ASA lan2lan VPN and RIP

Hello,
I want to upgrade my network topology introducing RIP for automate the management of routing table. I want to use RIP instead of OSPF 'cause I have some Catalyst 3750 switch with IPBASE software that supports only RIP.

I'm done with the layer 3 switch and router config, but I want to configure also my ASA firewall.

In particoular I've an ASA with some Lan-to-Lan VPN and I want that the ASA update, via RIP, the routing table of my router.

I've configured reverse route injection on my crypto map and I've configured the ASA to redistribute stati route on RIP. The problem is that in the router I can't see all the route of the ASA.

The routing table of my router is this:
R    192.168.211.0/24 [120/1] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.210.0/24 [120/1] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.10.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
C    192.168.200.0/24 is directly connected, Vlan1
R    192.168.6.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.0.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
R    192.168.100.0/24 [120/2] via 192.168.200.100, 00:00:01, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.200.100


And in the ASA is:
C    192.168.211.0 255.255.255.0 is directly connected, failover
C    192.168.210.0 255.255.255.0 is directly connected, dmz
S    192.168.10.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
C    192.168.200.0 255.255.255.0 is directly connected, inside
S    192.168.6.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.0.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.100.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.4.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.2.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside

as you can see some route (192.168.2.0 and 192.168.4.0) are note replicated to router.


Any help would be appreciated

thanks

The config of router is very simple (is a test environment):
router rip
 network 192.168.200.0
This is an extract of ASA config:
!
! *** CUT ***
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.200.100 255.255.255.0 standby 192.168.200.99 
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.210.100 255.255.255.0 standby 192.168.210.99
!
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0 
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0 
access-list 100 extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0 
access-list 100 extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list 100 extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0 
access-list 110 extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list 110 extended permit ip 192.168.210.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list 120 extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list 120 extended permit ip 192.168.210.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list 130 extended permit ip 192.168.200.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list 130 extended permit ip 192.168.210.0 255.255.255.0 192.168.6.0 255.255.255.0 
!
! *** CUT ***
!
router rip
 network 192.168.200.0
 network 192.168.210.0
 passive-interface outside
 passive-interface dmz
 redistribute connected metric transparent
 redistribute static metric 2
 no auto-summary
!
! *** CUT ***
!
crypto ipsec transform-set strongroad esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map toRoad 4 set transform-set strongroad
crypto dynamic-map toRoad 4 set security-association lifetime seconds 28800
crypto dynamic-map toRoad 4 set security-association lifetime kilobytes 4608000
crypto map partner-map 10 match address 100
crypto map partner-map 10 set peer xxxxxxxxxxxx
crypto map partner-map 10 set transform-set strongroad
crypto map partner-map 10 set security-association lifetime seconds 28800
crypto map partner-map 10 set security-association lifetime kilobytes 4608000
crypto map partner-map 10 set reverse-route
crypto map partner-map 11 match address 110
crypto map partner-map 11 set peer xxxxxxxxxxxxx
crypto map partner-map 11 set transform-set strongroad
crypto map partner-map 11 set security-association lifetime seconds 28800
crypto map partner-map 11 set security-association lifetime kilobytes 4608000
crypto map partner-map 11 set reverse-route
crypto map partner-map 12 match address 120
crypto map partner-map 12 set peer xxxxxxxxxxxxxx
crypto map partner-map 12 set transform-set strongroad
crypto map partner-map 12 set security-association lifetime seconds 28800
crypto map partner-map 12 set security-association lifetime kilobytes 4608000
crypto map partner-map 12 set reverse-route
crypto map partner-map 13 match address 130
crypto map partner-map 13 set peer xxxxxxxxxxxxxx
crypto map partner-map 13 set transform-set strongroad
crypto map partner-map 13 set security-association lifetime seconds 28800
crypto map partner-map 13 set security-association lifetime kilobytes 4608000
crypto map partner-map 13 set reverse-route
crypto map partner-map 20 ipsec-isakmp dynamic toRoad
crypto map partner-map interface outside
!
! *** CUT ***
!
 passive-interface outside
 passive-interface dmz
 redistribute connected metric transparent
 redistribute static metric 2
 no auto-summary
!
! *** CUT ***
!
crypto ipsec transform-set strongroad esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map toRoad 4 set transform-set strongroad
crypto dynamic-map toRoad 4 set security-association lifetime seconds 28800
crypto dynamic-map toRoad 4 set security-association lifetime kilobytes 4608000
crypto map partner-map 10 match address 100
crypto map partner-map 10 set peer xxxxxxxxxxxx
crypto map partner-map 10 set transform-set strongroad
crypto map partner-map 10 set security-association lifetime seconds 28800
crypto map partner-map 10 set security-association lifetime kilobytes 4608000
crypto map partner-map 10 set reverse-route
crypto map partner-map 11 match address 110
crypto map partner-map 11 set peer xxxxxxxxxxxxx
crypto map partner-map 11 set transform-set strongroad
crypto map partner-map 11 set security-association lifetime seconds 28800
crypto map partner-map 11 set security-association lifetime kilobytes 4608000
crypto map partner-map 11 set reverse-route
crypto map partner-map 12 match address 120
crypto map partner-map 12 set peer xxxxxxxxxxxxxx
crypto map partner-map 12 set transform-set strongroad
crypto map partner-map 12 set security-association lifetime seconds 28800
crypto map partner-map 12 set security-association lifetime kilobytes 4608000
crypto map partner-map 12 set reverse-route
crypto map partner-map 13 match address 130
crypto map partner-map 13 set peer 66.155.224.130 
crypto map partner-map 13 set transform-set strongroad
crypto map partner-map 13 set security-association lifetime seconds 28800
crypto map partner-map 13 set security-association lifetime kilobytes 4608000
crypto map partner-map 13 set reverse-route
crypto map partner-map 20 ipsec-isakmp dynamic toRoad
crypto map partner-map interface outside
!
! *** CUT ***
!

