12-15-2017 01:06 AM - edited 03-05-2019 09:39 AM
Hello,
I have an ASA 5508X where I redistribute EIGRP (company network) into BGP (VPN s2s networks - branches). On the ASA I have tunnels between sites using VTI with BGP routing. In EIGRP I have the default route to the company network. EIGRP must redistribute the default gateway to BGP, and here is the problem. On the ASA I have a static default route to the ISP provider, and the default static route from the ASA is replaced in EIGRP and next in BGP on the ASA. How can I exclude the ASA static default route from EIGRP and BGP on the ASA? Route map? In BGP there should be only the default route from EIGRP.
My configuration on ASA:
router eigrp 20
 eigrp router-id 17.17.17.17
 network 10.10.3.0 255.255.255.248
 passive-interface default
 no passive-interface MENet
 redistribute bgp 65510 metric 1000 10 255 1 1500
!
router bgp 65510
 bgp log-neighbor-changes
 bgp router-id 10.10.10.10
 address-family ipv4 unicast
  neighbor 10.10.17.6 remote-as 65510
  neighbor 10.10.17.6 timers 5 20 20
  neighbor 10.10.17.6 activate
  neighbor 10.10.17.70 remote-as 65510
  neighbor 10.10.17.70 timers 5 20 20
  neighbor 10.10.17.70 activate
  neighbor 10.10.17.70 default-originate
  network 10.10.3.0 mask 255.255.255.0
  network 10.10.17.0 mask 255.255.255.192
  network 10.10.17.64 mask 255.255.255.192
  bgp redistribute-internal
  redistribute eigrp 20
  no auto-summary
  no synchronization
 exit-address-family
route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1
Result of sh route on the ASA, where the static default route is to the ISP:
sh route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0
D 10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 1d20h, MENet
D 10.10.4.0 255.255.255.0 [90/1405440] via 10.10.3.1, 1w1d, MENet

sh route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0
B 10.10.21.0 255.255.255.192 [200/0] via 10.10.17.70, 19:46:26
B 10.10.21.64 255.255.255.192 [200/0] via 10.10.17.6, 1d12h
Please help me.
12-15-2017 07:48 PM
12-16-2017 05:03 AM
Hello,
Thanks. I tested it and it doesn't work.
I removed the static default route from the ASA:
route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1
And I added on the ASA only a route directly to one site:
route outside 195.150.12.XX 255.255.255.248 213.216.110.XXX 1
And now I received the correct default route (D*EX) from EIGRP. It is the correct default route for my sites.
sh route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.10.3.1 to network 0.0.0.0
D*EX 0.0.0.0 0.0.0.0 [170/26880512] via 10.10.3.1, 00:00:03, MENet
D 10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d00h, MENet
If I add a default route on the ASA to the ISP, my default route D*EX is removed, and the static default route to the ISP has higher priority. And the gateway is reported from the static route.
sh route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0
D 10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d00h, MENet
I need to have two default routes. For the VLANs on the ASA, a static default route to the ISP is required. For my VPN tunnel sites, the EIGRP D*EX default route is required.
Can I limit it with route-maps?
12-16-2017 05:22 AM
12-16-2017 08:08 AM
Hello Francesco,
Thank you for your reply. I will describe my problem again.
I have a corporate network with one default gateway. The default gateway is set in EIGRP. I want to connect two new branches to the corporate network through an ASA. I have an ASA 5508X with version 9.7. On the ASA I configured site-to-site VPN to the new branches with VTI interfaces. The s2s VPN is working.
The ASA is connected to the ISP provider with a static default route to the internet on the outside interface. On the ASA I have connected the guest network, DMZ, corporate, etc. The ASA must have access to the internet.
On the second interface on the ASA I configured access to the corporate network: MENet. Because ASA 9.7 supports only BGP with IPsec tunnels, I configured BGP for the VPN sites.
On the ASA I redistributed networks from EIGRP to BGP. All networks are redistributed except the default network from EIGRP. Each site on a VPN tunnel has to use the default route from the corporate network (redistributed from EIGRP).
On the ASA device, the static default route to the ISP deletes the default route from EIGRP. And here is the problem.
I tested: if I delete the default route to the ISP from the ASA, the default route from EIGRP is correctly redistributed to the VPN sites by EIGRP and next to BGP.
The problem is here: the ASA deletes the EIGRP default route because a static default route to the ISP is set on the ASA. I don't know why.
My configuration on ASA:
interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.110.XXX 255.255.255.248
interface GigabitEthernet1/8
 description Corporate network
 speed 1000
 duplex full
 nameif MENet
 security-level 100
 ip address 10.10.3.2 255.255.255.248
 authentication key eigrp 20 ***** key-id 1
 authentication mode eigrp 20 md5
interface Tunnel10
 description Branch2
 nameif BRN-VPN
 ip address 10.10.17.5 255.255.255.192
 tunnel source interface outside
 tunnel destination 89.235.31.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BRN_OFFICE
!
interface Tunnel11
 description Branch1
 nameif LEG-VPN
 ip address 10.10.17.71 255.255.255.192
 tunnel source interface outside
 tunnel destination 195.150.12.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BR_OFFICE
route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1
router bgp 65510
 bgp log-neighbor-changes
 bgp router-id 10.10.10.10
 address-family ipv4 unicast
  neighbor 10.10.17.6 remote-as 65510
  neighbor 10.10.17.6 description BRANCH2
  neighbor 10.10.17.6 timers 5 20 20
  neighbor 10.10.17.6 activate
  neighbor 10.10.17.70 remote-as 65510
  neighbor 10.10.17.70 description BRANCH1
  neighbor 10.10.17.70 timers 5 20 20
  neighbor 10.10.17.70 activate
  neighbor 10.10.17.70 default-originate
  network 10.10.3.0 mask 255.255.255.0
  network 10.10.17.0 mask 255.255.255.192
  network 10.10.17.64 mask 255.255.255.192
  bgp redistribute-internal
  redistribute eigrp 20
  no auto-summary
  no synchronization
 exit-address-family
!
router eigrp 20
 eigrp router-id 17.17.17.17
 network 10.10.3.0 255.255.255.248
 passive-interface default
 no passive-interface MENet
 redistribute bgp 65510 metric 1000 10 255 1 1500
!

sh route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0
D 10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d03h, MENet
D 10.10.4.0 255.255.255.0 [90/1405440] via 10.10.3.1, 1w3d, MENet
D 10.10.6.0 255.255.255.128 [90/1405440] via 10.10.3.1, 5d06h, MENet
D 10.10.6.128 255.255.255.128 [90/1405440] via 10.10.3.1, 1w3d, MENet
D 10.10.18.0 255.255.255.192 [90/1405184] via 10.10.3.1, 3d03h, MENet
If the ASA has a static default route, in sh route eigrp I see: "Gateway of last resort is 213.216.110.XXX to network 0.0.0.0". For the test, if I delete the ISP static default route from the ASA, the default route from EIGRP (D*EX) for VPN works properly.
Let's see:
sh route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.10.3.1 to network 0.0.0.0
D*EX 0.0.0.0 0.0.0.0 [170/26880512] via 10.10.3.1, 00:00:06, MENet
D 10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d03h, MENet
D 10.10.4.0 255.255.255.0 [90/1405440] via 10.10.3.1, 1w3d, MENet
D 10.10.6.0 255.255.255.128 [90/1405440] via 10.10.3.1, 5d06h, MENet
D 10.10.6.128 255.255.255.128 [90/1405440] via 10.10.3.1, 1w3d, MENet
D 10.10.18.0 255.255.255.192 [90/1405184] via 10.10.3.1, 3d03h, MENet
Why does the static default route on the ASA delete my EIGRP default route? Can I set it with route maps?
12-16-2017 01:07 PM
Hello,
I think the problem is with the metric between the static default route on the ASA, which is 1, and the metric of the default route from EIGRP, which is 70. The static default route has the value 1 and deletes the default route with metric 70.
My question is: if I delete the static route to the ISP from the ASA, can I set a special route-map with a default route with next-hop to the ISP gateway for the outside interface? The static default route on the ASA to the ISP is used only by the outside interface.
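Added example, not part of the original posts and not Cisco code: a small Python model of how a routing table keeps one route per prefix by administrative distance, using the bracketed [distance/metric] values from the sh route output quoted in this thread. The `Route` class, helper names and the distance-254 static route are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances (lower wins). They are the first number in
# the [distance/metric] brackets of the sh route output quoted in the thread.
DEFAULT_AD = {"static": 1, "eigrp": 90, "eigrp-ex": 170, "ibgp": 200}

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str
    next_hop: str
    metric: int = 0
    distance: Optional[int] = None  # per-route override, e.g. a floating static

    @property
    def ad(self) -> int:
        return DEFAULT_AD[self.source] if self.distance is None else self.distance

def build_rib(candidates):
    """Install one route per prefix: lowest distance, then lowest metric."""
    rib = {}
    for r in candidates:
        key = ipaddress.ip_network(r.prefix)
        if key not in rib or (r.ad, r.metric) < (rib[key].ad, rib[key].metric):
            rib[key] = r
    return rib

def last_resort(rib):
    default = rib.get(ipaddress.ip_network("0.0.0.0/0"))
    return default.next_hop if default else None

def redistribute(rib, sources):
    """Only routes the source protocol actually installed can be redistributed."""
    return sorted(str(p) for p, r in rib.items() if r.source in sources)

# Constructed sample built from values in the thread (ISP address stays masked).
ISP_GW = "213.216.110.XXX"
LEARNED = [
    Route("0.0.0.0/0", "eigrp-ex", "10.10.3.1", 26880512),
    Route("10.10.2.0/24", "eigrp", "10.10.3.1", 28160256),
    Route("10.10.21.0/26", "ibgp", "10.10.17.70"),
]
STATIC_DEFAULT = Route("0.0.0.0/0", "static", ISP_GW)
FLOATING = Route("0.0.0.0/0", "static", ISP_GW, distance=254)  # hypothetical

if __name__ == "__main__":
    for name, extra in [("static AD 1", [STATIC_DEFAULT]), ("no static", []), ("static AD 254", [FLOATING])]:
        rib = build_rib(LEARNED + extra)
        print(name, last_resort(rib), redistribute(rib, {"eigrp", "eigrp-ex"}))
```

In the third scenario the EIGRP default is installed and redistributed, but the device's own gateway of last resort also moves to 10.10.3.1, so a higher-distance static alone does not give two simultaneous defaults.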
12-16-2017 03:15 PM