Cisco ASA Routing Question

We have a network with 9 locations that are in a mpls network with route distribution via eigrp.

Each site also has a second internet connection that is routed with an ASA 5510.

The default gateway of each site is a layer 3 switch with EIGRP and a static 0.0.0.0 route to the ASA.  We've configured site to site vpn between the locations as a backup to MPLS failure.  If a link fails the route drops from EIGRP and the gateway then routes that network to the ASA which brings the tunnel up.

So here's the issue, I have static routes on the inside interface of the ASA that route each subnet back to the interior gateway so the ASA's can be managed over the MPLS.  When an MPLS link goes down the static routes for the affected network have to be removed from all ASA's before the tunnels will route correctly.

What I'm hoping is that there is some way I can get the ASA to give the static route a lower metric than the VPN route, or dynamically build the route based on remote availability.

Thanks in advance!
Asked by: nathanspowell

1 Solution
602650528Commented:
Your statement about giving the static routes lower AD is confusing as you want them removed when the VPN tunnels are established. What is the administrative distance of the vpn route ? I am sure it can't be higher than 254 as that is the highest you could have, so give the static route an AD of 254.
e.g ip route 10.0.0.0 255.255.255.0 23.23.23.2 254
0
 
602650528Commented:
I meant;
 route outside 0.0.0.0 255.255.255.0 23.23.23.2 254
0
 
lrmooreCommented:
You can assign a metric to the static, as demonstrated above, just not on the default
 route inside 10.0.0.0 255.0.0.0 10.1.12 254
You can enable EIGRP between the ASA and the router and let it dynamically learn the routes while the mpls is alive.
0
nathanspowellAuthor Commented:
@602650528
Clarification, changing the metric of this route won't help.  If I static route my machine to use the ASA as the gateway for a specific subnet it won't even bring the tunnel up as long as the static route is there.  When I remove the route the tunnel will come up.  Changing to 254 makes no difference.

@lrmoore
I think adding the ASA to EIGRP will be the solution.  This way the route would drop off if an mpls link went down which would bring the tunnel up.  Unfortunately I either have to induce a MPLS failure or wait for one to prove it.  It sounds like the best solution though.

Thanks.
0
 
nathanspowellAuthor Commented:
Ok thinking through this I don't think adding EIGRP to the ASA is going to work.  Here is a pseudo copy of the route distribution.

10.10.10.1 = Layer 3 Switch Interior Gateway
10.10.10.2 = MPLS Router
10.10.10.254 = ASA

EIGRP routes 9 subnets via 10.10.10.2
10.10.10.2 routes 10.10.10.0/24 via 10.10.10.1

If the ASA picks up this route it's going to route out via 10.10.10.2 and 10.10.10.2 is going to route in via 10.10.10.1.  I don't believe this will work.  Please correct me if I'm wrong.

This leads me to another option.  Can I use a tracked static route on the ASA?  I haven't used this feature before but my understanding is I can track a remote host to confirm the viability of the route.  If the tracked host is unreachable is the route removed, made inactive?  If so I could see the ASA bringing the tunnel up at that point which would accomplish what I want.
0
 
lrmooreCommented:
Since all three devices are on the same interior subnet, EIGRP should work just fine. Since all 3 devices know where to route traffic, it shouldn't be a problem.
Tracking may be an alternative, but probably not as reliable as EIGRP.
Thinking about that, if you are tracking a host on the other side of MPLS link and the mpls link drops, the route drops out. Now with no route to the host you're tracking, even if the MPLS link comes back up, the static route is gone and you'll never get back where it was.
0
 
nathanspowellAuthor Commented:
So it just removes the route entirely?  I would assume it would continue to track it and put it back when the link was restored.
0
 
lrmooreCommented:
I'm just thinking out loud, but if the route drops out, how can it possibly ever find the host again to restore it?
You would have to add a host-specific route that is not tracked, and then a tracked network route. This is the way I typically do it for default route tracking...
0
 
nathanspowellAuthor Commented:
That sounds like it would work assuming the ASA does continue to attempt to track the subnet route once it fails.  Can you confirm that?
0
 
lrmooreCommented:
I've done some testing in my lab and indeed it does work, but the convergence time is much slower than EIGRP by itself.

track 1 rtr 1 reachability
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.125.1 interface inside
sla monitor schedule 1 life forever start-time now
route inside 192.168.125.1 255.255.255.255 192.168.122.140 1 < Permanent static route to tracked host

route inside 192.168.0.0 255.255.0.0 192.168.122.140 128 track 1 < Goes away if I shutdown the tracked host, but takes about 15-20 seconds

Problem is, you have to dedicate that host to being available all the time. I just used a loopback interface on a remote MPLS router.

with EIGRP set up, and the router set to redistribute BGP, if I lose a route from BGP, the ASA drops the route almost immediately.


0
 
nathanspowellAuthor Commented:
Can't thank you enough!
0
 
nathanspowellAuthor Commented:
One more question.

In your lab if you bring 192.168.125.1 back online does the tracked subnet come back to life as expected.  

I interpret your comment that it does but I just wanted to confirm.
0
 
lrmooreCommented:
Yes, it does!
0
 
nathanspowellAuthor Commented:
Just wanted to update this.  The static non tracked route for a host is not necessary.

Adding a subnet with a tracked host is enough.  It will persist in tracking that host via the defined route even if the reachability is false.  Once it becomes reachable again it will restore the route.  
0
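The two points the thread settles on, that lowering the static route's administrative distance to 254 changes nothing while the route is installed, and that a tracked static route is withdrawn when the SLA probe fails and reinstalled when it recovers, come down to how the ASA picks a route: longest prefix match first, AD only between competing routes to the same prefix. The model below is an added example, not code from the thread or from Cisco; it simulates that lookup against a route table shaped like lrmoore's lab (inside gateway 192.168.122.140, tracked prefix 192.168.0.0/16, track object 1). The outside next hop 203.0.113.1 and the `track` field on the route record are constructed for the illustration.

```python
"""Model of ASA static-route selection with administrative distance and
route tracking.  Added example; it is not ASA code.  It reproduces the
behaviour discussed in the thread: a more specific static route wins on
prefix length whatever its AD, and a tracked route drops out of the table
while its track object is down, letting the default route (and the VPN
crypto map on the outside interface) take the traffic."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    ad: int = 1                   # administrative distance, 1..254 as on the ASA
    track: Optional[int] = None   # constructed field: track object id, None = untracked


@dataclass
class Rib:
    routes: list = field(default_factory=list)
    track_up: dict = field(default_factory=dict)   # track id -> reachability

    def add(self, *routes):
        self.routes.extend(routes)

    def set_track(self, track_id, reachable):
        # Stands in for the SLA probe result feeding "track N rtr N reachability"
        self.track_up[track_id] = reachable

    def installed(self):
        # A tracked static is installed only while its track object reports up
        return [r for r in self.routes
                if r.track is None or self.track_up.get(r.track, False)]

    def lookup(self, dst):
        ip = ipaddress.IPv4Address(dst)
        cands = [r for r in self.installed() if ip in r.prefix]
        if not cands:
            return None
        # Longest prefix first; AD only breaks ties between equal prefixes
        return min(cands, key=lambda r: (-r.prefix.prefixlen, r.ad))


def site_rib(static_ad, tracked):
    """Build one site's table: default route out to the internet plus the
    static for the remote MPLS subnets pointing back at the inside gateway."""
    rib = Rib()
    rib.add(Route(ipaddress.IPv4Network("0.0.0.0/0"), "203.0.113.1", "outside", 1))
    rib.add(Route(ipaddress.IPv4Network("192.168.0.0/16"), "192.168.122.140",
                  "inside", static_ad, track=1 if tracked else None))
    rib.set_track(1, True)        # tracked host 192.168.125.1 reachable at start
    return rib


def egress_interface(rib, dst):
    r = rib.lookup(dst)
    return r.interface if r else None


def demo():
    remote_host = "192.168.125.50"   # constructed address inside the remote prefix
    # Case 1: untracked static with AD 254 still wins, so the tunnel never fires
    rib = site_rib(254, tracked=False)
    untracked_ad254 = egress_interface(rib, remote_host)
    # Case 2: tracked static; probe failure withdraws it and the default route wins
    rib = site_rib(128, tracked=True)
    tracked_up = egress_interface(rib, remote_host)
    rib.set_track(1, False)
    tracked_down = egress_interface(rib, remote_host)
    rib.set_track(1, True)
    tracked_restored = egress_interface(rib, remote_host)
    return untracked_ad254, tracked_up, tracked_down, tracked_restored


if __name__ == "__main__":
    print(demo())
```

Note that the model treats the probe as independent of the route it controls, which matches the author's closing observation: the `sla monitor` is bound to `interface inside`, so the echo keeps going out that interface while the tracked route is down and the route is reinstalled once the host answers again.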
