cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
628
Views
15
Helpful
7
Replies

ASA1100 CLI EIGRP- config return tunneled route to remote server...

GIVEN: Tunnel using local 1.1.1.1, and remote 2.2.2.2, is active between local LAN 172.16.5.0/24 and remote LAN 172.16.9.0/24

GOAL: Inject EIGRP advertisement on local ASA1100, so that returning RESPONSE communication from local server 172.16.5.55 reaches the initial 172.16.9.99 remote server that sent the initial GET request.

(The remote network is not using EIGRP. I believe this fact is irrelevant to this situation. Please inform me if it is relevant.)

Is the correct config simply...
ASA1100#router eigrp 1
ASA1100#network 172.16.9.0 255.255.255.0
...?

May you please assist with CLI config, syntax?

Thank you.

7 Replies 7

Richard Burts
Hall of Fame
Hall of Fame

2 observations:

1) we do not have enough information about your environment to give good advice about implementation details. In particular we do not know if the tunnel is a simple GRE tunnel, or a traditional ipsec tunnel using a crypto map, or an ipsec tunnel with VTI.

2) if the remote device is not running eigrp then I do not see how you can expect eigrp on your machine to inject a route for a subnet on the remote machine. Seems like a static route would be your best alternative.

HTH

Rick

Thank you for your reply.

After thinking this though, I agree with you!

This link is helpful-- Redistribute Static Route into EIGRP in Cisco IOS Router (mustbegeek.com)

Two questions...

GIVEN:
MY_ENTERPRISE server subnet= 172.16.4.0/24
MY_ENTERPRISE ROUTER1 inside interface= 172.16.5.1/24
MY_ENTERPRISE ROUTER1 L2L tunnel outside interface= 1.1.1.1/30
VENDOR1            ROUTER2 L2L tunnel outside interface= 2.2.2.2/30
VENDOR1            ROUTER2 inside interface= 172.16.9.1/24
VENDOR1            server subnet= 172.16.8.0/24

QUESTION 1: If the MY_ENTERPRISE server data must successfully travel to VENDOR1 servers, what is the correct static route creation & redistribute CLI config?
Is it?...

Router1(config)#ip route 172.16.8.0 255.255.255.0 2.2.2.2
Router1(config)#router eigrp 1
Router1(config-router)#redistribute static metric 10000 0 255 1 1500
________

QUESTION 2: What would be the architectural config solution if the VENDOR1 network 172.16.8.0/24 already existed in MY_ENTERPRISE?

Thank you!

@jmaxwellUSAF I am assuming you are using a policy based VPN. You could use Reverse Route Injection (RRI) to dynamically populate your routing table with the remote network(s), as defined in the crypto ACL. These routes can then be redistributed to other devices in your network.

crypto map <CRYPTO MAP NAME> <SEQ NO> set reverse-route 

 Example

If I input the below config, and nothing else, do you expect this routing task will be solved?

prefix-list VPN-NETWORKS-1 seq 10 permit 172.16.8.0/24
!
route-map VPN-ROUTES-1 permit 10
    match ip address prefix-list VPN-NETWORKS-1
!
router eigrp 1
    redistribute static subnets route-map VPN-ROUTES-1
!
crypto map VENDOR1-cryptomap-1 1 set reverse-route dynamic

Thank you!

@jmaxwellUSAF that configuration would advertise those remote VPN networks to the ASA's EIGRP neighbour (the core switch?).

Ok, I'm going to execute this config. If I confirm task success I'll close this thread.

Thank you!

As change from original post...

GIVEN:
MY_ENTERPRISE server subnet= 172.16.4.0/24
MY_ENTERPRISE ROUTER1 inside interface= 172.16.5.1/24
MY_ENTERPRISE ROUTER1 L2L tunnel outside interface= 1.1.1.1/30
VENDOR1            ROUTER2 L2L tunnel outside interface= 2.2.2.2/30
VENDOR1            ROUTER2 inside interface= 172.16.9.1/24
VENDOR1            server subnet= <<inside UNKNOWN subnet behind 172.16.19.0/24>>

QUESTION: Can I still configure routing so that MY_ENTERPRISE server subnet return traffic will reach vendor servers in UNKNOWN subnet?

What would one possible successful config look like? 

Thank you.

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: