Issues with VRF and EIGRP

Kemal Zuko
Level 1

Hi All,

 

We are testing a new design for our new Data Center refresh project. In my current lab I have one Cisco 3750e Layer 3 switch and one ASA 5520.

The ASA and the Cisco 3750 connect on a stick. I am using transit VRFs to connect the two together. As my routing protocol I am using EIGRP to establish the connection between the two. The reason I have VRFs on the L3 switch is because I want the switch to be the gateway for all workstations, and there are multiple zones, so to say.

DMZ network - 172.16.0.0/23

Inside Network - 172.16.2.0/23

F5 Front Porch - 172.16.12.0/23

F5 Back porch (hosts behind the F5) - 172.16.13.0/24

 

I have attached a little diagram as well.

 

The idea #1 behind all this is to have the DMZ and the Inside networks be able to get to one another while being inspected by the ASA. That works.

#2 is that all hosts behind the F5 can get to DMZ and Inside hosts the same way (being inspected by the ASA). That is also working.

And #3 is that DMZ and Inside hosts can get to the hosts behind the F5. That is NOT working.

 

As far as the configuration, here is what I have currently:

---- SWITCH ----

Switch1# sh run
Building configuration...


version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
!
ip vrf DMZ
 description DMZ Users
!
ip vrf F5_Front
 description Front-Porch-of-F5
!
ip vrf Inside
 description Inside users
!

!
!
!
no ip domain-lookup
!

!
spanning-tree mode pvst
spanning-tree extend system-id
!

!
!
vlan internal allocation policy ascending
!

!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 description To ASA
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 450-454
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Uplink to F5
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 120,122
 switchport mode trunk
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
 description Uplink to Node-Behind-F5
 switchport access vlan 122
 switchport mode access
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/47
 switchport access vlan 162
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport access vlan 160
 spanning-tree portfast
!

interface Vlan1
 no ip address
!
!
interface Vlan120
 ip vrf forwarding F5_Front
 ip address 172.16.12.1 255.255.255.0

!
interface Vlan160
 ip vrf forwarding DMZ
 ip address 172.16.0.1 255.255.254.0
!
interface Vlan162
 description Inside
 ip vrf forwarding Inside
 ip address 172.16.2.1 255.255.254.0

!
interface Vlan450
 description VRF_DMZ_P2P
 ip vrf forwarding DMZ
 ip address 172.16.250.1 255.255.255.248
!
interface Vlan451
 description VRF_Inside_P2P
 ip vrf forwarding Inside
 ip address 172.16.250.9 255.255.255.248
!
interface Vlan454
 description P2P_F5_Front
 ip vrf forwarding F5_Front
 ip address 172.16.250.33 255.255.255.248
!
!
router eigrp 99
 !
 address-family ipv4 vrf DMZ autonomous-system 99
  network 172.16.0.0 0.0.1.255
  network 172.16.250.0 0.0.0.7
  passive-interface default
  no passive-interface Vlan450
  eigrp router-id 172.16.250.1
 exit-address-family
 !
 address-family ipv4 vrf Inside autonomous-system 99
  network 172.16.2.0 0.0.1.255
  network 172.16.250.8 0.0.0.7
  passive-interface default
  no passive-interface Vlan451
  eigrp router-id 172.16.250.9
 exit-address-family
 !
 address-family ipv4 vrf F5_Front autonomous-system 99
  redistribute static
  network 172.16.12.0 0.0.0.255
  network 172.16.13.0 0.0.0.255
  network 172.16.250.32 0.0.0.7
  passive-interface default
  no passive-interface Vlan454
  eigrp router-id 172.16.250.33
 exit-address-family
 network 172.16.0.0
 eigrp router-id 172.16.0.1
!
!
ip http server
ip http secure-server
!
ip route vrf F5_Front 172.16.13.0 255.255.255.0 172.16.12.3
!
!
!
!
!
line con 0
 logging synchronous
line vty 0 4
 login
line vty 5 15
 login
!
end

