Reverse route inject in ASA VPN

Hi, can anyone explain why we want to use a route / reverse route injection in an L2L VPN?
Usually we do not use a route in an L2L VPN if the LAN behind the ASA is directly connected to the ASA. But in the statement below, it says the VPN needs an additional route or reverse route injection:

Verify that Routing is Correct

Routing is a critical part of almost every IPsec VPN deployment. Be certain that your encryption devices such as Routers and PIX or ASA Security Appliances have the proper routing information to send traffic over your VPN tunnel. Moreover, if other routers exist behind your gateway device, be sure that those routers know how to reach the tunnel and what networks are on the other side.

One key component of routing in a VPN deployment is Reverse Route Injection (RRI). RRI places dynamic entries for remote networks or VPN clients in the routing table of a VPN gateway. These routes are useful to the device on which they are installed, as well as to other devices in the network because routes installed by RRI can be redistributed through a routing protocol such as EIGRP or OSPF.

In a LAN-to-LAN configuration, it is important for each endpoint to have a route or routes to the networks for which it is supposed to encrypt traffic. In this example, Router A must have routes to the networks behind Router B through 10.89.129.2. Router B must have a similar route to 192.168.100.0 /24:

(figure from the Cisco document: common_ipsec_trouble-3.gif)

The first way to ensure that each router knows the appropriate route(s) is to configure static routes for each destination network. For example, Router A can have these route statements configured:

ip route 0.0.0.0 0.0.0.0 172.22.1.1
ip route 192.168.200.0 255.255.255.0 10.89.129.2
ip route 192.168.210.0 255.255.255.0 10.89.129.2
ip route 192.168.220.0 255.255.255.0 10.89.129.2
ip route 192.168.230.0 255.255.255.0 10.89.129.2
If Router A was replaced with a PIX or ASA, the configuration can look like this:

route outside 0.0.0.0 0.0.0.0 172.22.1.1
route outside 192.168.200.0 255.255.255.0 10.89.129.2
route outside 192.168.210.0 255.255.255.0 10.89.129.2
route outside 192.168.220.0 255.255.255.0 10.89.129.2
route outside 192.168.230.0 255.255.255.0 10.89.129.2

which is from:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html
eemoon Asked:

NetExpert Network Solutions Pte Ltd (Technical Specialist) Commented:
While you have an L2L setup, we need to have interesting traffic which needs to pass via the IPSec tunnel and that can be matched by the crypto access-list.

In a normal scenario, site 1 has the 192.168.0.0/16 network, and if the remote site has the 192.168.100.0/24 network, then you need to specifically mention the remote site route pointing to the outside interface.

This concept is the so-called reverse route injection.


Else, the traffic will not be forwarded to the tunnel, though the crypto ACL matched.

The order of processing a packet from inside to outside looks like: interface ACL --> NAT --> route --> crypto tunnel --> outside

You can find the best example here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html
eemoon (Author) Commented:
Thank you so much for your fast and excellent explanation and the link. I reviewed that document. It is a good document, but it does not explain why some networks need RRI and others do not. I think you are correct, but I do not know why only some special networks need RRI, and not all networks.
kevinhsieh Commented:
You would need RRI any time that the ASA is not the eventual route for all traffic that needs to go across the L2L tunnel. Say you have three sites: HQ, SiteA and SiteB. HQ has the ASA, SiteA has its own internet connection and a WAN connection to HQ, and SiteB is connected to HQ via an L2L IPSec tunnel. Without RRI, traffic from SiteA wouldn't know that the correct route to SiteB is over the WAN; it would send traffic out its internet connection instead. In addition, RRI helps make all of the available networks visible in the routing table. So, if your routing worked out such that all traffic would eventually make it to the ASA anyway, it's nice to be able to look at the routing table and see that all of the remote subnets across an IPSec tunnel are showing up properly. If you don't see it in the routing table, that's a good indication that your L2L link is down.

eemoon (Author) Commented:
Thank you so much for your reply.
I agree with what you said on the RRI. However, the example that you gave here is different from the one in the Cisco document and from what I am talking about. My topology is like this:
LAN1 ---- ASA1 ----- Internet ------ ASA2 ---- LAN2.   My question: does this topology need RRI? In most cases, I do not think it needs RRI, but I have also met a rare case which needs RRI. I do not know why.

Please see the attached picture, which is from:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html
The topology in the Cisco doc is the same as mine, but Cisco says it needs RRI.

NetExpert Network Solutions Pte Ltd mentioned it below. I agree with him, but I do not know why this special subnet could need RRI:

In a normal scenario, site 1 has the 192.168.0.0/16 network, and if the remote site has the 192.168.100.0/24 network, then you need to specifically mention the remote site route pointing to the outside interface.

This concept is the so-called reverse route injection.
(attached picture: Capture.PNG)
NetExpert Network Solutions Pte Ltd (Technical Specialist) Commented:
@eemoon,

Reverse route injection is desperately needed in the scenario where you have a dynamic routing protocol running on the LAN network and you need to inject the remote site VPN networks into the dynamic routing protocol.

If you are not running any dynamic routing protocol, RRI is not needed.

//Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN Clients or LAN-to-LAN sessions.//

Here is the best example from Cisco:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html
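As an added example (not from the Cisco documents or from any poster in this thread), here is the ASA configuration shape this answer describes: RRI enabled on the crypto map entry so the remote subnet lands in the ASA's routing table as a static route, and that static route redistributed into OSPF so internal routers learn it too. The interface name, peer address 203.0.113.2, subnets, and the map/ACL/transform-set names are assumed values; the IKE policy and tunnel-group pre-shared key are omitted.

```cisco
! Interesting traffic: local 192.168.100.0/24 to remote 192.168.200.0/24 (assumed subnets)
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
! RRI: install a static route to the remote subnet 192.168.200.0/24 via the peer
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside

! In the plain LAN1 ---- ASA1 ---- Internet ---- ASA2 ---- LAN2 case the injected route
! only helps the ASA's own table, which already sends 192.168.200.0/24 out the default route.
! When internal routers run OSPF, redistribute the injected static so they learn the
! remote subnet instead of forwarding it toward their own default path.
router ospf 1
 network 192.168.100.0 255.255.255.0 area 0
 redistribute static subnets
```

With RRI configured, the remote subnet shows up in `show route` on the ASA as a static entry, which is the routing-table visibility kevinhsieh describes above.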
eemoon (Author) Commented:
Thank you so much for your explanation! I understand it now, but I still have one more thing that I need to confirm: we do not need to add RRI if the scenario is just like the one below and does not have dynamic routing, right?
LAN1 ---- ASA1 ----- Internet ------ ASA2 ---- LAN2
Thank you again!
NetExpert Network Solutions Pte Ltd (Technical Specialist) Commented:
No need to have RRI in that scenario.
eemoon (Author) Commented:
Thank you!