06-07-2011 08:57 PM - edited 03-11-2019 01:43 PM
Hi Guys, currently we have the following config in our ASA:
router eigrp 90
no auto-summary
distribute-list intoout_route out interface outside
network 192.168.1.0 255.255.255.240
!
access-list intoout_route permit 192.168.0.0 255.255.0.0
Now this ASA is connected to a switch, and then there is an internet router. The ASA can see all the (EIGRP) routes from the internet router, but neither the internet router nor the switch can see any EIGRP routes from this ASA.
The inside interface IP is 192.168.1.1 255.255.255.240
The outside one is 192.168.1.10 255.255.255.240
Can someone please tell me, as I am going nuts
:-(
06-08-2011 04:56 AM
So the ASA is receiving a route from a L3 device on its inside interface for 192.168.0.0/16, is it?
If it isn't then your config effectively would advertise nothing to the outside.
Jon
06-08-2011 04:31 PM
Thanks Jon for your reply. The connection is as under:
Firewall connected to core switch (inside IP is 192.168.1.1 and switch IP (routed port) is 192.168.1.14/28).
Outside interface has IP of 192.168.1.17/28 (sorry for the last post's IP).
So EIGRP is configured as:
router eigrp 90
no auto-summary
distribute-list intoout_route out interface outside
network 192.168.1.0 255.255.255.240
!
access-list intoout_route permit 192.168.0.0 255.255.0.0
When I do sh eigrp nei
the firewall does show the neighbour on the outside interface (internet router), and the firewall is getting all routes from the internet router via EIGRP,
but when I check at the internet router I am not getting a route of 192.168.1.0/28. Why is that?
In the access-list I have added 192.168.0.0/16, so technically 192.168.1.0/28 should be allowed under this.
Thanks again
06-09-2011 04:25 AM
Couple of things -
1) I didn't notice yesterday but your ACL is wrong, you need to be using a reverse mask so -
access-list intoout_route permit 192.168.0.0 255.255.0.0
should be
access-list intoout_route permit 192.168.0.0 0.0.255.255
2) From memory the access-list is used to describe specific matches, i.e. you have specified 192.168.0.0/16. This does not mean that anything covered by 192.168.0.0/16, such as 192.168.1.0/28, is also advertised, because 192.168.1.0/28 is not an exact match. If you wanted to do that sort of thing you would need to use a prefix-list.
So if you want to advertise 192.168.1.0/28 to the internet router -
access-list intoout_route permit 192.168.1.0 255.255.255.240
3) You may instead want to simply advertise a summary route such as 192.168.0.0/16, i.e. only this route gets to the internet router, but that is okay as it would also cover 192.168.1.0/28. If you do, then the ASA would need to receive this route from an internal router. You can't simply add a route in the distribute-list and expect it to be advertised if the ASA is not receiving that route.
Jon
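Added example, not from this thread or from Cisco: a small Python model of the IOS-style prefix-list matching Jon refers to in point 2, run over a constructed routing table. It shows that a bare `permit 192.168.0.0/16` passes only the exact summary (point 3), while `le 28` also passes 192.168.1.0/28; function names are hypothetical, and whether your ASA version accepts a prefix-list in the EIGRP distribute-list should be checked against its own documentation.

```python
import ipaddress

# Constructed routing table on the ASA (what it could advertise outbound).
# Hypothetical example data, not taken from the thread.
RIB = ["192.168.1.0/28", "192.168.0.0/16", "10.0.0.0/8"]


def parse_prefix_list(lines):
    """Parse 'permit|deny A.B.C.D/len [ge N] [le M]' lines into tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        action, prefix = parts[0], ipaddress.ip_network(parts[1])
        ge = le = None
        i = 2
        while i + 1 < len(parts):
            if parts[i] == "ge":
                ge = int(parts[i + 1])
            elif parts[i] == "le":
                le = int(parts[i + 1])
            i += 2
        entries.append((action, prefix, ge, le))
    return entries


def prefix_list_permits(entries, route):
    """First-match evaluation with IOS length semantics and implicit deny."""
    route = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        if route.version != prefix.version or not route.subnet_of(prefix):
            continue
        lo = prefix.prefixlen if ge is None else ge
        if le is not None:
            hi = le                      # ge..le, or prefixlen..le
        elif ge is not None:
            hi = route.max_prefixlen     # "ge N" alone means N..32
        else:
            hi = prefix.prefixlen        # no ge/le: exact length only
        if lo <= route.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny at the end of every prefix-list


def advertised(prefix_list_lines, routes=RIB):
    """Routes that survive the outbound filter, in RIB order."""
    entries = parse_prefix_list(prefix_list_lines)
    return [r for r in routes if prefix_list_permits(entries, r)]


if __name__ == "__main__":
    print(advertised(["permit 192.168.0.0/16"]))        # summary only
    print(advertised(["permit 192.168.0.0/16 le 28"]))  # summary + /28
```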
06-09-2011 07:45 AM
Hi Jon
Thanks for your reply. In the ASA the access-list is opposite, so the subnet mask is used instead of the wildcard mask.
Even in EIGRP that is the case. It's strange but that's how it works.
:-)
06-09-2011 08:47 AM
Wow, I'm getting rusty. Yes of course, you are right, ASAs use standard subnet masks, my mistake.
But the rest is still relevant and why your internet router is not receiving any routes.
Jon