02-06-2014 06:30 AM - edited 03-04-2019 10:16 PM
Hi,
I have this 5520 and a router.
The ASA is a VPN endpoint, so let's assume 10 VPNs terminate there and the ASA has 10 different static routes because of the VPNs.
I want to advertise these 10 routes into my core router instead of putting manual static entries in my core.
So the ASA has 10 x 10.50.0.0/24 subnets, let's say 10.50.0.0, 10.50.1.0, 10.50.2.0 and so on.
This is my config on the ASA:
access-list EIGRP-DISTRIBUTE-LIST-IN standard deny any
access-list EIGRP-DISTRIBUTE-LIST-OUT standard permit 10.50.0.0 255.255.0.0
access-list EIGRP-DISTRIBUTE-LIST-OUT standard deny any
router eigrp 77
no auto-summary
distribute-list EIGRP-DISTRIBUTE-LIST-OUT out interface inside
distribute-list EIGRP-DISTRIBUTE-LIST-IN in interface inside
network 10.50.0.0 255.255.0.0
network 10.100.100. 255.255.255.0
passive-interface default
redistribute static
So basically I want to send the spoke VPN subnets into my core router. I want no routes from the core.
So when I do show ip route eigrp 77 on the core, I only see 1 route to 10.50.0.0/16, even though I tell the ASA not to summarize.
This is my config on my core:
access-list 77 deny any
router eigrp 77
distribute-list 77 out GigabitEthernet0/0/1
network 10.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/0/1
Thanks for any help.
02-06-2014 07:00 AM
You are only allowing that specific network to be advertised out to the core with your distribute list.
The ACL will do a specific match on the prefix and the mask used. If you want to advertise just the subnets and not the summary address, then you would need to modify your ACL to have one entry per subnet and not include the summary address as an entry.
Jon
02-06-2014 07:45 AM
I don't know...
I ran a test on a 9.x version of the ASA with an 1811 router.
I did this setup on the ASA:
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 11
nameif DMZ1
security-level 0
ip address 10.64.0.1 255.255.255.224
!
interface GigabitEthernet0/2.2
vlan 12
nameif DMZ2
security-level 0
ip address 10.64.0.33 255.255.255.224
!
interface GigabitEthernet0/2.3
vlan 13
nameif DMZ3
security-level 0
ip address 10.64.0.65 255.255.255.224
!
interface GigabitEthernet0/2.4
vlan 14
nameif DMZ4
security-level 0
ip address 10.64.0.97 255.255.255.224
!
interface GigabitEthernet0/2.5
vlan 15
nameif DMZ5
security-level 0
ip address 10.64.0.129 255.255.255.224
Then I ran EIGRP between the ASA and the router.
Here is the setup on the ASA:
router eigrp 77
no auto-summary
distribute-list EIGRP-DISTRIBUTE-LIST-OUT out interface inside
distribute-list EIGRP-DISTRIBUTE-LIST-IN in interface inside
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
redistribute static
access-list EIGRP-DISTRIBUTE-LIST-IN standard deny any4
access-list EIGRP-DISTRIBUTE-LIST-OUT standard permit 10.64.0.0 255.255.0.0
access-list EIGRP-DISTRIBUTE-LIST-OUT standard permit 10.65.0.0 255.255.0.0
access-list EIGRP-DISTRIBUTE-LIST-OUT standard deny any4
This worked just fine: on the Cisco router, when I do a show route, I see all the 10.64.x.x networks and not just 10.64.0.0/16.
(I wonder if it's something with the ASA version... on this one I run 9.x, on the other one I run 8.2.)
02-06-2014 07:50 AM
Maybe I'm wrong then, but usually with an ACL it is a specific match, i.e. if you wanted to include the subnets as well you would use a prefix list.
I noticed in your original configuration you had not added the "no passive-interface inside" command, but I assumed that was just a typo as the core switch was getting the summary route.
Jon
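To make the filter question in this thread concrete (Jon's point about ACL matching and the result of the 9.x test above), here is a small model of the two filter types. It is an added example written for this page, not code from the posts or from Cisco. It assumes the documented IOS/ASA semantics: a standard ACL used in a distribute-list compares only the route's network address with each entry's address and mask and ignores the route's prefix length, while a prefix-list also checks the length (exactly, unless ge/le bounds are given). The route table and the two prefix-list entries are constructed sample data; the two ACLs mirror the ones in the question.

```python
"""Model of route filtering for a distribute-list.

Added example for this thread, not code from the original posts or from
Cisco. Two filter types are modelled with their documented matching rules:

  * a standard ACL (what `distribute-list <acl> out` on the ASA uses):
    only the route's network address is compared with each entry's
    address/mask; the route's prefix length is not checked;
  * a prefix-list: the address must fall inside the entry's prefix AND the
    prefix length must be within the entry's ge/le bounds (exact length
    when neither bound is given).

First match wins in both; an unmatched route hits the implicit deny.
All routes and prefix-list entries below are constructed sample data.
"""
from ipaddress import IPv4Network
from typing import List, Optional, Sequence, Tuple


class StdAcl:
    """Standard ACL built from (action, address, subnet-mask) entries."""

    def __init__(self, entries: Sequence[Tuple[str, str, str]]) -> None:
        self.entries = [
            (action, IPv4Network(f"{addr}/{mask}", strict=False))
            for action, addr, mask in entries
        ]

    def permits(self, route: IPv4Network) -> bool:
        for action, match in self.entries:
            # Only the network address is tested; route.prefixlen is ignored.
            if route.network_address in match:
                return action == "permit"
        return False  # implicit deny


class PrefixList:
    """Prefix-list built from (action, prefix, ge, le) entries."""

    def __init__(
        self, entries: Sequence[Tuple[str, str, Optional[int], Optional[int]]]
    ) -> None:
        self.entries = []
        for action, prefix, ge, le in entries:
            net = IPv4Network(prefix)
            low = ge if ge is not None else net.prefixlen
            # With only ge given, the upper bound is the address length (32).
            high = le if le is not None else (32 if ge is not None else net.prefixlen)
            self.entries.append((action, net, low, high))

    def permits(self, route: IPv4Network) -> bool:
        for action, net, low, high in self.entries:
            if route.network_address in net and low <= route.prefixlen <= high:
                return action == "permit"
        return False  # implicit deny


def filter_routes(filt, routes: Sequence[IPv4Network]) -> List[str]:
    """Return the routes (as strings) that the filter would let through."""
    return [str(r) for r in routes if filt.permits(r)]


# Constructed route table: the ten spoke /24s from the question, the /16
# summary the core ended up seeing, one unrelated /24 and the inside /24.
SPOKE_ROUTES = [IPv4Network(f"10.50.{i}.0/24") for i in range(10)]
SAMPLE_ROUTES = SPOKE_ROUTES + [
    IPv4Network("10.50.0.0/16"),
    IPv4Network("10.51.0.0/24"),
    IPv4Network("10.100.100.0/24"),
]

# The two ACLs from the question (ASA standard ACLs use subnet masks).
OUT_ACL = StdAcl([("permit", "10.50.0.0", "255.255.0.0"),
                  ("deny", "0.0.0.0", "0.0.0.0")])
IN_ACL = StdAcl([("deny", "0.0.0.0", "0.0.0.0")])

# Hypothetical prefix-list alternatives (assumed for illustration, not from
# the thread): the exact /16 only, and only the /24s inside 10.50.0.0/16.
PL_EXACT_16 = PrefixList([("permit", "10.50.0.0/16", None, None)])
PL_SPOKES_ONLY = PrefixList([("permit", "10.50.0.0/16", 24, 24)])


if __name__ == "__main__":
    for name, filt in [("OUT_ACL", OUT_ACL), ("IN_ACL", IN_ACL),
                       ("PL_EXACT_16", PL_EXACT_16),
                       ("PL_SPOKES_ONLY", PL_SPOKES_ONLY)]:
        print(f"{name}: {filter_routes(filt, SAMPLE_ROUTES)}")
```

Run against the sample table, the question's OUT list lets all ten /24s and the /16 through, which is consistent with the 9.x test above where every 10.64.x.x network arrived at the router. A prefix-list entry for 10.50.0.0/16 with no ge/le passes only the /16, and `ge 24 le 24` passes only the spoke /24s, so the length bounds are what decide whether a summary can slip through. The inbound deny any passes nothing, which is the "no routes from the core" the question asks for.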