2 posts tagged “cisco”
Here's my cool Pix/ASA trick of the day. Take the following scenario:
I had a Pix with a sizable jumble of non-contiguous networks behind the inside interface: 192.168.1.0/24, 192.168.50.0/24, and so on. For simplicity I had configured one large static route to cover them all.
pix# show route | i 192.168
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, inside
At a later time I needed to establish an IPsec tunnel to a remote network with the internal address 192.168.10.0/24. Because that address space overlaps with the 192.168.0.0/16 static route, hosts on the Pix network were unable to reach the remote site. They actually encountered a routing loop: the Pix sent traffic for 192.168.10.0/24 to the inside router (10.0.0.1), which had no more specific route and sent it straight back to the inside interface of the Pix.
In order to fix the problem I had to let the crypto map for the new tunnel inject the remote site's route into the routing table. The "set reverse-route" command (Reverse Route Injection) enables this feature.
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set 3DES
crypto map mymap 10 set reverse-route
So now when you look at the Pix route table you'll see a more specific entry for the remote site, which wins over the /16 static route by longest-prefix match.
pix# show route | i 192.168
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, inside
S 192.168.10.0 255.255.255.0 [1/0] via 2.2.2.2, outside
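To show why the /16 static route loops and why the injected /24 fixes it, here is a small hop-by-hop forwarding simulation. It is an added example, not code from the original post; the Pix inside address (10.0.0.2), the inside router's default route back to the Pix, and the table contents are constructed from the post.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, interface) rows."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])

# Constructed tables modelled on the post. The Pix inside interface address
# (10.0.0.2) and the inside router's default route back to it are assumptions.
PIX_STATIC_ONLY = [
    ("192.168.0.0/16", "10.0.0.1", "inside"),   # the catch-all static route
    ("0.0.0.0/0", "2.2.2.2", "outside"),
]
INSIDE_ROUTER = [
    ("192.168.1.0/24", None, "connected"),
    ("192.168.50.0/24", None, "connected"),
    ("0.0.0.0/0", "10.0.0.2", "uplink"),        # everything else goes to the Pix
]
HOP_TO_DEVICE = {"10.0.0.1": "router", "10.0.0.2": "pix"}

def with_reverse_route(pix_table, remote_net, outside_gw="2.2.2.2"):
    """Model of 'set reverse-route': inject the peer's protected network
    as a more specific route pointing out the outside interface."""
    return pix_table + [(remote_net, outside_gw, "outside")]

def trace(pix_table, dst):
    """Follow a packet from the Pix hop by hop; return (outcome, path)."""
    tables = {"pix": pix_table, "router": INSIDE_ROUTER}
    device, path, visited = "pix", [], set()
    while device not in visited:           # revisiting a device means a loop
        visited.add(device)
        route = lookup(tables[device], dst)
        if route is None:
            return "unroutable", path
        next_hop, iface = route
        path.append((device, iface))
        if iface == "connected":
            return "delivered", path
        if iface == "outside":
            return "sent-to-tunnel", path  # handed to the IPsec peer
        device = HOP_TO_DEVICE[next_hop]
    return "routing-loop", path
```

Without the injected route, trace(PIX_STATIC_ONLY, "192.168.10.5") bounces Pix to router to Pix; with it, the same host is sent out the outside interface while 192.168.50.x hosts still reach the inside router.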
After spending more than a few days troubleshooting this on a live production network, I thought I'd share. If you're a network engineer troubleshooting a similar problem, hopefully Google brings you here for a quick fix before you open a support ticket.
FTOS 7.6.1 on Force10 hardware may not support MAC masquerading when a MAC address changes ports. When a MAC address moves from one port to another, as it does during a Cisco ASA failover, the switch's ARP table is not updated. In order to get this behaviour you need to enable the following command in your switch config:
mac-address-table station-move refresh-arp
Problem solved.