This example redistributes VPN routes into your EIGRP network.

1. Turn on reverse route for your crypto maps

crypto dynamic-map Outside_dyn_map 20 set reverse-route <– for a remote access VPN
crypto map Outside_map 1 set reverse-route  <– for a L2L tunnel

2. Create a route map and define the traffic

access-list VPN-Redistribute standard permit 10.222.222.0 255.255.255.128  <– VPN traffic
route-map Redistribute permit 5
match ip address VPN-Redistribute

3. Define the EIGRP process, including your inside network

router eigrp 10
network 10.254.254.0 255.255.255.224
redistribute static route-map Redistribute

track 10 ip sla 10 reachability
delay down 5 up 5

ip sla 10
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.100
threshold 30
timeout 3000
frequency 3
ip sla schedule 10 life forever start-time now
ip sla logging traps

ip route 0.0.0.0 0.0.0.0 192.168.100.252 track 10   <–install only when sla 10=true
ip route 0.0.0.0 0.0.0.0 172.26.100.2 100   <–otherwise use route with higher metric

In CUCM, SIP redundancy is provided by either route groups/route lists or SRV records.
On CME systems, the only method for SIP redundancy is SRV records.

==================================
ip host losangeles.domain.com 216.82.225.202
ip host newyork.domain.com 216.82.224.202

ip host _sip._udp.sipgroup.domain.com srv 1 50 5060 losangeles.domain.com
ip host _sip._udp.sipgroup.domain.com srv 2 50 5060 newyork.domain.com

ip domain lookup
ip name-server 10.3.0.1
ip domain name domain.com

sip-ua
sip-server dns:sipgroup.domain.com
================================

This example will use Los Angeles all the time unless it is unreachable, then use New York.
If I were to set both priorities to 1, they would load balance. The 50 is the weight, so you could set 60/40 or whatever.
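
The priority and weight behaviour described above, modelled in Python as an added example (not part of the original post and not CME's own code). It follows the RFC 2782 selection rules; the function names and the 60/40 record set are assumptions made for illustration.

```python
import random
from collections import Counter

# SRV records from the config above: (priority, weight, port, target)
RECORDS = [
    (1, 50, 5060, "losangeles.domain.com"),
    (2, 50, 5060, "newyork.domain.com"),
]
# Constructed variant: same priority, 60/40 weights (assumption for illustration)
BALANCED = [
    (1, 60, 5060, "losangeles.domain.com"),
    (1, 40, 5060, "newyork.domain.com"),
]

def order_targets(records, rng):
    """Return targets in the order a client tries them per RFC 2782."""
    ordered = []
    for prio in sorted({r[0] for r in records}):   # lowest priority value first
        # Weight-0 records are placed first so they still have a small chance.
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:                # weighted random choice
                    ordered.append(rec[3])
                    group.remove(rec)
                    break
    return ordered

def select(records, reachable, rng):
    """First reachable target in RFC 2782 order, or None if all are down."""
    for target in order_targets(records, rng):
        if target in reachable:
            return target
    return None

def first_choice_counts(records, trials, seed=0):
    """How often each target is tried first when every target is up."""
    rng = random.Random(seed)
    return Counter(order_targets(records, rng)[0] for _ in range(trials))

if __name__ == "__main__":
    rng = random.Random(1)
    print(select(RECORDS, {"losangeles.domain.com", "newyork.domain.com"}, rng))
    print(select(RECORDS, {"newyork.domain.com"}, rng))   # failover
    print(first_choice_counts(BALANCED, 10000))            # roughly 60/40
```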

In this example, a route is installed when an address is NOT reachable.
Useful for backup routes or automated turn-ups.

ip sla 6
icmp-echo 8.8.8.8
timeout 500
frequency 3
ip sla schedule 6 life forever start-time now

track 101 ip sla 6 reachability
track 102 list boolean and
object 101 not

ip route 192.168.186.0 255.255.255.0 192.168.180.1 track 102

In this example, a route is installed when an address IS reachable.
ip sla 6
icmp-echo 8.8.8.8
timeout 500
frequency 3
ip sla schedule 6 life forever start-time now

track 101 ip sla 6 reachability

ip route 192.168.186.0 255.255.255.0 192.168.180.1 track 101

If you do not have vCenter and you want to collect performance stats past 1 hour, the option is greyed out in the vSphere client. However, turning it on is pretty easy:

  1. SSH to the host
  2. Open the file with “vi /etc/vmware/hostd/config.xml”
  3. Find the <historicalStatsEnabled> tag under <statssvc> and set it to true
  4. Run “services.sh restart”

We’ve all had those oh-shit moments when changing an IP or duplex setting, or making some other change, and losing the connection to a device, which ends up costing someone a trip on site and possible downtime.

The best way I’ve found to cover yourself is this command:

“reload in 5”

If everything goes according to plan, cancel the reload and write mem, but if not, you’ve minimized downtime.

CSCtr16184

Ran into this bug in ASA 8.4 where accessing ASDM through VPN would not work, even though relevant management was correct and I was exempting my inside network from my VPN pool. The fix was adding “route-lookup” to the end of the NAT exemption.

nat (LAN,TWC) source static obj-10.2.0.0 obj-10.2.0.0 destination static obj-vpn obj-vpn route-lookup