cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
442
Views
0
Helpful
3
Replies

EIGRP through asa on metroE

Preston Kilburn
Level 1
Level 1

Greetings all.  I currently have two routers that have connections over frame relay using 172.20.x.x ip addresses.  The remote offices connect to a central 2811 router.  The field routers are 1841's.  

Due to hardware issues (lack of ethernet ports and unavailability to get a new router in the next few months) - I need to move the routers to the new metro ethernet connection from our service provider.  It is a flat layer 2 connection to two remote sites.  I would like to migrate these remote sites to a connection on the ASA and have it participate in eigrp (the process is 14).  Layer 2/3 works great over the metro-e, however they have a BOATLOAD of static routes redistributed into EIGRP from third party firewalls and vpn's etc (hence no possibility of adding metro-E to the router because there are literally no ethernet ports possible to add in this model).

On my first go at it connecting EIGRP AS 14 brings up connectivity to the remote locations brings up the neighbor relations and then I lose connectivity to them but I can ping from the firewall still.

I'm wondering if there are weird ARP caches or something I can wait to clear or if this is just a bad idea and won't work at all?

I currently have the networks configured as: 

routers (currently works over FR):

router eigrp 14

network 172.20.0.0

network 172.30.0.0

no auto

(int's FA ip addresses are all in 172.20 or 172.30 subnets and ping fine now)

----ASA 5510----

eth0/3

ip address 172.30.30.1/24

router eigrp 14

network 172.20.0.0

network 172.30.0.0

no auto

 

I am wondering if I might need to turn off split horizon on this thing because I have two (soon to be 8) neighbors off of this interface??

 

3 Replies 3

jpl861
Level 4
Level 4
Not sure if I understood your question as it is a bit unclear but have you checked your firewall rules if they are allowing all traffic to pass through the ASA?

Yes, it does allow.  Since it is a metro E I set the security level at 100, set it to allow IP any any (it's our equipment - it could be tightened down at a later date, but for now I just need connectivity.  And I have made sure that traffic can flow from areas with the same security level.

Interfaces with the same security level are not allowed to pass through by default. You wull need to add the command same-security-traffic permit inter-interface.
Review Cisco Networking for a $25 gift card