05-16-2024 01:18 PM
Looking for recommendations for routing traffic from the ASA back to a router on the "inside" network so we do not have to add static routes on systems. We recently added an ASR1001 to our "inside" network that routes traffic to Amazon through a Megaport link that is established to the AWS Direct Connect cloud. I add static routes to servers, but we have a mix of equipment and I don't want to manually do this hundreds of times. The servers' default route is the ASA; the ASA has a static route to the AWS networks back behind the ASR, but none of the systems can reach it unless I specifically add the network to the routing table on the system. If I enable a routing protocol on the ASA, does anyone have an idea of the load increase it might add? Currently we have a 5555 pair and the processors run consistently between 60 and 85%. If a routing protocol is feasible, which one would any of you recommend and why?
Thanks for your input!
05-16-2024 01:48 PM
85% is high.
A light IGP is EIGRP, which can do some summarization in the device.
MHM
05-16-2024 01:58 PM
The ASA 5555 has a good processor. For an open standard I always suggest OSPF, and configure a default route so most of the routes are learned automatically.
Again, it also needs to be understood why the load is 85%; is this expected? Always go with stable code: some of the bugs are fixed and reduce the load on the CPU.
05-16-2024 02:53 PM
If we knew more about this environment we could offer better advice. How many routing devices are in this network? The OP mentions ASA and ASR1001. Are there other routing devices? How many networks/subnets are in this environment? Are there any routing devices that are not Cisco? If so then the obvious choice for protocol would be OSPF. If all Cisco then I would suggest EIGRP.
05-17-2024 11:02 AM
Thanks for the responses everyone, all very valuable and appreciated. To give more detail: we have all Cisco (2 LOL) for routing devices, literally only an ASR 1001-X and an ASA 5555 pair. Everything else networking-wise is switches: HP5700 (12) / HP5500 (5) and FortiSwitch (1). 150+ servers (Oracle DBs and Xen hypervisors), tons of VMs and miscellaneous services running. There are 4 subnets that need to reach the AWS Direct Connect environment.
Here is a drawing:
05-17-2024 11:54 AM
What are the major gotchas to watch for if I enable EIGRP on the ASA? I want to make sure I do not route default Internet traffic in the wrong direction towards AWS-DC.
05-17-2024 05:59 PM - edited 05-17-2024 06:27 PM
ASA routing table. I am receiving routes from the ASR:
Gateway of last resort is 65.203.136.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [5/0] via 65.203.136.1, outside-VZ
C 10.1.0.0 255.255.254.0 is directly connected, dmz
L 10.1.1.1 255.255.255.255 is directly connected, dmz
C 10.10.2.0 255.255.255.0 is directly connected, uat
L 10.10.2.1 255.255.255.255 is directly connected, uat
D EX 10.22.0.0 255.255.0.0 [170/3072] via 192.168.51.249, 00:02:10, inside
D EX 10.31.0.0 255.255.0.0 [170/3072] via 10.1.0.4, 00:02:10, dmz (why dmz?)
D EX 10.32.0.0 255.255.0.0 [170/3072] via 10.1.0.4, 00:02:10, dmz
D EX 10.33.0.0 255.255.0.0 [170/3072] via 10.1.0.4, 00:02:10, dmz
C 10.100.100.0 255.255.255.248 is directly connected, failover
L 10.100.100.1 255.255.255.255 is directly connected, failover
D EX 169.254.38.180 255.255.255.252 [170/3072] via 192.168.51.249, 00:02:11, inside
C 192.168.50.0 255.255.254.0 is directly connected, inside
L 192.168.50.1 255.255.255.255 is directly connected, inside
prod/pri/act#
ASA Config
router eigrp 1
neighbor 192.168.51.249 interface inside
network 10.1.0.0 255.255.254.0
network 10.10.2.0 255.255.255.0
network 192.168.50.0 255.255.254.0
passive-interface outside-CL
passive-interface outside-VZ
passive-interface outside-CX
ASA Show commands
prod/pri/act# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(1)/ID(192.168.50.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.33.0.0 255.255.0.0, 1 successors, FD is 3072, tag is 64513
via 10.1.0.4 (3072/512), dmz
via 10.10.2.4 (3072/512), uat
via 192.168.51.249 (3072/512), inside
P 10.22.0.0 255.255.0.0, 1 successors, FD is 3072, tag is 64513
via 192.168.51.249 (3072/512), inside
via 10.10.2.4 (3072/512), uat
via 10.1.0.4 (3072/512), dmz
P 10.10.2.0 255.255.255.0, 1 successors, FD is 2816
via Connected, uat
via 192.168.51.249 (3072/512), inside
via 10.1.0.4 (3072/512), dmz
P 169.254.38.180 255.255.255.252, 1 successors, FD is 3072
via 192.168.51.249 (3072/512), inside
via 10.10.2.4 (3072/512), uat
via 10.1.0.4 (3072/512), dmz
P 10.1.0.0 255.255.254.0, 1 successors, FD is 2816
via Connected, dmz
via 10.10.2.4 (3072/512), uat
via 192.168.51.249 (3072/512), inside
P 192.168.50.0 255.255.254.0, 1 successors, FD is 2816
via Connected, inside
via 10.10.2.4 (3072/512), uat
via 10.1.0.4 (3072/512), dmz
P 10.32.0.0 255.255.0.0, 1 successors, FD is 3072, tag is 64513
via 10.1.0.4 (3072/512), dmz
via 10.10.2.4 (3072/512), uat
via 192.168.51.249 (3072/512), inside
P 10.31.0.0 255.255.0.0, 1 successors, FD is 3072, tag is 64513
via 10.1.0.4 (3072/512), dmz
via 10.10.2.4 (3072/512), uat
via 192.168.51.249 (3072/512), inside
prod/pri/act# sh eigrp ?
<1-65535> Autonomous System
events Events logged
interfaces interfaces
neighbors Neighbors
topology Select Topology
traffic Traffic Statistics
prod/pri/act# sh eigrp in
prod/pri/act# sh eigrp interfaces
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
uat 1 0 / 0 1592 0 / 1 7961 0
dmz 1 0 / 0 1 0 / 1 50 0
inside 1 0 / 0 1 0 / 1 50 0
prod/pri/act# sh eigrp nei
prod/pri/act# sh eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 10.10.2.4 uat 13 00:40:16 1592 5000 0 17
1 10.1.0.4 dmz 10 00:55:49 1 200 0 16
0 192.168.51.249 inside 11 01:35:29 1 200 0 15
prod/pri/act# sh eigrp tr
prod/pri/act# sh eigrp traffic
EIGRP-IPv4 Traffic Statistics for AS(1)
Hellos sent/received: 12978/2717
Updates sent/received: 16/13
Queries sent/received: 0/4
Replies sent/received: 4/0
Acks sent/received: 16/17
SIA-Queries sent/received: 0/0
SIA-Replies sent/received: 0/0
Hello Process ID: 2845826800
PDM Process ID: 2845827728
Socket Queue:
Input Queue: 0/2000/2/0 (current/max/highest/drops)
prod/pri/act#
I try to ping from a Windows host on the inside network that has only a default route to the ASA; no response from the ASR BGP interface 169.254.38.182 or anything else upstream.
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::41f:2869:57d2:1c2f%12
IPv4 Address. . . . . . . . . . . : 192.168.50.92
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 192.168.50.1
C:\Users\jroy>ping 169.254.38.182
Pinging 169.254.38.182 with 32 bytes of data:
Reply from 192.168.50.92: Destination host unreachable.
Reply from 192.168.50.92: Destination host unreachable.
Reply from 192.168.50.92: Destination host unreachable.
Ping statistics for 169.254.38.182:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Control-C
^C
C:\Users\jroy>route print
===========================================================================
Interface List
12...de 02 ab 41 f5 b5 ......Realtek RTL8139C+ Fast Ethernet NIC
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.50.1 192.168.50.92 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.50.0 255.255.254.0 On-link 192.168.50.92 276
192.168.50.92 255.255.255.255 On-link 192.168.50.92 276
192.168.51.255 255.255.255.255 On-link 192.168.50.92 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.50.92 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.50.92 276
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.50.1 Default
0.0.0.0 0.0.0.0 192.168.50.1 Default
===========================================================================
C:\Users\jroy>
ASR config:
router eigrp 1
default-metric 10000000 1 255 1 1500
network 10.1.0.0 0.0.1.255
network 10.10.2.0 0.0.0.255
network 192.168.50.0 0.0.1.255
redistribute bgp 64514
neighbor 192.168.50.1 TenGigabitEthernet0/0/1
!
router bgp 64514
bgp log-neighbor-changes
neighbor 169.254.38.181 remote-as 64513
neighbor 169.254.38.181 password 7 7777777
!
address-family ipv4
network 169.254.38.180 mask 255.255.255.252
network 192.168.50.0 mask 255.255.254.0
redistribute eigrp 1
neighbor 169.254.38.181 activate
exit-address-family
!
ip default-gateway 192.168.50.1
AWS-DC-RTR#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 8 subnets, 4 masks
C 10.1.0.0/23 is directly connected, TenGigabitEthernet0/0/1.4
L 10.1.0.4/32 is directly connected, TenGigabitEthernet0/0/1.4
C 10.10.2.0/24 is directly connected, TenGigabitEthernet0/0/1.35
L 10.10.2.4/32 is directly connected, TenGigabitEthernet0/0/1.35
B 10.22.0.0/16 [20/0] via 169.254.38.181, 1w4d
B 10.31.0.0/16 [20/0] via 169.254.38.181, 1w4d
B 10.32.0.0/16 [20/0] via 169.254.38.181, 1w4d
B 10.33.0.0/16 [20/0] via 169.254.38.181, 1w4d
169.254.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 169.254.38.180/30 is directly connected, TenGigabitEthernet0/0/0.2900
L 169.254.38.182/32 is directly connected, TenGigabitEthernet0/0/0.2900
C 192.168.50.0/23 is directly connected, TenGigabitEthernet0/0/1
192.168.51.0/32 is subnetted, 1 subnets
L 192.168.51.249 is directly connected, TenGigabitEthernet0/0/1
AWS-DC-RTR#
I see no routes learned from the ASA on the ASR.
05-18-2024 05:28 AM
ASA
router eigrp 1
neighbor 192.168.51.249 interface inside
network 10.1.0.0 255.255.254.0 <<- DMZ forms a neighbor with the ASR via the DMZ interface; you don't configure it as passive
network 10.10.2.0 255.255.255.0
network 192.168.50.0 255.255.254.0
passive-interface outside-CL
passive-interface outside-VZ
passive-interface outside-CX
ASR
router eigrp 1
default-metric 10000000 1 255 1 1500
network 10.1.0.0 0.0.1.255
network 10.10.2.0 0.0.0.255
network 192.168.50.0 0.0.1.255
redistribute bgp 64514
neighbor 192.168.50.1 TenGigabitEthernet0/0/1
MHM
05-19-2024 02:14 PM
Forgive me, I don't understand. Are you saying I should set dmz interface as passive?
prod/pri/act(config)# router eigrp 1
prod/pri/act(config-router)# passive-interface ?
router_eigrp_classic mode commands/options:
Current available interface(s):
default Suppress routing updates on all interfaces
dmz Name of interface Port-channel1
inside Name of interface Port-channel2
outside-CL Name of interface GigabitEthernet0/0
outside-CX Name of interface GigabitEthernet0/6
outside-VZ Name of interface GigabitEthernet0/1
uat Name of interface GigabitEthernet0/6.1
prod/pri/act(config-router)#
05-19-2024 09:02 PM
Yes, friend.
The ASA connects to the ASR via inside and dmz, and ASA EIGRP prefers dmz over inside to learn prefixes.
You can make dmz passive, and this makes the ASA prefer inside to learn prefixes from the ASR.
MHM
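As an added check that is not from any of the thread's posters: a small Python script that parses the ASA "show route" output posted earlier and flags the two conditions discussed in this thread, the default route no longer exiting the Internet-facing interface, and EIGRP-learned AWS prefixes installed via dmz instead of inside. The sample table is copied from the thread and trimmed; interface names are assumed to match the posted configuration.

```python
import re
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    code: str       # e.g. "S*", "C", "D EX"
    prefix: str
    mask: str
    interface: str  # nameif of the egress interface

# Trimmed copy of the ASA "show route" output posted in this thread.
ASA_SHOW_ROUTE = """\
Gateway of last resort is 65.203.136.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [5/0] via 65.203.136.1, outside-VZ
C 10.1.0.0 255.255.254.0 is directly connected, dmz
D EX 10.22.0.0 255.255.0.0 [170/3072] via 192.168.51.249, 00:02:10, inside
D EX 10.31.0.0 255.255.0.0 [170/3072] via 10.1.0.4, 00:02:10, dmz
D EX 10.32.0.0 255.255.0.0 [170/3072] via 10.1.0.4, 00:02:10, dmz
D EX 10.33.0.0 255.255.0.0 [170/3072] via 10.1.0.4, 00:02:10, dmz
C 192.168.50.0 255.255.254.0 is directly connected, inside
"""

# Code, prefix, mask, then whatever follows up to the final ", <interface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+(?: EX)?)\s+(?P<prefix>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})"
    r".*?,\s*(?P<iface>[\w-]+)\s*$"
)

def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["code"], m["prefix"], m["mask"], m["iface"]))
    return routes

def default_route_interface(routes: List[Route]) -> Optional[str]:
    for r in routes:
        if r.prefix == "0.0.0.0" and r.mask == "0.0.0.0":
            return r.interface
    return None

def misplaced_eigrp_routes(routes: List[Route], expected_iface: str = "inside") -> List[str]:
    """Prefixes learned by EIGRP (code D / D EX) whose next hop is not on expected_iface."""
    return [r.prefix for r in routes if r.code.startswith("D") and r.interface != expected_iface]

def check_routing(text: str, internet_iface: str = "outside-VZ", eigrp_iface: str = "inside") -> List[str]:
    """Return human-readable findings; an empty list means the table looks as intended."""
    routes = parse_routes(text)
    findings = []
    egress = default_route_interface(routes)
    if egress != internet_iface:
        findings.append(f"default route exits via {egress!r}, expected {internet_iface!r}")
    for prefix in misplaced_eigrp_routes(routes, eigrp_iface):
        findings.append(f"EIGRP route {prefix} is installed via an interface other than {eigrp_iface!r}")
    return findings
```

Run against the posted table it reports the three AWS prefixes sitting on dmz; after "passive-interface dmz" those lines should disappear while the default route still points at outside-VZ.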
05-20-2024 12:26 PM
OK, that worked. Now I am experiencing another issue. I am unable to ping a host upstream from the ASA. Traceroute from a Windows machine says it is there, but ping from the same Windows machine gives the following.
C:\Users\jroy>tracert -d 10.32.0.1
Tracing route to 10.32.0.1 over a maximum of 30 hops
1 1 ms * 1 ms 192.168.50.1
2 2 ms 1 ms 2 ms 192.168.51.249
3 29 ms 29 ms 29 ms 169.254.38.181
4 ^C
C:\Users\jroy>ping 169.254.38.181
Pinging 169.254.38.181 with 32 bytes of data:
Reply from 192.168.50.92: Destination host unreachable.
Reply from 192.168.50.92: Destination host unreachable.
Reply from 192.168.50.92: Destination host unreachable.
Ping statistics for 169.254.38.181:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Control-C
^C
C:\Users\jroy>
C:\Users\jroy>
C:\Users\jroy>tracert -d 169.254.38.181
Tracing route to 169.254.38.181 over a maximum of 30 hops
1 192.168.50.92 reports: Destination host unreachable.
Trace complete.
C:\Users\jroy>
C:\Users\jroy>tracert -d 169.254.38.181
Tracing route to 169.254.38.181 over a maximum of 30 hops
1 192.168.50.92 reports: Destination host unreachable.
Trace complete.
C:\Users\jroy>
05-20-2024 12:31 PM
Do you ping the ASA from the PC,
or do you ping the PC from the ASA?
MHM
05-21-2024 08:52 AM
Ping to a host on AWS from the PC. The default route on the PC is to the ASA; the ASA has routes to the AWS hosts.
05-21-2024 03:03 PM
I have been away from this discussion for several days and need to catch up. But first I want to comment on the post which attempts to ping/tracert to 169.254.38.181. Ping or tracert to this address will not work. Network 169.254 is a reserved network. There are no routes to this network. A device might use that address as a source in its response to your trace, but as a destination address it will NOT work.
I am not sure what the issues here are, but do not spend any more time wondering about access to 169.254.
05-20-2024 01:12 PM
The original goal is to allow hosts on my three subnets (3 different VLANs) to reach all the way back into the AWS network through the ASR 1001 without placing static routes on each host. Did my understanding get this totally wrong?
TIA