When configuring an ASA for VPN tunnels I like to use the "Reverse Route Injection" feature. This feature automatically installs static routes to destinations defined in your Site-to-Site vpn profiles.

That makes it very easy to automatically inject routes to VPN sites into the routing protocol used on the internal network.

The way I've done it below is simple but powerful. Everytime a new Site-to-Site VPN comes up, the routes are automatically redistributed.

***Note - It was necessary to filter the default static route from the redistribution because it also points to the "outside" interface. The default static route is only for use in routing traffic that flows through this ASA. It must not be redistributed to the internal network.

Configuration:

access-list filter-default-static-route remark filter static default route from OSPF Redistribution
access-list filter-default-static-route standard deny host 0.0.0.0

route-map vpn-routes permit 10
match ip address filter-default-static-route

route-map vpn-routes permit 20
match interface outside
set metric-type type-2

router ospf 1
router-id 192.168.1.1
network 192.168.1.0 255.255.255.0 area 0
redistribute static subnets route-map vpn-route

....

---

Add this page to your favorite Social Bookmarking websites