topic Re: EIGRP routes in ASA in Network Security

EIGRP routes in ASA

The_guroo_2 — Mon, 11 Mar 2019 20:43:20 GMT

Hi Guys currently we have folwoing config in aur ASA

router eigrp 90

no auto-summary

distribute-list intoout_route out interface outside

network 192.168.1.0 255.255.255.240

access-list intoout_route permit 192.168.0.0 255.255.0.0

Now this ASA is connected to a switch and then there is an internet router............the ASA can see all the routes from (EIGRP) from internet router but the internet router nor the switch can see any eigrp routes from this ASA.

The inside interface IP is 192.168.1.1 255.255.255.240

outside one is 192.168.1.10 255.255.255.240

can someone plz tell me as i am going nuts

😞

EIGRP routes in ASA

Jon Marshall — Wed, 08 Jun 2011 11:56:45 GMT

So the ASA is receiving a route from a L3 device on it's inside interface for 192.168.0.0/16 is it ?

If it isn't then your config effectively would advertise nothing to the outside.

Jon

EIGRP routes in ASA

The_guroo_2 — Wed, 08 Jun 2011 23:31:26 GMT

Thanks Jon for your reply......the conection is as under:

firewall conected to core switch (inside IP is 192.168.1.1 and swicth ip (routed port) is 192.168.1.14/28

ouside interface has ip of 192.168.1.17/28 (sorry for th elast post ip)

so eigrp is config

router eigrp 90

no auto-summary

distribute-list intoout_route out interface outside

network 192.168.1.0 255.255.255.240

access-list intoout_route permit 192.168.0.0 255.255.0.0

when i do sh eigrp nei

the firewall does show th eneibour outsode interface (interneyt router) and the firewall is getting all routes from internet router via eigrp

but when i check at internet router i am not getting a route of 192.168.1.0/28 why is that

in access-list i have added 192.168.0.0/16 so technically 192.168.1.0/28 shd be allowed under this

Thanks again

Re: EIGRP routes in ASA

Jon Marshall — Thu, 09 Jun 2011 11:25:37 GMT

Couple of things -

1) i didn't notice yesterday but your acl is wrong, you need to be using a reverse mask so -

access-list intoout_route permit 192.168.0.0 255.255.0.0

should be

access-list intoout_route permit 192.168.0.0 0.0.255.255

2) from memory the access-list is used to describe specific matches ie. you have specificed 192.168.0.0/16. This does not mean anything that is covered by 192.168.0.0/16, such as 192.168.1.0/28 is also advertised because 192.168.1.0/28 is not an exact match. If you wanted to do that sort of thing you would need to use a prefix-list.

So if you want to advertise 192.168.1.0/28 to the internet router -

access-list intoout_route permit 192.168.1.0 255.255.255.240

3) You may instead want to simply advertise a summary route such as 192.168.0.0/16 ie. only this route gets to the internet router but that is okay as it would also cover 192.168.1.0/28. If you do then the ASA would need to receive this route from an internal router. You can't simply add a route in the distribute-list and expect it to be advertised if the ASA is not receiving that route.

Jon

EIGRP routes in ASA

The_guroo_2 — Thu, 09 Jun 2011 14:45:52 GMT

Hi Jon

Thanks for your reply ....in ASA the access-list is oppsoite ...so subnet mask is used instaead of wild card mask

even in EIGRP that is the case.......its strange but thats how it works

🙂

EIGRP routes in ASA

Jon Marshall — Thu, 09 Jun 2011 15:47:32 GMT

Wow, i'm getting rusty. Yes of course, you are right, ASAs use standard subnet masks, my mistake.

But the rest is still relevant and why your internet router is not receiving any routes.

Jon