02-02-2023 07:35 AM - edited 02-02-2023 07:53 AM
GIVEN: Tunnel using local 1.1.1.1, and remote 2.2.2.2, is active between local LAN 172.16.5.0/24 and remote LAN 172.16.9.0/24
GOAL: Inject EIGRP advertisement on local ASA1100, so that returning RESPONSE communication from local server 172.16.5.55 reaches the initial 172.16.9.99 remote server that sent the initial GET request.
(The remote network is not using EIGRP. I believe this fact is irrelevant to this situation. Please inform me if it is relevant.)
Is the correct config simply...
ASA1100#router eigrp 1
ASA1100#network 172.16.9.0 255.255.255.0
...?
May you please assist with CLI config, syntax?
Thank you.
02-05-2023 11:21 PM
2 observations:
1) we do not have enough information about your environment to give good advice about implementation details. In particular we do not know if the tunnel is a simple GRE tunnel, or a traditional ipsec tunnel using a crypto map, or an ipsec tunnel with VTI.
2) if the remote device is not running eigrp then I do not see how you can expect eigrp on your machine to inject a route for a subnet on the remote machine. Seems like a static route would be your best alternative.
02-06-2023 06:53 AM - edited 02-06-2023 07:49 AM
Thank you for your reply.
After thinking this through, I agree with you!
This link is helpful-- Redistribute Static Route into EIGRP in Cisco IOS Router (mustbegeek.com)
Two questions...
GIVEN:
MY_ENTERPRISE server subnet= 172.16.4.0/24
MY_ENTERPRISE ROUTER1 inside interface= 172.16.5.1/24
MY_ENTERPRISE ROUTER1 L2L tunnel outside interface= 1.1.1.1/30
VENDOR1 ROUTER2 L2L tunnel outside interface= 2.2.2.2/30
VENDOR1 ROUTER2 inside interface= 172.16.9.1/24
VENDOR1 server subnet= 172.16.8.0/24
QUESTION 1: If the MY_ENTERPRISE server data must successfully travel to VENDOR1 servers, what is the correct static route creation & redistribute CLI config?
Is it?...
Router1(config)#ip route 172.16.8.0 255.255.255.0 2.2.2.2
Router1(config)#router eigrp 1
Router1(config-router)#redistribute static metric 10000 0 255 1 1500
________
QUESTION 2: What would be the architectural config solution if the VENDOR1 network 172.16.8.0/24 already existed in MY_ENTERPRISE?
Thank you!
02-06-2023 08:14 AM - edited 02-06-2023 08:24 AM
@MicJameson1 I am assuming you are using a policy based VPN. You could use Reverse Route Injection (RRI) to dynamically populate your routing table with the remote network(s), as defined in the crypto ACL. These routes can then be redistributed to other devices in your network.
crypto map <CRYPTO MAP NAME> <SEQ NO> set reverse-route
02-06-2023 08:53 AM
If I input the below config, and nothing else, do you expect this routing task will be solved?
prefix-list VPN-NETWORKS-1 seq 10 permit 172.16.8.0/24
!
route-map VPN-ROUTES-1 permit 10
match ip address prefix-list VPN-NETWORKS-1
!
router eigrp 1
redistribute static subnets route-map VPN-ROUTES-1
!
crypto map VENDOR1-cryptomap-1 1 set reverse-route dynamic
Thank you!
02-06-2023 09:22 AM
@MicJameson1 that configuration would advertise those remote VPN networks to the ASA's EIGRP neighbour (the core switch?).
02-06-2023 10:00 AM
Ok, I'm going to execute this config. If I confirm task success I'll close this thread.
Thank you!
02-08-2023 05:35 PM
As change from original post...
GIVEN:
MY_ENTERPRISE server subnet= 172.16.4.0/24
MY_ENTERPRISE ROUTER1 inside interface= 172.16.5.1/24
MY_ENTERPRISE ROUTER1 L2L tunnel outside interface= 1.1.1.1/30
VENDOR1 ROUTER2 L2L tunnel outside interface= 2.2.2.2/30
VENDOR1 ROUTER2 inside interface= 172.16.9.1/24
VENDOR1 server subnet= <<inside UNKNOWN subnet behind 172.16.19.0/24>>
QUESTION: Can I still configure routing so that MY_ENTERPRISE server subnet return traffic will reach vendor servers in UNKNOWN subnet?
What would one possible successful config look like?
Thank you.
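The routing behaviour discussed across this thread (Reverse Route Injection deriving static routes from the crypto ACL, the prefix-list/route-map filter that decides which of those routes EIGRP redistributes, the longest-prefix-match lookup the ASA makes on return traffic, the second question about 172.16.8.0/24 already existing inside MY_ENTERPRISE, and the last question about a subnet the ASA has no route for) can be modelled in a few lines. The following Python is an added illustration, not code from the thread or from Cisco; it assumes the constructed addresses above (172.16.5.0/24 inside, 172.16.8.0/24 and 172.16.9.0/24 remote, peer 2.2.2.2), models only exact-match prefix-list entries (no ge/le), and uses Cisco's administrative distances (connected 0, static 1, EIGRP 90) to break ties between equal-length prefixes.

```python
"""Model of RRI + filtered redistribution + longest-prefix lookup.
Added illustration; addresses are the constructed values from the thread."""
import ipaddress
from dataclasses import dataclass

# Cisco administrative distances: lower wins when prefix lengths tie (assumption
# about what matters here; other sources are omitted).
DISTANCE = {"connected": 0, "static": 1, "rri": 1, "eigrp": 90}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str  # "connected", "static", "rri" or "eigrp"

    @property
    def distance(self):
        return DISTANCE[self.source]


def reverse_route_injection(crypto_acl, peer):
    """RRI model: one static route per remote (destination) network of each
    permit entry in the crypto ACL, pointing at the IPsec peer."""
    return [Route(ipaddress.ip_network(remote), peer, "rri")
            for _local, remote in crypto_acl]


def redistribute_static(routes, prefix_list):
    """Model of 'redistribute static subnets route-map ...' whose route-map
    matches a prefix-list: only static/RRI routes whose prefix exactly equals a
    permitted entry reach EIGRP (ge/le ranges are deliberately not modelled)."""
    permitted = {ipaddress.ip_network(p) for p in prefix_list}
    return [r for r in routes if r.source in ("static", "rri") and r.prefix in permitted]


def lookup(table, dst):
    """Forwarding decision: longest prefix match, then lowest administrative
    distance. Returns None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def build_asa(crypto_acl, prefix_list, extra_connected=()):
    """Assemble the ASA's table (inside LAN, any extra connected networks, RRI
    routes) and the subset of routes it would advertise to its EIGRP neighbour."""
    connected = [Route(ipaddress.ip_network("172.16.5.0/24"), "inside", "connected")]
    connected += [Route(ipaddress.ip_network(n), "inside", "connected")
                  for n in extra_connected]
    rri = reverse_route_injection(crypto_acl, "2.2.2.2")
    return connected + rri, redistribute_static(rri, prefix_list)


# Constructed crypto ACL: local LAN to both vendor networks named in the thread.
CRYPTO_ACL = [("172.16.5.0/24", "172.16.8.0/24"), ("172.16.5.0/24", "172.16.9.0/24")]
PREFIX_LIST = ["172.16.8.0/24"]  # prefix-list VPN-NETWORKS-1 seq 10 permit 172.16.8.0/24


def return_path_next_hop(dst, extra_connected=()):
    """Where the ASA sends a reply from 172.16.5.55 toward dst ('' if unroutable)."""
    table, _ = build_asa(CRYPTO_ACL, PREFIX_LIST, extra_connected)
    route = lookup(table, dst)
    return route.next_hop if route else ""


def advertised_prefixes():
    """Prefixes the EIGRP neighbour (e.g. the core switch) would learn."""
    _, adv = build_asa(CRYPTO_ACL, PREFIX_LIST)
    return sorted(str(r.prefix) for r in adv)


if __name__ == "__main__":
    print("reply to 172.16.9.99 ->", return_path_next_hop("172.16.9.99"))  # 2.2.2.2
    # The last post's unknown subnet: nothing in the crypto ACL covers it, so
    # neither RRI nor a static route gives the ASA anywhere to send the reply.
    print("reply to 172.16.19.99 ->", return_path_next_hop("172.16.19.99") or "no route")
    # Only the prefix-list entry is redistributed; 172.16.9.0/24 stays local to the ASA.
    print("advertised to EIGRP:", advertised_prefixes())  # ['172.16.8.0/24']
    # Question 2: with 172.16.8.0/24 also connected inside MY_ENTERPRISE, the
    # connected route (distance 0) beats the RRI route, so the tunnel is never used.
    print("reply to 172.16.8.5 with local overlap ->",
          return_path_next_hop("172.16.8.5", extra_connected=["172.16.8.0/24"]))  # inside
```

The two checks worth keeping in mind from the model: the redistribution filter controls only what the EIGRP neighbour learns, not what the ASA itself can reach, and an overlapping local prefix silently wins over the VPN route rather than producing an error.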