Re: ASA1100 CLI EIGRP- config return tunneled route to remote server..

jmaxwellUSAF · ‎02-02-2023

GIVEN: Tunnel using local 1.1.1.1, and remote 2.2.2.2, is active between local LAN 172.16.5.0/24 and remote LAN 172.16.9.0/24

GOAL: Inject EIGRP advertisement on local ASA1100, so that returning RESPONSE communication from local server 172.16.5.55 reaches the initial 172.16.9.99 remote server that sent the initial GET request.

(The remote network is not using EIGRP. I believe this fact is irrelevant to this situation. Please inform me if it is relevant.)

Is the correct config simply...
ASA1100#router eigrp 1
ASA1100#network 172.16.9.0 255.255.255.0
...?

May you please assist with CLI config, syntax?

Thank you.

Richard Burts · ‎02-05-2023

2 observations:

1) we do not have enough information about your environment to give good advice about implementation details. In particular we do not know if the tunnel is a simple GRE tunnel, or a traditional ipsec tunnel using a crypto map, or an ipsec tunnel with VTI.

2) if the remote device is not running eigrp then I do not see how you can expect eigrp on your machine to inject a route for a subnet on the remote machine. Seems like a static route would be your best alternative.

HTH

Rick

jmaxwellUSAF · ‎02-06-2023

Thank you for your reply.

After thinking this though, I agree with you!

This link is helpful-- Redistribute Static Route into EIGRP in Cisco IOS Router (mustbegeek.com)

Two questions...

GIVEN:
MY_ENTERPRISE server subnet= 172.16.4.0/24
MY_ENTERPRISE ROUTER1 inside interface= 172.16.5.1/24
MY_ENTERPRISE ROUTER1 L2L tunnel outside interface= 1.1.1.1/30
VENDOR1 ROUTER2 L2L tunnel outside interface= 2.2.2.2/30
VENDOR1 ROUTER2 inside interface= 172.16.9.1/24
VENDOR1 server subnet= 172.16.8.0/24

QUESTION 1: If the MY_ENTERPRISE server data must successfully travel to VENDOR1 servers, what is the correct static route creation & redistribute CLI config?
Is it?...

Router1(config)#ip route 172.16.8.0 255.255.255.0 2.2.2.2
Router1(config)#router eigrp 1
Router1(config-router)#redistribute static metric 10000 0 255 1 1500
________

QUESTION 2: What would be the architectural config solution if the VENDOR1 network 172.16.8.0/24 already existed in MY_ENTERPRISE?

Thank you!

Rob Ingram · ‎02-06-2023

@jmaxwellUSAF I am assuming you are using a policy based VPN. You could use Reverse Route Injection (RRI) to dynamically populate your routing table with the remote network(s), as defined in the crypto ACL. These routes can then be redistributed to other devices in your network.

crypto map <CRYPTO MAP NAME> <SEQ NO> set reverse-route

Example

jmaxwellUSAF · ‎02-06-2023

If I input the below config, and nothing else, do you expect this routing task will be solved?

prefix-list VPN-NETWORKS-1 seq 10 permit 172.16.8.0/24
!
route-map VPN-ROUTES-1 permit 10
match ip address prefix-list VPN-NETWORKS-1
!
router eigrp 1
redistribute static subnets route-map VPN-ROUTES-1
!
crypto map VENDOR1-cryptomap-1 1 set reverse-route dynamic

Thank you!

Rob Ingram · ‎02-06-2023

@jmaxwellUSAF that configuration would advertise those remote VPN networks to the ASA's EIGRP neighbour (the core switch?).

jmaxwellUSAF · ‎02-06-2023

Ok, I'm going to execute this config. If I confirm task success I'll close this thread.

Thank you!

jmaxwellUSAF · ‎02-08-2023

As change from original post...

GIVEN:
MY_ENTERPRISE server subnet= 172.16.4.0/24
MY_ENTERPRISE ROUTER1 inside interface= 172.16.5.1/24
MY_ENTERPRISE ROUTER1 L2L tunnel outside interface= 1.1.1.1/30
VENDOR1 ROUTER2 L2L tunnel outside interface= 2.2.2.2/30
VENDOR1 ROUTER2 inside interface= 172.16.9.1/24
VENDOR1 server subnet= <<inside UNKNOWN subnet behind 172.16.19.0/24>>

QUESTION: Can I still configure routing so that MY_ENTERPRISE server subnet return traffic will reach vendor servers in UNKNOWN subnet?

What would one possible successful config look like?

Thank you.

ASA1100 CLI EIGRP- config return tunneled route to remote server...