Open in new window

LVL 3
Faber82Asked:
Who is Participating?
 
HodepineCommented:
Try changing it to RIP version 2, which is classless, and should work better with variable length subnet masks.

Just add "version 2" to both the router and the ASA router rip configuration.
0
 
HodepineCommented:
I've never run RIP on a ASA device, but your config looks ok to me.

Can you try debug ip rip on the router (and on the ASA if it's supported, again, I haven't tried this), and we'll see which routes are received (and advertised), and we might get a clue to what's going on.
0
 
Faber82Author Commented:
I've enabled debug on the ASA and seem that the problem is that some router are note sent with RIP:

debug info on ASA:
RIP: sending v1 update to 255.255.255.255 via inside (192.168.200.100)
RIP: build update entries
        subnet 0.0.0.0 metric 2
        network 192.168.0.0 metric 2
        network 192.168.6.0 metric 2
        network 192.168.10.0 metric 2
        network 192.168.100.0 metric 2
        network 192.168.210.0 metric 1
        network 192.168.211.0 metric 1
        network 202.82.53.0 metric 1
RIP: Update contains 8 routes
RIP: Update queued
RIP: Update sent via inside rip-len:172

As you can see RIP don't send network 192.168.2.0 and 192.168.4.0 that are present on the routing table of the asa:
C    192.168.211.0 255.255.255.0 is directly connected, failover
C    192.168.210.0 255.255.255.0 is directly connected, dmz
S    192.168.10.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
C    192.168.200.0 255.255.255.0 is directly connected, inside
S    192.168.6.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.0.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.100.0 255.255.255.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.4.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside
S    192.168.2.0 255.255.254.0 [1/0] via xxx.xx.xx.xxx, outside

That route are managed by the ACL associated to crypto map:
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0

I make a hypothesis: may be due to non-standard netmask for the network 192.168.2.0 and .4.0? (I created a supernet /23 amalgamating two /24)
0
 
Faber82Author Commented:
With version 2 works!
I assumed that the default version was with subnets support , but the default is version 1 with classes.

Thanks
0
 
HodepineCommented:
Yeah, just for the fun of it, debug ip rip now, and you'll see the masks are included in the updates. In the few places I see people still run RIP, this is a very common problem, not specifying version 2 and getting all kinds of weird results.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.