Redistributing Anyconnect VPN addresses into OSPF on Cisco ASA

I’m a big fan of the Cisco Anyconnect VPN client due to its easy configuration, and the relative ease of deployment to end users. When you deploy an Anyconnect VPN on your ASA, one of the important tasks is to decide how to advertise the VPN assigned addresses into the rest of your network. Fortunately, this is easy to accomplish using route redistribution.

Basic Setup

In this example, my VPN pool will be assigned from the 192.168.254.128/25 range, and I will redistribute these routes into OSPF. Notice that the ASA automatically creates a static host route for a connected client:

ASA# sh route | i 192.168.254
S    192.168.254.154 255.255.255.255 [1/0] via 1.1.1.1, Outside

So we have the building blocks for what we need, now let’s look at the configuration.

There are several different ways to accomplish this task, but I’ll demonstrate what I typically use.

Redistributing into OSPF

First, we’ll create a prefix list to match the address pool for our Anyconnect clients:

prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25 le 32

This entry matches the 192.168.254.128/25 prefix itself and any more-specific prefix inside it, from /25 up to /32 (without the le keyword a prefix-list entry matches only the exact prefix length). This works great, because the client routes will all be /32s.

Next we’ll create a route-map that we can reference inside OSPF:

route-map VPN_POOL permit 1
    match ip address prefix-list VPN_PREFIX

And finally, we’ll enable redistribution in OSPF:

router ospf 1
    redistribute static subnets route-map VPN_POOL

If we look at the routing table on another router in our network, we should see the client’s host route:

RTR#sh ip route | i 192.168.254
O E2     192.168.254.154/32 [110/20] via 10.5.2.6, 00:05:03, Vlan85

Advertising the subnet instead of individual host routes

If you like to keep your routing tables uncluttered, you might be inclined to only redistribute the entire VPN prefix, instead of the /32 routes. The important thing to remember here is that OSPF will not redistribute a route that is not already in the routing table.

We’ll simply add a static route for the VPN prefix:

route outside 192.168.254.128 255.255.255.128 1.1.1.1

Choose the next hop for this route deliberately: a pool address that is not currently assigned to a client has no /32 on the ASA, so traffic for it follows this /25 instead.

Without any other modifications, we will now see routes like this in our network:

RTR#sh ip route | i 192.168.254
O E2     192.168.254.128/25 [110/20] via 10.5.2.6, 00:07:28, Vlan85
O E2     192.168.254.154/32 [110/20] via 10.5.2.6, 00:07:28, Vlan85

But we want to get rid of the /32 routes. We now have two options:

  1. Modify the prefix-list to match only the /25 route
  2. Modify the OSPF redistribution command to ignore subnets.

Option 1: Modify the prefix-list

We’ll change the prefix list so we don’t even consider subnets with different masks:

no prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25 le 32
prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25

Our redistribution command still has the subnets keyword, but since the prefix list no longer permits longer prefix lengths, only the /25 is redistributed.

Option 2: Modify the OSPF redistribution command

You can also remove the subnets keyword from the redistribution command:

router ospf 1
    redistribute static route-map VPN_POOL

This way it doesn’t matter if the prefix-list matches longer prefixes: OSPF just won’t redistribute them. One caveat: Cisco documents the subnets keyword as what allows non-classful networks to be redistributed at all, and 192.168.254.128/25 is not a classful network either, so confirm that the /25 still shows up on your code version before relying on this option. Option 1 doesn’t depend on that behaviour.
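To make the filtering rules concrete, here is an added example (my own code, not configuration from the original post) that simulates what redistribute static ... route-map VPN_POOL hands to OSPF under the three configurations above: the prefix-list le semantics described earlier, and the subnets keyword applied as Cisco documents it (without it, only classful networks are redistributed). The routing table is constructed from the addresses on this page plus one decoy route outside the pool. Note that the subnets-omitted case returns nothing under the documented rule, whereas the ASA output later in this post shows the /25 still being advertised; treat that case as the rule to verify on your platform rather than as this page’s observed result.

```python
# Added example (not from the original post): which static routes does
# 'redistribute static [subnets] route-map VPN_POOL' hand to OSPF?
# Models prefix-list ge/le matching and the documented effect of the
# 'subnets' keyword (without it only classful networks are redistributed).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixEntry:
    """One 'prefix-list NAME seq N permit|deny A.B.C.D/len [ge X] [le Y]' line."""
    network: IPv4Net
    ge: Optional[int] = None
    le: Optional[int] = None
    permit: bool = True

    def matches(self, route: IPv4Net) -> bool:
        # Cisco semantics: no ge/le -> exact length only; 'le Y' alone -> len..Y;
        # 'ge X' alone -> X..32; both -> X..Y.  The route must also sit inside
        # the entry's network.
        low = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32
        else:
            high = self.network.prefixlen
        return route.subnet_of(self.network) and low <= route.prefixlen <= high


def prefix_list_permits(entries: List[PrefixEntry], route: IPv4Net) -> bool:
    """First matching sequence wins; anything unmatched hits the implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.permit
    return False


def is_classful(net: IPv4Net) -> bool:
    """True for a class A /8, class B /16 or class C /24 network."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return net.prefixlen == 8
    if first_octet < 192:
        return net.prefixlen == 16
    if first_octet < 224:
        return net.prefixlen == 24
    return False


def redistributed(table: List[IPv4Net], prefix_list: List[PrefixEntry],
                  subnets: bool) -> List[str]:
    """Routes OSPF would inject, as strings, in routing-table order."""
    chosen = []
    for route in table:
        if not prefix_list_permits(prefix_list, route):
            continue            # route-map VPN_POOL does not permit it
        if not subnets and not is_classful(route):
            continue            # 'subnets' omitted: non-classful routes stay home
        chosen.append(str(route))
    return chosen


# Constructed static routes: the auto-installed /32 for the client in the post,
# the /25 static route added in the post, and a decoy outside the VPN pool.
ROUTING_TABLE = [IPv4Net("192.168.254.154/32"),
                 IPv4Net("192.168.254.128/25"),
                 IPv4Net("192.168.254.0/25")]

# prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25 le 32
VPN_PREFIX_LE32 = [PrefixEntry(IPv4Net("192.168.254.128/25"), le=32)]
# prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25          (Option 1)
VPN_PREFIX_EXACT = [PrefixEntry(IPv4Net("192.168.254.128/25"))]


def original_config() -> List[str]:
    """'redistribute static subnets' with the 'le 32' prefix list."""
    return redistributed(ROUTING_TABLE, VPN_PREFIX_LE32, subnets=True)


def option_1() -> List[str]:
    """Exact-match prefix list, 'subnets' kept on the redistribute command."""
    return redistributed(ROUTING_TABLE, VPN_PREFIX_EXACT, subnets=True)


def option_2_documented() -> List[str]:
    """'le 32' prefix list with 'subnets' removed, applying the documented rule."""
    return redistributed(ROUTING_TABLE, VPN_PREFIX_LE32, subnets=False)


if __name__ == "__main__":
    print("original :", original_config())
    print("option 1 :", option_1())
    print("option 2 :", option_2_documented(), "(documented classful rule)")
```

Running it shows the original configuration leaking the /32 alongside the /25, Option 1 keeping only the /25, and the documented no-subnets rule suppressing everything; if your ASA does advertise the /25 without subnets, you are relying on platform behaviour that the documentation does not promise.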

Final Configuration

In the end we have a configuration that looks something like this:

route outside 192.168.254.128 255.255.255.128 1.1.1.1
!
prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25
!
route-map VPN_POOL permit 1
 match ip address prefix-list VPN_PREFIX
!
router ospf 1
 redistribute static route-map VPN_POOL

The ASA will still show all of the /32 routes, plus the /25 route:

ASA# sh route | i 192.168.254
S    192.168.254.154 255.255.255.255 [1/0] via 1.1.1.1, Outside
S    192.168.254.128 255.255.255.128 [1/0] via 1.1.1.1, Outside

But routers inside the network will only see the /25 route:

RTR#sh ip route | i 192.168.254
O E2     192.168.254.128/25 [110/20] via 10.5.2.6, 01:45:03, Vlan85

I didn’t cover adjusting the OSPF metric or metric type as the routes are injected. The redistributed routes above show up as E2 with the default metric of 20 ([110/20]); the metric and metric-type options on the redistribute command are worth a look if those defaults don’t suit your environment.

7 thoughts on “Redistributing Anyconnect VPN addresses into OSPF on Cisco ASA”

  1. Hello Brandon!

    I would like to do something similar: advertise a /32 route in OSPF on ASA 8.2.
    If I use a route-map with an ACL it works well, as long as I’m advertising a /30 network:

    router ospf 1
    router-id X.X.X.A
    network X.X.X.B 255.255.255.248 area 0
    area 0 authentication message-digest
    log-adj-changes
    redistribute static metric 10 subnets route-map annonce_ospf_isp
    route-map annonce_ospf_isp permit 1
    match ip address redistribute_isp
    access-list redistribute_isp standard permit Y.Y.Y.C 255.255.255.252

    If I try to advertise a /32, the subnet does not show up in the OSPF database. So your solution appears to solve my problem. However, it seems like I cannot use a prefix-list in a route-map under ASA 8.2:

    (config-route-map)# match ?
    route-map mode commands/options:
    interface Match first hop interface of route
    ip Match IP address or next-hop or route-source
    metric Match metric of route
    route-type Match route-type of route
    (config-route-map)# match ip ad
    (config-route-map)# match ip address ?
    route-map mode commands/options:
    WORD Access-list name
    (config-route-map)# match ip address

    Do you know of any way to achieve that Under ASA 8.2?

    Thank you!

    • Hi Simon,

      Unfortunately I don’t have an 8.2 ASA to test this on, but have you tried changing your access-list to include only the /32 or host address? Something like ‘access-list redistribute_isp permit host Y.Y.Y.C’ ? Also, remember that you can only redistribute a route that already appears in your routing table. So if the route is really a /30, you would need to create a static route for the /32 that you wish to advertise.

      Hope that helps,

      Brandon

  2. No need to add the external route, just match the prefix of your remote access VPN network (ravpn) and redistribute it in OSPF.

    prefix-list ravpn seq 5 permit 192.168.30.0/24 le 32

    route-map static permit 20
    match ip address prefix-list ravpn

    router ospf 100
    redistribute static subnets tag 100 route-map static
    summary-address 192.168.30.0 255.255.255.0 tag 100

  3. The static route is not needed for advertising the subnet. All you need to do is summarize it.

    prefix-list VPN_PREFIX seq 1 permit 192.168.254.128/25 le 32
    !
    route-map VPN_POOL permit 1
    match ip address prefix-list VPN_PREFIX
    !
    router ospf 100
    redistribute static subnets route-map VPN_POOL
    summary-address 192.168.254.128 255.255.255.128

    When someone signs on to the VPN, only one route will appear in the routing table of a router in the OSPF domain:
    O E2 192.168.254.128/25 [110/1] via 1.1.1.1 , 00:19:26, GigabitEthernet0/0

    The ASA will still have each individual host route.

  4. Hi,
    If the subnets keyword is not included in the redistribution (into OSPF), only the classful networks are redistributed, as far as I know. How can we see this route?:
    RTR#sh ip route | i 192.168.254
    O E2 192.168.254.128/25 [110/20] via 10.5.2.6, 01:45:03, Vlan85

    Br,Levi

  5. Pingback: Dynamic routing protocol and NAT rule settings when a Cisco ASA acts as an AnyConnect server | Drown in Codes

  6. Hello,

    Thank you for this insight. I have one question about the static route. Are we to point the static route to the outside interface public IP?
