I’m a big fan of the Cisco Anyconnect VPN client due to its easy configuration, and the relative ease of deployment to end users. When you deploy an Anyconnect VPN on your ASA, one of the important tasks is to decide how to advertise the VPN assigned addresses into the rest of your network. Fortunately, this is easy to accomplish using route redistribution.
In this example, my VPN pool will be assigned from the 192.168.254.128/25 range, and I will redistribute these routes into OSPF. Notice that the ASA automatically creates a static host route for a connected client:
ASA# sh route | i 192.168.254 S 192.168.254.154 255.255.255.255 [1/0] via 220.127.116.11, Outside
So we have the building blocks for what we need, now let’s look at the configuration.
There are several different ways to accomplish this task, but I’ll demonstrate what I typically use.
Redistributing into OSPF
First, we’ll create a prefix list to match the address pool for our Anyconnect clients:
prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25 le 32
This prefix list entry matches the 192.168.254.128/25 subnet, as well as any routes with a mask less-than or equal to 32 bits. This works great, because our routes will all be /32.
Next we’ll create a route-map that we can reference inside OSPF:
route-map VPN_POOL permit 1 match ip address prefix-list VPN_PREFIX
And finally, we’ll add enable redistribution in OSPF:
router ospf 1 redistribute static subnets route-map VPN_POOL
If we look the routing table on another router in our network, we should see the route:
RTR#sh ip route | i 192.168.254 O E2 192.168.254.128/32 [110/20] via 10.5.2.6, 00:5:03, Vlan85
Advertising the subnet instead of individual host routes
If you like to keep your routing tables uncluttered, you might be inclined to only redistribute the entire VPN prefix, instead of the /32 routes. The important thing to remember here is that OSPF will not redistribute a route that is not already in the routing table.
We’ll simply add a static route for the VPN prefix:
route outside 192.168.254.128 255.255.255.128 18.104.22.168
Without any other modifications, we will now see routes like this in our network:
RTR#sh ip route | i 192.168.254 O E2 192.168.254.128/25 [110/20] via 10.5.2.6, 00:07:28, Vlan85 O E2 192.168.254.154/32 [110/20] via 10.5.2.6, 00:07:28, Vlan85
But we want to get rid of the /32 routes. So we have two options now:
- Modify the prefix-list to match only the /25 route
- Modify the OSPF redistribution command to ignore subnets.
Option 1: Modify the prefix-list
We’ll change the prefix list so we don’t even consider subnets with different masks:
no prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25 le 32 prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25
Our redistribution command still has the subnets keyword, but since the prefix list won’t even allow smaller prefix lengths, we end up with just the one route.
Option 2: Modify the OSPF redistribution command
You can also remove the subnets keyword from the redistribution command:
router ospf 1 redistribute static route-map VPN_POOL
This way it doesn’t matter if the prefix-list matches longer routes, OSPF just won’t redistribute them.
In the end we have a configuration that looks something like this:
route outside 192.168.254.128 255.255.255.128 22.214.171.124 ! prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25 ! route-map VPN_POOL permit 1 match ip address prefix-list VPN_PREFIX ! router ospf 100 redistribute static route-map VPN_POOL
The ASA will still show all of the /32 routes, plus the /25 route:
ASA# sh route | i 192.168.254 S 192.168.254.154 255.255.255.255 [1/0] via 126.96.36.199, Outside S 192.168.254.128 255.255.255.128 [1/0] via 188.8.131.52, Outside
But routers inside the network will only see the /25 route:
RTR#sh ip route | i 192.168.254 O E2 192.168.254.128/25 [110/20] via 10.5.2.6, 01:45:03, Vlan85
I didn’t talk about modifying any of the OSPF metrics as the routes are being injected, but that would be something to consider if you do this in your environment.