VPN and RIP

Hello,
I want to upgrade my network topology by introducing RIP to automate the management of the routing tables. I want to use RIP instead of OSPF because I have some Catalyst 3750 switches with IPBASE software that supports only RIP.

I'm done with the layer 3 switch and router config, but I want to configure my ASA firewall as well.

In particular I have an ASA with some LAN-to-LAN VPNs, and I want the ASA to update, via RIP, the routing table of my router.

I've configured reverse route injection on my crypto map and I've configured the ASA to redistribute static routes into RIP. The problem is that on the router I can't see all the routes of the ASA.

The routing table of my router is this:
R    192.168.211.0/24 [120/1] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.210.0/24 [120/1] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.10.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
C    192.168.200.0/24 is directly connected, Vlan1
R    192.168.6.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.0.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.100.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.200.100


And in the ASA is:
C    192.168.211.0 255.255.255.0 is directly connected, failover
C    192.168.210.0 255.255.255.0 is directly connected, dmz
S    192.168.10.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
C    192.168.200.0 255.255.255.0 is directly connected, inside
S    192.168.6.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.0.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.100.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.4.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.2.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside

As you can see, some routes (192.168.2.0 and 192.168.4.0) are not replicated to the router.


Any help would be appreciated

thanks

The config of the router is very simple (it is a test environment):
router rip
 network 192.168.200.0
This is an extract of ASA config:
!
! *** CUT ***
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.200.100 255.255.255.0 standby 192.168.200.99 
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.210.100 255.255.255.0 standby 192.168.210.99
!
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0 
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0 
access-list 100 extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0 
access-list 100 extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list 100 extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0 
access-list 110 extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list 110 extended permit ip 192.168.210.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list 120 extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list 120 extended permit ip 192.168.210.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list 130 extended permit ip 192.168.200.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list 130 extended permit ip 192.168.210.0 255.255.255.0 192.168.6.0 255.255.255.0 
!
! *** CUT ***
!
router rip
 network 192.168.200.0
 network 192.168.210.0
 passive-interface outside
 passive-interface dmz
 redistribute connected metric transparent
 redistribute static metric 2
 no auto-summary
!
! *** CUT ***
!
crypto ipsec transform-set strongroad esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map toRoad 4 set transform-set strongroad
crypto dynamic-map toRoad 4 set security-association lifetime seconds 28800
crypto dynamic-map toRoad 4 set security-association lifetime kilobytes 4608000
crypto map partner-map 10 match address 100
crypto map partner-map 10 set peer xxxxxxxxxxxx
crypto map partner-map 10 set transform-set strongroad
crypto map partner-map 10 set security-association lifetime seconds 28800
crypto map partner-map 10 set security-association lifetime kilobytes 4608000
crypto map partner-map 10 set reverse-route
crypto map partner-map 11 match address 110
crypto map partner-map 11 set peer xxxxxxxxxxxxx
crypto map partner-map 11 set transform-set strongroad
crypto map partner-map 11 set security-association lifetime seconds 28800
crypto map partner-map 11 set security-association lifetime kilobytes 4608000
crypto map partner-map 11 set reverse-route
crypto map partner-map 12 match address 120
crypto map partner-map 12 set peer xxxxxxxxxxxxxx
crypto map partner-map 12 set transform-set strongroad
crypto map partner-map 12 set security-association lifetime seconds 28800
crypto map partner-map 12 set security-association lifetime kilobytes 4608000
crypto map partner-map 12 set reverse-route
crypto map partner-map 13 match address 130
crypto map partner-map 13 set peer xxxxxxxxxxxxxx
crypto map partner-map 13 set transform-set strongroad
crypto map partner-map 13 set security-association lifetime seconds 28800
crypto map partner-map 13 set security-association lifetime kilobytes 4608000
crypto map partner-map 13 set reverse-route
crypto map partner-map 20 ipsec-isakmp dynamic toRoad
crypto map partner-map interface outside
!
! *** CUT ***
!

Hodepine (Norway):

I've never run RIP on an ASA device, but your config looks ok to me.

Can you try debug ip rip on the router (and on the ASA if it's supported, again, I haven't tried this), and we'll see which routes are received (and advertised), and we might get a clue to what's going on.
Faber82 (asker):

I've enabled debug on the ASA and it seems that the problem is that some routes are not sent with RIP:

debug info on ASA:
RIP: sending v1 update to 255.255.255.255 via inside (192.168.200.100)
RIP: build update entries
        subnet 0.0.0.0 metric 2
        network 192.168.0.0 metric 2
        network 192.168.6.0 metric 2
        network 192.168.10.0 metric 2
        network 192.168.100.0 metric 2
        network 192.168.210.0 metric 1
        network 192.168.211.0 metric 1
        network 202.82.53.0 metric 1
RIP: Update contains 8 routes
RIP: Update queued
RIP: Update sent via inside rip-len:172

As you can see, RIP doesn't send networks 192.168.2.0 and 192.168.4.0, which are present in the routing table of the ASA:
C    192.168.211.0 255.255.255.0 is directly connected, failover
C    192.168.210.0 255.255.255.0 is directly connected, dmz
S    192.168.10.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
C    192.168.200.0 255.255.255.0 is directly connected, inside
S    192.168.6.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.0.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.100.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.4.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.2.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside

Those routes are handled by the ACL associated with the crypto map:
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0

My hypothesis: maybe it is due to the non-standard netmask for the networks 192.168.2.0 and .4.0? (I created a /23 supernet by amalgamating two /24s.)
ASKER CERTIFIED SOLUTION
Hodepine (Norway)
Faber82 (asker):

With version 2 it works!
I assumed that the default version had subnet support, but the default is version 1, which is classful.

Thanks
Hodepine (Norway):
Yeah, just for the fun of it, debug ip rip now, and you'll see the masks are included in the updates. In the few places I see people still run RIP, this is a very common problem, not specifying version 2 and getting all kinds of weird results.
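The classful behaviour the asker ran into, as an added Python model that is not part of the thread: it applies the standard RIPv1 rules (no mask on the wire, so supernets are dropped and foreign subnets are auto-summarised) and the RIPv2 rules to a route list constructed from the ASA routing table and debug output above. The 202.82.53.0/24 entry is assumed to be the outside interface network seen in the debug, and the metrics follow the redistribute commands in the config.

```python
from ipaddress import IPv4Network

# Constructed from the question's routing table: (prefix, RIP metric, exit interface).
ASA_ROUTES = [
    ("192.168.211.0/24", 1, "failover"),
    ("192.168.210.0/24", 1, "dmz"),
    ("192.168.200.0/24", 1, "inside"),
    ("202.82.53.0/24", 1, "outside"),   # assumed outside interface network (debug output)
    ("192.168.10.0/24", 2, "outside"),
    ("192.168.6.0/24", 2, "outside"),
    ("192.168.0.0/24", 2, "outside"),
    ("192.168.100.0/24", 2, "outside"),
    ("192.168.4.0/23", 2, "outside"),   # the two /23 supernets that never reached the router
    ("192.168.2.0/23", 2, "outside"),
    ("0.0.0.0/0", 2, "outside"),
]


def classful_prefixlen(net: IPv4Network) -> int:
    """Classful (A/B/C) mask length derived from the first octet."""
    first = int(net.network_address) >> 24
    return 8 if first < 128 else 16 if first < 192 else 24


def rip_update(routes, out_iface, out_net, version):
    """Return sorted (network, metric) entries RIP would send out of out_iface.

    v1 carries no mask: a supernet (mask shorter than classful) is silently dropped,
    a subnet of a foreign major network is summarised to that major network (v1 always
    auto-summarises), and a subnet of the interface's own major network is sent only
    when its mask equals the interface mask. v2 sends every prefix with its mask.
    Split horizon (no route back out of the interface it points to) applies to both.
    """
    out_net = IPv4Network(out_net)
    out_major = IPv4Network((out_net.network_address, classful_prefixlen(out_net)), strict=False)
    entries = {}

    def add(key, metric):
        entries[key] = min(metric, entries.get(key, metric))

    for prefix, metric, iface in routes:
        net = IPv4Network(prefix)
        if iface == out_iface:
            continue                                   # split horizon
        if version == 2 or net.prefixlen == 0:
            add(net, metric)                           # v2 entry, or the default route
            continue
        cl = classful_prefixlen(net)
        if net.prefixlen < cl:
            continue                                   # supernet: unrepresentable in v1
        major = IPv4Network((net.network_address, cl), strict=False)
        if net.prefixlen == cl:
            add(net, metric)                           # exact classful network
        elif major == out_major:
            if net.prefixlen == out_net.prefixlen:
                add(net, metric)                       # same major net, same mask
        else:
            add(major, metric)                         # foreign subnet: auto-summarised
    return sorted((str(n), m) for n, m in entries.items())
```

With version 1 on the inside interface the model produces the same 8 entries as the debug output, without the two /23s; with version 2 both supernets appear.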