02-27-2012 12:58 PM - edited 03-05-2019 06:47 AM
I have an ASA 5520 connected to a Cisco 6509E, and we're turning up EIGRP between the two. The problem that I'm running into is that there are a few static routes (including a 0.0.0.0) on the core that are being redistributed into the EIGRP AS, and I need to block this from being propagated to the ASA. The ASA only has the capability to use an ACL in conjunction with a distribute-list, and I can't find a way to filter the default route (0.0.0.0 /0) while allowing everything else.
Any suggestions?
Thanks!
Darren
02-27-2012 02:37 PM
I don't have an ASA that I can test, but you can try this:
access-list DenyDefault deny ip 0.0.0.0 0.0.0.0 (being an ASA, you may have to change this to 0.0.0.0 255.255.255.255)
access-list DenyDefault permit ip any any
router eigrp 100
distribute-list DenyDefault in
I would definitely make this change after hours since I'm not sure how this will affect it. The ACL syntax probably isn't right, but I don't have an ASA running eigrp.
02-28-2012 05:40 AM
Thanks for the reply j.blakley. I ended up denying the 0.0.0.0 host, and took it a step further with some RRI. Here's part of my codebase:
ASA5520STL01# sh run access-list
access-list Redistribute_Connected_Tunnels standard permit 192.168.12.48 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.12.32 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.3.80 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.3.144 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.12.64 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.3.80 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.3.144 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.12.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.3.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.0.0 255.255.0.0
access-list EIGRP_In_From_Core standard deny host 0.0.0.0
access-list EIGRP_In_From_Core standard permit any
ASA5520STL01# sh run crypto map
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set peer X.X.X.X
crypto map Outside_map 2 set transform-set ESP-AES-128-MD5
crypto map Outside_map 2 set reverse-route
crypto map Outside_map 3 match address Outside_cryptomap
crypto map Outside_map 3 set peer X.X.X.X
crypto map Outside_map 3 set transform-set ESP-AES-128-MD5
crypto map Outside_map 3 set reverse-route
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set peer X.X.X.X
crypto map Outside_map 4 set transform-set ESP-AES-128-SHA
crypto map Outside_map 4 set reverse-route
crypto map Outside_map 5 match address Outside_5_cryptomap
crypto map Outside_map 5 set peer X.X.X.X
crypto map Outside_map 5 set transform-set ESP-AES-128-SHA
crypto map Outside_map 5 set reverse-route
crypto map Outside_map interface Outside
ASA5520STL01# sh run router
router eigrp 100
no auto-summary
distribute-list EIGRP_In_From_Core in interface inside
network X.X.X.X X.X.X.X
passive-interface default
no passive-interface inside
redistribute static route-map Redistribute_Connected_Tunnels
ASA5520STL01# sh run route-map
route-map Redistribute_Connected_Tunnels permit 1
match ip address Redistribute_Connected_Tunnels
Working great now!
Darren
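The filter in the post above works because the distribute-list compares each incoming route's network address against a standard ACL, so "deny host 0.0.0.0" catches the default route. The following Python simulation is an added example, not code from the thread or from Cisco: it parses the EIGRP_In_From_Core ACL exactly as posted, runs a constructed set of candidate routes through it, and reports which entry each route hits. It assumes top-down, first-match evaluation with an implicit deny at the end, that ASA standard ACL entries carry a subnet mask (255.255.255.240) rather than an IOS wildcard, and that only the route's network address is compared, not its prefix length. Checking the filter offline like this before the after-hours change shows the intended behaviour (default route dropped, everything outside 192.168.0.0/16 accepted) and also that the 192.168.0.0 255.255.0.0 entry already covers every more specific 192.168.x deny above it.

```python
"""Simulate an ASA distribute-list standard ACL against incoming EIGRP routes.

Added example, not the thread author's tooling or Cisco code. Assumptions:
  * entries are evaluated top-down, first match wins, implicit deny at end;
  * the mask is a subnet mask (255.255.255.240), not an IOS-style wildcard;
  * only the route's network address is compared; prefix length is ignored.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    network: int  # network address as a 32-bit integer
    mask: int     # subnet mask as a 32-bit integer (0 means "any")

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # Standard-ACL semantics: mask the route's network address and compare.
        addr = int(route.network_address)
        return (addr & self.mask) == (self.network & self.mask)


def parse_standard_acl(config_text: str) -> dict:
    """Parse 'access-list NAME standard permit|deny ...' lines, keyed by ACL name."""
    acls: dict = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] != "standard":
            continue  # not a standard ACL line (prompt, crypto map, etc.)
        name, action, operand = parts[1], parts[3], parts[4:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in line: {raw!r}")
        if operand == ["any"]:
            entry = AclEntry(action, 0, 0)
        elif len(operand) == 2 and operand[0] == "host":
            entry = AclEntry(action, int(ipaddress.IPv4Address(operand[1])), ALL_ONES)
        elif len(operand) == 2:
            entry = AclEntry(action,
                             int(ipaddress.IPv4Address(operand[0])),
                             int(ipaddress.IPv4Address(operand[1])))
        else:
            raise ValueError(f"unparsed operand in line: {raw!r}")
        acls.setdefault(name, []).append(entry)
    return acls


def filter_route(entries: list, route: ipaddress.IPv4Network) -> tuple:
    """Return (accepted, index of the matching entry); index -1 is the implicit deny."""
    for idx, entry in enumerate(entries):
        if entry.matches(route):
            return entry.action == "permit", idx
    return False, -1


def apply_distribute_list(entries: list, routes: list) -> dict:
    """Map each candidate prefix (string) to its (accepted, entry index) verdict."""
    return {r: filter_route(entries, ipaddress.IPv4Network(r)) for r in routes}


# The inbound ACL as posted in the thread (copied verbatim from the show output).
CORE_ACL_CONFIG = """\
access-list EIGRP_In_From_Core standard deny 192.168.3.80 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.3.144 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.12.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.3.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.0.0 255.255.0.0
access-list EIGRP_In_From_Core standard deny host 0.0.0.0
access-list EIGRP_In_From_Core standard permit any
"""

# Constructed candidate routes, as the core might advertise them (not from the thread).
CANDIDATE_ROUTES = [
    "0.0.0.0/0",        # the redistributed default route the ASA must not learn
    "10.20.0.0/16",     # an unrelated internal network, should be accepted
    "172.16.5.0/24",    # another internal network, should be accepted
    "192.168.3.80/28",  # one of the RRI tunnel subnets, explicitly denied
    "192.168.12.0/24",  # a summary of the tunnel space, explicitly denied
    "192.168.99.0/24",  # not listed explicitly; caught by the /16 entry
]

if __name__ == "__main__":
    entries = parse_standard_acl(CORE_ACL_CONFIG)["EIGRP_In_From_Core"]
    for prefix, (accepted, idx) in apply_distribute_list(entries, CANDIDATE_ROUTES).items():
        hit = "implicit deny" if idx < 0 else f"entry {idx}"
        print(f"{prefix:18} {'ACCEPT' if accepted else 'DROP':6} ({hit})")
```

Running the block prints one verdict per route; 0.0.0.0/0 is dropped by entry 5 (the host 0.0.0.0 line), and 192.168.99.0/24 is dropped by entry 4 even though no line names it, which is the /16 entry doing the work that entries 0 to 3 also do.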
02-28-2012 06:53 AM
Good to hear!
Please rate helpful posts....