
How to advertise the L2L remote subnet to local EIGRP LAN?

Hello.

Regarding a site-to-site tunnel with local ASA 5525, how do I advertise the tunnel remote subnet 172.16.10.0/24 to my EIGRP local LAN?

1. (There are no interfaces with this subnet so vanilla EIGRP doesn't work.)

2. Redistributing static route gives error...

ASA config)# route inside 172.16.10.0 255.255.255.0 172.16.99.1
ERROR: Invalid next hop address 172.16.99.1

 it matches our IP address
---


Thank you!


Richard Burts
Hall of Fame

What is 172.16.99.1? Is it perhaps the address of your outside interface? If so then change the static route to use the address of the connected device on the outside interface (perhaps 172.16.99.2?).

HTH

Rick

172.16.99.1 is the private IP of the remote server at the other end of the L2L tunnel. The policy-based tunnel ACL has this 172.16.99.1 server in its config.

(The L2L tunnel local source interface is 1.1.1.1, the L2L tunnel remote source interface is 2.2.2.2.)

The return L2L traffic needs to know how to route to this 172.16.99.0/24 subnet.

How do I propagate this routing intent?

Thanks for additional information. But I am confused about the error "Invalid next hop address 172.16.99.1 it matches our IP address". If that is the address of a remote server how does it match an ASA address?

My second thought is to wonder why you want to advertise this subnet to your Lan? Doesn't the ASA advertise a default route to the Lan?

My third thought is that if you do need to advertise that subnet then change the next hop in the static route to be the next hop device connected to the outside interface.

And that leads me to wonder why you are using route inside? Would it not be better to do route outside (for a remote destination)?

HTH

Rick

Let's keep this simple...

The remote site to site LAN is 10.0.20.0 /24
The local LAN server is 10.0.10.0/24

There is no NAT config through the tunnel (there is an identity NAT statement).

Public IP sources of the tunnel endpoints are 1.1.1.1 and 2.2.2.2.

INTENT: to tell local LAN how to get to remote site subnet 10.0.20.0/24

What is the ASA5525 L2L endpoint config here to accomplish intent?

Thank you.

 

Use redistribute static into EIGRP.
Use route-map to filter the peer LAN subnet.

(I try to enter this direct command, it fails--

ASA config)# route inside 172.16.10.0 255.255.255.0 172.16.99.1
ERROR: Invalid next hop address 172.16.99.1

 it matches our IP address)

How shall I construct the route map? What does it point to?

I see you have route based VPN, not policy based.

Then try:

Static route to remote LAN toward peer tunnel IP and redistribute it into EIGRP.

Redistribute the VTI tunnel subnet into EIGRP.

Through this, all L3 devices behind the ASA know how to reach the remote LAN and tunnel subnet.

This is policy based VPN. Clearly I'm confused. 

There does exist on the ASA5525 tunnel endpoint, an ACL that only tunnels the explicitly permitted endpoint traffic.

 

Essential fact-- Right now I am trying to get return traffic back through a tunnel sourced at a remote branch. The local endpoint server has a default route not through the remote branch, but asymmetrically through a different ASA local to the endpoint server. I need to tell this traffic to route to the remote branch, because that's the return path through the VPN, the only way to reach remote vendor subnet 10.0.20.0/24

How does the Local server know how to reach the endpoint server?...

This is policy based VPN. Clearly I'm confused. 

If yes what is local and remote lan subnet 

 

local lan subnet= 10.0.10.0/24
remote lan subnet= 10.0.20.0/24

Hello @jmaxwellUSAF ,

>> Essential fact-- Right now I am trying to get return traffic back through a tunnel sourced at a remote branch. The local endpoint server has a default route not through the remote branch, but asymmetrically through a different ASA local to the endpoint server. I need to tell this traffic to route to the remote branch, because that's the return path through the VPN, the only way to reach remote vendor subnet 10.0.20.0/24

Try to configure a static route on the outside of the ASA that handles the site to site policy based VPN, like

route outside 10.0.20.0 255.255.255.0 2.2.2.2

Note: if remote peer 2.2.2.2 is not accepted, use as next-hop the default gateway IP address, and then try to redistribute it into EIGRP, but EIGRP has to be spoken by both ASAs for this to take effect.

if I understand correctly the local server connects to an ASA that is not the one that manages the site to site VPN, so you need a L3 routed/routing path between the two ASAs ( and any device on the path like multilayer switches if any )  and also appropriate changes to NAT and to access-list as needed.

The use of EIGRP or static routes is a secondary aspect.

Hope to help

Giuseppe

 

Giuseppe solved it!...

route outside 10.0.20.0 255.255.255.0 2.2.2.2

Great work! Thank you Giuseppe!
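
The configuration the replies above converge on (a static route for the remote VPN subnet, redistributed into EIGRP through a route-map so that only that one prefix is advertised), written out as an added example that is not part of the original thread. The EIGRP AS number 100 and the names VPN-REMOTE-LAN and STATIC-TO-EIGRP are assumptions; the interface name, subnet and peer address are the ones quoted in the thread.

```cisco
! Added example, not from the thread. AS 100 and the ACL/route-map names
! are assumed; replace them with the values in use on the ASA.

! Static route for the remote L2L subnet, pointing out the VPN-facing interface.
! If the peer 2.2.2.2 is rejected as next hop, use the outside default gateway
! instead (placeholder: <outside-gateway-ip>).
route outside 10.0.20.0 255.255.255.0 2.2.2.2

! Match only the remote VPN subnet, so no other static route leaks into EIGRP.
access-list VPN-REMOTE-LAN standard permit 10.0.20.0 255.255.255.0

route-map STATIC-TO-EIGRP permit 10
 match ip address VPN-REMOTE-LAN
! No further permit entries: every other static route hits the implicit deny.

router eigrp 100
 redistribute static route-map STATIC-TO-EIGRP

! Verification on the ASA and on an EIGRP neighbour:
!   show route
!   show eigrp topology
```

On the EIGRP neighbours the prefix should then appear as an external route (D EX 10.0.20.0/24); any other static route appearing there means the route-map is matching more than intended.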
