Cisco ASA provides many advanced features to suit your site-to-site VPN implementations. These features include the following:
OSPF Updates over IPSec
As discussed in Chapter 6, "IP Routing," Open Shortest Path First (OSPF) uses multicast to communicate with its neighbors. IPSec, on the other hand, cannot encapsulate multicast traffic. Cisco ASA solves this problem by statically defining neighbors with the neighbor command, which makes the ASA send unicast OSPF packets to the remote VPN peer. Refer to Chapter 6 for in-depth coverage of this feature.
Example 15-15 shows how to set up the outside interface as a nonbroadcast media and specify the remote VPN peer as the OSPF neighbor on the outside interface.
Example 15-15. OSPF Updates over IPSec
Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# nameif outside
Chicago(config-if)# security-level 0
Chicago(config-if)# ip address 22.214.171.124 255.255.255.224
Chicago(config-if)# ospf network point-to-point non-broadcast
Chicago(config)# router ospf 1
Chicago(config-router)# network 126.96.36.199 255.255.255.255 area 0
Chicago(config-router)# neighbor 188.8.131.52 interface outside
The Cisco ASA uses the IP address of the outside interface as the source of the OSPF packets and the neighbor's IP address as the destination. Verify that the crypto ACL includes an entry that encrypts packets from 184.108.40.206 to 220.127.116.11; otherwise the unicast OSPF packets leave the outside interface without entering the tunnel.
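One way to perform the check the paragraph ends with, as an added example that is not the book's code: parse a constructed ASA config, extract the outside interface address and the OSPF neighbor, and test whether any crypto ACL entry selects that unicast pair. The 203.0.113.x addresses and the ACL name encrypt-acl are assumptions.

```python
import ipaddress
import re
# Constructed sample modelled on Example 15-15 plus an assumed crypto ACL; the
# addresses and the ACL name are placeholders, not values taken from the page.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.224
 ospf network point-to-point non-broadcast
router ospf 1
 network 203.0.113.1 255.255.255.255 area 0
 neighbor 203.0.113.2 interface outside
access-list encrypt-acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list encrypt-acl extended permit ip host 203.0.113.1 host 203.0.113.2
crypto map IPSec_map 10 match address encrypt-acl
"""

def _nets(tokens):
    """Parse 'a.b.c.d mask' or 'host a.b.c.d' address tokens into ip_network objects."""
    nets, i = [], 0
    while i < len(tokens):
        if tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1]))
        else:
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False))
        i += 2
    return nets

def crypto_acl_entries(config, acl_name):
    """Return (src_net, dst_net) pairs for the 'permit ip' lines of one crypto ACL."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip (.+)$")
    entries = []
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            src, dst = _nets(m.group(1).split())
            entries.append((src, dst))
    return entries

def ospf_unicast_pair(config):
    """Outside interface IP -> OSPF neighbor IP (assumes a single interface block)."""
    iface_ip = re.search(r"^\s*ip address (\S+)", config, re.M).group(1)
    neighbor = re.search(r"^\s*neighbor (\S+) interface outside", config, re.M).group(1)
    return ipaddress.ip_address(iface_ip), ipaddress.ip_address(neighbor)

def ospf_covered_by_crypto_acl(config, acl_name):
    """True if some crypto ACL entry selects the OSPF unicast traffic for encryption."""
    src, dst = ospf_unicast_pair(config)
    return any(src in s and dst in d for s, d in crypto_acl_entries(config, acl_name))
```

A config whose crypto ACL covers only the LAN-to-LAN subnets fails the check, which is the misconfiguration the paragraph warns about.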
Reverse Route Injection
Reverse route injection (RRI) distributes remote network information into the local network with the help of a routing protocol. With RRI, the Cisco ASA automatically adds static routes for the remote networks to its routing table and can then announce those routes to its neighbors on the private network using OSPF. To configure RRI, set reverse-route on the crypto map instance:
crypto map map-name seq-num set reverse-route
Figure 15-3 shows an IPSec topology that is using OSPF to propagate the remote private network information into the local LAN of the Chicago ASA.
Figure 15-3. Example of RRI in the ASA
Example 15-16 illustrates how RRI can be enabled on the ASA in Chicago as depicted in Figure 15-3.
Example 15-16. Configuration of Reverse Route Injection
Chicago(config)# crypto map IPSec_map 10 match address encrypt-acl
Chicago(config)# crypto map IPSec_map 10 set peer 18.104.22.168
Chicago(config)# crypto map IPSec_map 10 set transform-set myset
Chicago(config)# crypto map IPSec_map 10 set reverse-route
To check whether the ASA has added the remote network information to the routing table, type show route, as illustrated in Example 15-17.
Example 15-17. Routing Table on the ASA
Chicago# show route
S 0.0.0.0 0.0.0.0 [1/0] via 22.214.171.124, outside
C 192.168.10.0 255.255.255.0 is directly connected, inside
C 126.96.36.199.0 255.255.255.224 is directly connected, outside
S 192.168.30.0 255.255.255.0 [1/0] via 188.8.131.52, outside
If you see the static route for the remote private network in the routing table, the next step is to advertise it to local OSPF peers, as shown in Example 15-18.
Example 15-18. OSPF Configuration on the ASA
Chicago(config)# router ospf 10
Chicago(config-router)# network 192.168.10.0 255.255.255.0 area 0
Chicago(config-router)# redistribute static subnets
The internal router (Router1) will receive this route and install it in its routing table, as demonstrated in Example 15-19.
Example 15-19. Routing Table on a Router
Router1# show ip route
C 192.168.10.0/24 is directly connected, Ethernet0
C 192.168.20.0/24 is directly connected, FastEthernet0
O E2 192.168.30.0/24 [110/20] via 192.168.10.1, 00:00:03, Ethernet0
NAT Traversal
Traditionally, IPSec tunnels fail to pass traffic when a PAT device sits between the peers. Cisco ASA uses ESP, which carries no Layer 4 port information, so a PAT device has nothing to translate and usually drops IPSec packets. To remedy this problem, Cisco drafted an IETF standard called NAT Traversal (NAT-T), which encapsulates the ESP packets in UDP port 4500 so that the PAT device can translate the encrypted packets. NAT-T is dynamically negotiated if the following two conditions are met:
To enable NAT-T globally on the ASA, the command syntax is
isakmp nat-traversal [keepalives]
Keepalives range between 10 and 3600 seconds; if you don't specify a keepalive interval, the ASA uses 20 seconds as the default. NAT/PAT devices often time out their UDP port 4500 translation entries when no traffic passes through them. NAT-T keepalives let the Cisco ASA send periodic keepalive messages to prevent those entries from timing out.
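As an added example that is not the book's code, the following Python classifies UDP port 4500 payloads by the NAT-T framing described above (a lone keepalive byte, IKE behind a non-ESP marker, or UDP-encapsulated ESP, as defined in RFC 3948) and applies the keepalive range and default just stated; the sample payloads are constructed, and the PAT timeout values are assumptions.

```python
import struct

# Constructed UDP port 4500 payloads (the bytes after the UDP header) that mimic the
# RFC 3948 NAT-T framing; they are built here and are not captures from the page.
SAMPLES = {
    "keepalive": b"\xff",
    "ike": (b"\x00\x00\x00\x00"            # non-ESP marker
            + b"\x11" * 8 + b"\x22" * 8    # initiator / responder SPI
            + b"\x21\x20\x22\x08"          # next payload, version 2.0, IKE_SA_INIT, flags
            + b"\x00\x00\x00\x00"          # message ID
            + b"\x00\x00\x00\x1c"),        # length
    "esp": struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 32,  # SPI, sequence, ciphertext
}

def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload as NAT keepalive, IKE, UDP-encapsulated ESP or malformed."""
    if payload == b"\xff":
        # NAT-keepalive: a lone 0xFF byte whose only job is to refresh the NAT/PAT entry
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == b"\x00\x00\x00\x00":
        # Non-ESP marker: four zero bytes (an ESP SPI of 0 is reserved) precede an IKE header
        if len(payload) < 32:
            return {"kind": "malformed"}
        ispi, _rspi, _np, _ver, exch, _flags, _mid, length = struct.unpack("!QQBBBBII", payload[4:32])
        return {"kind": "ike", "initiator_spi": f"{ispi:016x}", "exchange_type": exch, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])      # ESP header follows the UDP header directly
    return {"kind": "esp", "spi": spi, "seq": seq}

def keepalive_interval(configured=None):
    """Apply the isakmp nat-traversal [keepalives] rule: 10 to 3600 seconds, default 20."""
    if configured is None:
        return 20
    if not 10 <= configured <= 3600:
        raise ValueError("keepalives must be between 10 and 3600 seconds")
    return configured

def pat_entry_survives(pat_udp_timeout, keepalive=None):
    """True if keepalives arrive before an idle PAT device would expire its UDP 4500 entry."""
    return keepalive_interval(keepalive) < pat_udp_timeout
```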
If NAT-T is globally enabled and you do not want one of the peers to negotiate it, use the crypto map set nat-t-disable command for that peer's sequence number. The command syntax is
crypto map map-name seq-num set nat-t-disable
Example 15-20 illustrates how to disable NAT-T for the peer defined in crypto map sequence number 10.
Example 15-20. Disabling NAT-T for a Peer
Chicago(config)# crypto map IPSec_map 10 set nat-t-disable
Tunnel Default Gateway
A Layer 3 device typically has a default gateway that is used to route packets whose destination address is not found in the routing table. The tunnel default gateway, a concept first introduced in the VPN3000 concentrators, is used to route packets that reach the Cisco ASA over an IPSec tunnel when their destination IP address is not found in the routing table. The tunneled traffic can be either remote-access or site-to-site VPN traffic. The tunnel default gateway next-hop address is generally the IP address of the inside router, Router1 (illustrated in Figure 15-3), or any other Layer 3 device.
The tunnel default gateway feature is useful if you do not want to define routes for your internal networks on the Cisco ASA and would rather have the tunneled traffic sent to the internal router for routing. To set up a tunnel default gateway, add the keyword tunneled to the statically configured default route. Example 15-21 shows the configuration of the Cisco ASA with the tunnel default gateway specified as 192.168.10.2, located on the inside interface.
Example 15-21. Tunnel Default Gateway Configuration
Chicago(config)# route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled
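As an added example (not the book's code) serving both the Reverse Route Injection section and the tunnel default gateway just configured, this Python simulation derives the RRI static routes from a crypto map, builds the table of Example 15-17, lists what redistribute static hands to OSPF (the O E2 route Router1 sees in Example 15-19), and resolves next hops with and without the tunneled default route. The peer 203.0.113.2 and the outside default gateway 203.0.113.30 are assumed placeholders; the 192.168.x.0 networks are the page's.

```python
import ipaddress

# Constructed data modelled on Examples 15-16 through 15-21 and Figure 15-3. The
# 192.168.x.0 networks are the page's; the peer 203.0.113.2 and the outside default
# gateway 203.0.113.30 are placeholder assumptions.
CRYPTO_ACLS = {"encrypt-acl": [("192.168.10.0/24", "192.168.30.0/24")]}
CRYPTO_MAP = [{"seq": 10, "match": "encrypt-acl", "peer": "203.0.113.2", "reverse_route": True}]
CONNECTED = [("C", "192.168.10.0/24", None, "inside"), ("C", "203.0.113.0/27", None, "outside")]
DEFAULT_ROUTE = ("S", "0.0.0.0/0", "203.0.113.30", "outside")
TUNNELED_DEFAULT = ("192.168.10.2", "inside")   # route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled

def rri_routes(crypto_map, acls):
    """RRI: for each crypto map entry with 'set reverse-route', one static route per
    crypto-ACL destination, next hop = the IPsec peer, via the outside interface."""
    routes = []
    for entry in crypto_map:
        if entry["reverse_route"]:
            for _src, dst in acls[entry["match"]]:
                routes.append(("S", dst, entry["peer"], "outside"))
    return routes

def routing_table():
    """The ASA table as 'show route' lists it: connected, RRI statics, then the default."""
    rows = CONNECTED + rri_routes(CRYPTO_MAP, CRYPTO_ACLS) + [DEFAULT_ROUTE]
    return [(code, ipaddress.ip_network(net), nh, iface) for code, net, nh, iface in rows]

def redistributed_statics(table):
    """What 'redistribute static subnets' hands to OSPF: static routes other than the
    default (that one needs default-information originate); Router1 sees them as O E2."""
    return [str(net) for code, net, _nh, _iface in table if code == "S" and net.prefixlen > 0]

def lookup(table, dst, from_tunnel, tunneled_default=TUNNELED_DEFAULT):
    """Longest-prefix match. A packet that arrived over an IPsec tunnel and matches
    nothing more specific than the default route goes to the tunnel default gateway."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r[1]), key=lambda r: r[1].prefixlen, default=None)
    if best is not None and best[1].prefixlen == 0 and from_tunnel and tunneled_default:
        return ("S", best[1], tunneled_default[0], tunneled_default[1])
    return best

def next_hop(dst, from_tunnel):
    """(next_hop_ip, interface) for a destination; next_hop_ip is None when connected."""
    route = lookup(routing_table(), dst, from_tunnel)
    return None if route is None else (route[2], route[3])
```

The 192.168.20.0/24 network behind Router1 is not in the ASA table, so tunneled traffic for it goes to 192.168.10.2 while the same destination from a non-tunnel source follows the ordinary default route.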