I am trying to set up a test environment to see the feasibility of using a transparent ASA to perform access filtering of an AWS Direct Connect MPLS connection. I am trying to set this up in a lab environment, so it is not exact, but close enough.
My environment: core switches, Nexus 9504 switches.
ASA - clustered 5585's in multi-context mode, with a new context set to transparent.
1921 router used to simulate the router that will terminate the MPLS.
I have created an SVI on each 9504 for vlan 811 and set up an HSRP gateway as follows:
switch A - vlan 811, 172.24.208.2/24, HSRP address 172.24.208.1
switch B - vlan 811, 172.24.208.3/24, HSRP address 172.24.208.1
The .1 address is active on A, standby on B.
There is also vlan 812 created as L2 only to be the outside of the firewall. Both vlan 811 and 812 are in the trunk up to the ASA.
The context on the ASA has BVI1 created and 811 is the inside interface, 812 is the outside. The BVI was given IP address 172.24.208.20/24.
The ASA currently has an ACL on the inside to permit EIGRP to 224.0.0.10 from 172.24.208.1-3, and an ACL on the outside to permit EIGRP to 224.0.0.10 from 172.24.208.50 (assigned to the 1921 router).
The 1921 router is holding IP address 172.24.208.50/24 and is physically connected to switch A on vlan 812. It is configured with 2 loopback addresses for 172.24.209.1/24 and 172.24.210.1/24 and configured to redistribute those into EIGRP.
With this config in place, the EIGRP neighbor relationships will form on vlan 811 and the B switch will learn the routes for 172.24.209.0/24 and 172.24.210.0/24, but the A switch will learn them from B rather than from the 1921. The 1921 gets nothing from the Nexus switches, although they are configured with route-maps to redistribute static and connected routes that work to other devices.
Here is where it gets really weird. If I shut down the HSRP on the B side, the A side keeps the neighbor relationship but loses the routes, because it can't learn them from the 1921. If, instead, I shut down the HSRP on the A side, the B side keeps the routes.
If I move the connection to the 1921 from vlan 812 to 811, so it bypasses the firewall, it works as expected and forms the correct EIGRP relationship, and transfers routes, so it has to be the firewall causing the problem.
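For reference, here is what the transparent context described in the post looks like as ASA CLI. This is an added example, not the poster's configuration: the interface names (Port-channel1.811 / .812), object-group names and ACL names are assumptions, since the post does not give them, and the VLAN tagging of the subinterfaces is done in the system context in multi-context mode, so it is not shown. One thing a practitioner would want in these ACLs that the post's description does not mention: EIGRP does not only use the multicast group 224.0.0.10. Hellos are multicast, but the update exchange after adjacency, retransmissions and query/reply traffic are sent unicast between the neighbor addresses, so the example permits protocol 88 (eigrp) both to 224.0.0.10 and between the named speakers. Whether multicast-only ACLs are what is breaking the route exchange in this lab is not established by the post, but it is the first thing to rule out.

```cisco
! Context is already in transparent mode. Assumption: the subinterfaces
! allocated to this context from the system context are Port-channel1.811
! and Port-channel1.812 (VLAN tags are set in the system context).
firewall transparent
!
interface Port-channel1.811
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel1.812
 nameif outside
 bridge-group 1
 security-level 0
!
! Management address of the bridge group, as in the post
interface BVI1
 ip address 172.24.208.20 255.255.255.0
!
! EIGRP speakers on each side (addresses from the post; group names assumed).
! Restricting the ACLs to these hosts means anything else on the VLANs is
! dropped by the implicit deny at the end of each list.
object-group network NEXUS_SVIS
 network-object host 172.24.208.1
 network-object host 172.24.208.2
 network-object host 172.24.208.3
object-group network MPLS_ROUTER
 network-object host 172.24.208.50
!
! Inside -> outside: multicast hellos plus unicast EIGRP to the 1921
access-list INSIDE_IN extended permit eigrp object-group NEXUS_SVIS host 224.0.0.10
access-list INSIDE_IN extended permit eigrp object-group NEXUS_SVIS object-group MPLS_ROUTER
!
! Outside -> inside: the same in the other direction
access-list OUTSIDE_IN extended permit eigrp object-group MPLS_ROUTER host 224.0.0.10
access-list OUTSIDE_IN extended permit eigrp object-group MPLS_ROUTER object-group NEXUS_SVIS
!
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
```

After applying this, `show access-list INSIDE_IN` and `show access-list OUTSIDE_IN` in the context show per-entry hit counts, so it is visible whether the unicast entries are actually being matched or whether only the 224.0.0.10 entries see traffic. `show mac-address-table` in the context shows which side the ASA has learned the HSRP virtual MAC and each SVI's MAC on, which is the other thing worth confirming when one HSRP peer sees routes and the other does not.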