02-27-2012 12:58 PM - edited 03-05-2019 06:47 AM
I have an ASA 5520 connected to a Cisco 6509E, and we're turning up EIGRP between the two. The problem that I'm running into is that there are a few static routes (including a 0.0.0.0) on the core that are being redistributed into the EIGRP AS, and I need to block this from being propagated to the ASA. The ASA only has the capability to use an ACL in conjunction with a distribute-list, and I can't find a way to filter the default route (0.0.0.0/0) while allowing everything else.
Any suggestions?
Thanks!
Darren
02-27-2012 02:37 PM
I don't have an ASA that I can test, but you can try this:
access-list DenyDefault deny ip 0.0.0.0 0.0.0.0 (being an ASA, you may have to change this to 0.0.0.0 255.255.255.255)
access-list DenyDefault permit ip any any
router eigrp 100
distribute-list DenyDefault in
I would definitely make this change after hours since I'm not sure how this will affect it. The ACL syntax probably isn't right, but I don't have an ASA running eigrp.
02-28-2012 05:40 AM
Thanks for the reply, j.blakley. I ended up denying the 0.0.0.0 host, and took it a step further with some RRI. Here's part of my codebase:
ASA5520STL01# sh run access-list
access-list Redistribute_Connected_Tunnels standard permit 192.168.12.48 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.12.32 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.3.80 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.3.144 255.255.255.240
access-list Redistribute_Connected_Tunnels standard permit 192.168.12.64 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.3.80 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.3.144 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.12.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.3.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.0.0 255.255.0.0
access-list EIGRP_In_From_Core standard deny host 0.0.0.0
access-list EIGRP_In_From_Core standard permit any
ASA5520STL01# sh run crypto map
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set peer X.X.X.X
crypto map Outside_map 2 set transform-set ESP-AES-128-MD5
crypto map Outside_map 2 set reverse-route
crypto map Outside_map 3 match address Outside_cryptomap
crypto map Outside_map 3 set peer X.X.X.X
crypto map Outside_map 3 set transform-set ESP-AES-128-MD5
crypto map Outside_map 3 set reverse-route
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set peer X.X.X.X
crypto map Outside_map 4 set transform-set ESP-AES-128-SHA
crypto map Outside_map 4 set reverse-route
crypto map Outside_map 5 match address Outside_5_cryptomap
crypto map Outside_map 5 set peer X.X.X.X
crypto map Outside_map 5 set transform-set ESP-AES-128-SHA
crypto map Outside_map 5 set reverse-route
crypto map Outside_map interface Outside
ASA5520STL01# sh run router
router eigrp 100
no auto-summary
distribute-list EIGRP_In_From_Core in interface inside
network X.X.X.X X.X.X.X
passive-interface default
no passive-interface inside
redistribute static route-map Redistribute_Connected_Tunnels
ASA5520STL01# sh run route-map
route-map Redistribute_Connected_Tunnels permit 1
match ip address Redistribute_Connected_Tunnels
Working great now!
Darren
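Added example (not part of the thread above, and not code from either poster): a small Python model of how the EIGRP_In_From_Core standard ACL from the post is evaluated as a distribute-list, and why the first reply's guess of `0.0.0.0 0.0.0.0` would have denied everything. Two ASA facts drive it: ASA ACL masks are subnet masks, not IOS wildcard masks (so `host 0.0.0.0` is 0.0.0.0/32 and `0.0.0.0 0.0.0.0` is "any"), and a standard ACL used as a distribute-list is matched against the route's network address only, first match wins, implicit deny at the end. The function names, the `DenyDefault` ACL (rewritten here in standard-ACL form) and the `CORE_ROUTES` list are constructed for the example.

```python
import ipaddress

# Added example: model of an ASA *standard* ACL used as an EIGRP distribute-list.
# ASA masks are subnet masks (not wildcards): "host 0.0.0.0" == 0.0.0.0/32,
# "0.0.0.0 0.0.0.0" == any. Only the route's network address is checked, the
# prefix length is not; first matching entry wins; unmatched routes are denied.


def parse_entry(line):
    """Parse one 'access-list NAME standard {permit|deny} <match>' line."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "standard":
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, rest = tok[3], tok[4:]
    if rest == ["any"]:
        net, mask = "0.0.0.0", "0.0.0.0"          # any == 0.0.0.0/0
    elif rest[0] == "host":
        net, mask = rest[1], "255.255.255.255"    # host == /32
    else:
        net, mask = rest                           # "<net> <subnet-mask>"
    return action, ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_acl(text):
    """Parse a multi-line ACL into an ordered list of (action, network)."""
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def acl_action(acl, route):
    """Return 'permit' or 'deny' for a route such as '0.0.0.0/0'."""
    addr = ipaddress.ip_network(route, strict=False).network_address
    for action, match in acl:
        if addr in match:          # network address only, not the prefix length
            return action
    return "deny"                  # implicit deny at the end of every ACL


def filter_routes(acl_text, routes):
    """Map each received route to the verdict the distribute-list gives it."""
    acl = parse_acl(acl_text)
    return {r: acl_action(acl, r) for r in routes}


# The inbound distribute-list ACL from the post above.
EIGRP_IN_FROM_CORE = """
access-list EIGRP_In_From_Core standard deny 192.168.3.80 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.3.144 255.255.255.240
access-list EIGRP_In_From_Core standard deny 192.168.12.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.3.0 255.255.255.0
access-list EIGRP_In_From_Core standard deny 192.168.0.0 255.255.0.0
access-list EIGRP_In_From_Core standard deny host 0.0.0.0
access-list EIGRP_In_From_Core standard permit any
"""

# Constructed pitfall: with ASA mask semantics 0.0.0.0 0.0.0.0 is "any",
# so this first entry denies every route, not only the default route.
DENY_ANY_BY_MISTAKE = """
access-list DenyDefault standard deny 0.0.0.0 0.0.0.0
access-list DenyDefault standard permit any
"""

# Constructed sample of prefixes the core might advertise into EIGRP AS 100.
CORE_ROUTES = ["0.0.0.0/0", "192.168.3.80/28", "192.168.12.0/24",
               "192.168.5.0/24", "10.1.0.0/16", "172.16.0.0/12"]

if __name__ == "__main__":
    for name, acl in (("EIGRP_In_From_Core", EIGRP_IN_FROM_CORE),
                      ("DenyDefault (mistake)", DENY_ANY_BY_MISTAKE)):
        print(name)
        for route, verdict in filter_routes(acl, CORE_ROUTES).items():
            print(f"  {route:18} {verdict}")
```

With the posted ACL only 0.0.0.0/0 and the 192.168.0.0/16 space are dropped and everything else is accepted; with the `0.0.0.0 0.0.0.0` entry every route is dropped. The model is a sanity check on ACL ordering and mask semantics, not a substitute for confirming on the firewall with `show route` after the distribute-list is applied.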
02-28-2012 06:53 AM
Good to hear!
Please rate helpful posts....