06-01-2010 09:06 AM - edited 03-06-2019 11:22 AM
Hey guys.
I have an ASA connected directly into a 6509.
The ASA has the inside interface of 192.168.0.193/26 and a DMZ interface of 172.16.20.1/24.
I've brought up an EIGRP relationship between the two and the ASA can now see all the routes coming from the 6509, but the 6509 can't see the 172.16.20.0/24 network in the EIGRP topology.
ASA EIGRP config is as follows:
router eigrp 100
no auto-summary
network 192.168.0.192 255.255.255.192
network 172.16.20.0 255.255.255.0
sw-6509e-1#sh ip eigrp topology 172.16.20.0
% IP-EIGRP (AS 100): Route not in topology table
Anyone have any ideas?
06-01-2010 10:27 AM
b.rockburn wrote:
Hey guys.
I have an ASA connected directly into a 6509
the asa has the inside interface of 192.168.0.193/26 and a dmz interface of 172.16.20.1/24
I've brought a eigrp relationship between the two and the ASA can now see all the routes coming from the 6509 but the 6509 can't see the 172.16.20.0/24 network in the eigrp topology
Asa eigrp config is as follows
router eigrp 100
no auto-summary
network 192.168.0.192 255.255.255.192
network 172.16.20.0 255.255.255.0
sw-6509e-1#sh ip eigrp topology 172.16.20.0
% IP-EIGRP (AS 100): Route not in topology table
Anyone have any ideas?
Brent
Your network masks are wrong, i.e. they should be inverse masks, e.g.
router eigrp 100
network 192.168.0.192 0.0.0.63
network 172.16.20.0 0.0.0.255
Jon
06-01-2010 10:29 AM
Hey Jon,
when I tried to do that on my ASA it says this
fw-miss-dr-can-asa5520-01(config-router)# network 192.168.0.193 0.0.0.63
% EIGRP: Invalid mask (discontiguous)
06-01-2010 10:34 AM
b.rockburn wrote:
Hey Jon,
when I tried to do that on my ASA it says this
fw-miss-dr-can-asa5520-01(config-router)# network 192.168.0.193 0.0.0.63
% EIGRP: Invalid mask (discontiguous)
Brent
Try "network 192.168.0.192 0.0.0.63"
Jon
06-01-2010 10:36 AM
fw-miss-dr-can-asa5520-01(config-router)# network 192.168.0.192 0.0.0.63
% EIGRP: Invalid mask (discontiguous)
when I do network 192.168.0.193 255.255.255.192 it takes it and yes changes it to 192.168.0.192 255.255.255.192
06-01-2010 10:37 AM
Brent
Just checked the ASA config guide and it looks like the ASA does use normal subnet masks and not inverse masks so please ignore me
Jon
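Added example (not part of the thread, and not Cisco's parser): a small Python model of the mask behaviour seen in the posts above, where the ASA reads the second field of `network` as a subnet mask, rejects the wildcard 0.0.0.63 as discontiguous, and normalises 192.168.0.193 to 192.168.0.192. The function names are hypothetical; the addresses are the ones quoted in the thread.

```python
import ipaddress

def is_contiguous_netmask(mask: str) -> bool:
    """True if mask is a run of 1-bits followed only by 0-bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    # Inverting a contiguous netmask gives 2**k - 1, and x & (x + 1) == 0
    # holds exactly for numbers of that form.
    return inverted & (inverted + 1) == 0

def wildcard_to_netmask(wildcard: str) -> str:
    """Bitwise-invert an IOS wildcard (inverse) mask into a netmask."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(~w & 0xFFFFFFFF))

def asa_network_statement(address: str, mask: str) -> str:
    """Model of the ASA behaviour in the thread: field two is a netmask."""
    if not is_contiguous_netmask(mask):
        raise ValueError("Invalid mask (discontiguous)")
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return f"network {net.network_address} {net.netmask}"

def ios_network_statement(address: str, netmask: str) -> str:
    """Same network written the IOS way, with a wildcard mask."""
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    return f"network {net.network_address} {net.hostmask}"

if __name__ == "__main__":
    # Values taken from the posts above.
    attempts = [
        ("192.168.0.193", "0.0.0.63"),
        ("192.168.0.193", "255.255.255.192"),
        ("172.16.20.1", "255.255.255.0"),
    ]
    for addr, mask in attempts:
        try:
            print("ASA:", asa_network_statement(addr, mask))
            print("IOS:", ios_network_statement(addr, mask))
        except ValueError as err:
            print(f"ASA rejects '{addr} {mask}': {err}")
```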
06-01-2010 10:44 AM
Hi Brent
As per my understanding, you have connected the ASA directly to the 6509.
And currently you have Inside, DMZ & Outside networks.
Can you please share the topology, so that it can help us understand the network & issue?
You have connected the ASA directly to the 6509 & you are trying to run both the DMZ & Inside networks on a single cable (physical cabling & single interface in the ASA).
So you should configure the ASA with VLANs (sub-interfaces). One will be the DMZ Layer 3 interface & one will be the Inside Layer 3 interface. (Below is an example.)
ASA Configuration
interface GigabitEthernet0/0
description ***** Connected to 6509-I *****
no nameif
no security-level
no ip address
Outside Network
!
interface GigabitEthernet0/0.2
description ***** Connected to 6509-I - Server VLAN *****
vlan 2
nameif DMZ-Zone
security-level 50
ip address x.x.x.x x.x.x.x standby x.x.x.x
!
Inside Network
interface GigabitEthernet0/0.140
description ***** Connected to 6509-I Inside VLAN ****
vlan 140
nameif INSIDE-Zone
security-level 100
ip address x.x.x.x x.x.x.x standby x.x.x.x
6509 Switch Configuration
interface GigabitEthernet1/1
description ***** Connected To ASA-I *****
switchport trunk encapsulation dot1q
switchport mode trunk
In the ASA you will use two physical interfaces, one for Outside & one for Inside & DMZ (using sub-interfaces).
And the important thing is that the cable from the ASA to the 6509 should be a trunk to pass multiple VLANs (in the 6509 you should configure a trunk).
If your scenario is different, please let us know.
Regards
chetan Kumar
06-01-2010 10:56 AM
Yes, that portion of the configuration I have down; there is no problem there.
The problem appears to be with EIGRP and the ASA, I'm not sure how the two should interact.
06-01-2010 11:19 AM
Hi Brent
Please refer to the attached diagram.
The below config is for the DMZ network. The gateway for the servers is the ASA; any request from a server will come directly to the ASA (to the below interface), because we had configured a trunk in the 6509, and in the 6509 we had configured the Server VLAN (L2 VLAN) with all server ports associated to the Server VLAN. The trunk will pass this Server VLAN traffic to the ASA and then the ASA will reply to those servers.
interface GigabitEthernet0/0.2
description ***** Connected to 6509-I - Server VLAN *****
vlan 2
nameif DMZ-Zone
security-level 50
ip address X.X.X.X X.X.X.X standby X.X.X.X
And here you can see, this is the management interface to communicate between the ASA & 6509, where routing will be done to pass the 6509 routes to the ASA. We had configured the ASA with a sub-interface, i.e. VLAN 10, and assigned IP address 1.1.1.1, & in the switch we created a Layer 3 interface named VLAN10 & assigned IP address 1.1.1.2. The switch port is configured as a trunk & the trunk will pass requests to the ASA (VLAN 10 traffic). So you can see that the trunk will pass both VLANs' information to the ASA, and in the same way it will communicate vice versa.
interface GigabitEthernet0/0.10
description ***** Connected to 6509-I Inside zone ****
vlan 10
nameif INSIDE-Zone
security-level 100
ip address 1.1.1.1 255.255.255.0
Switch configuration
interface vlan 10
ip add 1.1.1.2 255.255.255.0
interface GigabitEthernet1/1
description ***** Connected To ASA *****
switchport trunk encapsulation dot1q
switchport mode trunk
Regards
Chetan Kumar
06-18-2013 12:07 PM
I had same problem in ASA8.6, but resolved.
Kindly find the EIGRP specific configuration
Interface configuration
!
interface GigabitEthernet0/0
description Links to WAN Router
nameif OUTSIDE
security-level 50
ip address 10.1.1.4 255.255.255.192 standby 10.1.1.5
summary-address eigrp 100 10.1.0.0 255.255.0.0 1
!
EIGRP Protocol Configuration
access-list eigrpACL_FR standard permit any
!
router eigrp 100
distribute-list eigrpACL_FR in interface OUTSIDE
neighbor 10.1.1.3 interface OUTSIDE
neighbor 10.1.1.2 interface OUTSIDE
network 10.1.1.0 255.255.255.192
redistribute connected
redistribute static
!
Regards,
Bhanu.
Note: If it resolves your problem, flag it as Resolved.
06-18-2013 12:11 PM
I had same problem in ASA8.6, but resolved.
Kindly find the EIGRP specific configuration
Interface configuration
!
interface GigabitEthernet0/0
description Links to WAN Router
nameif OUTSIDE
security-level 50
ip address 10.1.1.4 255.255.255.192 standby 10.1.1.5
summary-address eigrp 100 10.1.0.0 255.255.0.0 1
!
EIGRP Protocol Configuration
access-list eigrpACL_FR standard permit any
!
router eigrp 100
distribute-list eigrpACL_FR in interface OUTSIDE
neighbor 10.1.1.2 interface OUTSIDE
network 10.1.1.0 255.255.255.192
redistribute connected
redistribute static
!
Regards,
Bhanu.
Note: If it resolves your issue, flag it as Resolved.