Switch1#


Switch1#sh ip route vrf DMZ

Routing Table: DMZ
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 8 subnets, 4 masks
C        172.16.0.0/23 is directly connected, Vlan160
L        172.16.0.1/32 is directly connected, Vlan160
D        172.16.2.0/23 [90/3328] via 172.16.250.2, 00:37:43, Vlan450
D        172.16.12.0/24 [90/3328] via 172.16.250.2, 00:37:42, Vlan450
C        172.16.250.0/29 is directly connected, Vlan450
L        172.16.250.1/32 is directly connected, Vlan450
D        172.16.250.8/29 [90/3072] via 172.16.250.2, 00:37:43, Vlan450
D        172.16.250.32/29 [90/3072] via 172.16.250.2, 00:37:43, Vlan450

Switch1#sh ip route vrf Inside

Routing Table: Inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 8 subnets, 4 masks
D        172.16.0.0/23 [90/3328] via 172.16.250.10, 00:37:49, Vlan451
C        172.16.2.0/23 is directly connected, Vlan162
L        172.16.2.1/32 is directly connected, Vlan162
D        172.16.12.0/24 [90/3328] via 172.16.250.10, 00:37:48, Vlan451
D        172.16.250.0/29 [90/3072] via 172.16.250.10, 00:37:49, Vlan451
C        172.16.250.8/29 is directly connected, Vlan451
L        172.16.250.9/32 is directly connected, Vlan451
D        172.16.250.32/29 [90/3072] via 172.16.250.10, 00:37:49, Vlan451

Switch1#sh ip route vrf F5_Front

Routing Table: F5_Front
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 9 subnets, 4 masks
D        172.16.0.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
D        172.16.2.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
C        172.16.12.0/24 is directly connected, Vlan120
L        172.16.12.1/32 is directly connected, Vlan120
S        172.16.13.0/24 [1/0] via 172.16.12.3
D        172.16.250.0/29 [90/3072] via 172.16.250.34, 00:38:01, Vlan454
D        172.16.250.8/29 [90/3072] via 172.16.250.34, 00:38:01, Vlan454
C        172.16.250.32/29 is directly connected, Vlan454
L        172.16.250.33/32 is directly connected, Vlan454
Switch1#


Switch1#sh ip eigrp vrf DMZ topology
EIGRP-IPv4 Topology Table for AS(99)/ID(172.16.250.1) VRF(DMZ)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 172.16.250.32/29, 1 successors, FD is 3072
        via 172.16.250.2 (3072/2816), Vlan450
P 172.16.250.0/29, 1 successors, FD is 2816
        via Connected, Vlan450
P 172.16.2.0/23, 1 successors, FD is 3328
        via 172.16.250.2 (3328/3072), Vlan450
P 172.16.250.8/29, 1 successors, FD is 3072
        via 172.16.250.2 (3072/2816), Vlan450
P 172.16.0.0/23, 1 successors, FD is 2816
        via Connected, Vlan160
P 172.16.12.0/24, 1 successors, FD is 3328
        via 172.16.250.2 (3328/3072), Vlan450


Switch1#sh ip eigrp vrf Inside topology
EIGRP-IPv4 Topology Table for AS(99)/ID(172.16.250.9) VRF(Inside)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 172.16.250.32/29, 1 successors, FD is 3072
        via 172.16.250.10 (3072/2816), Vlan451
P 172.16.250.0/29, 1 successors, FD is 3072
        via 172.16.250.10 (3072/2816), Vlan451
P 172.16.2.0/23, 1 successors, FD is 2816
        via Connected, Vlan162
P 172.16.250.8/29, 1 successors, FD is 2816
        via Connected, Vlan451
P 172.16.0.0/23, 1 successors, FD is 3328
        via 172.16.250.10 (3328/3072), Vlan451
P 172.16.12.0/24, 1 successors, FD is 3328
        via 172.16.250.10 (3328/3072), Vlan451

Switch1#
Switch1#sh ip eigrp vrf F5_Front topology
EIGRP-IPv4 Topology Table for AS(99)/ID(172.16.250.33) VRF(F5_Front)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 172.16.250.32/29, 1 successors, FD is 2816
        via Connected, Vlan454
P 172.16.250.0/29, 1 successors, FD is 3072
        via 172.16.250.34 (3072/2816), Vlan454
P 172.16.2.0/23, 1 successors, FD is 3328
        via 172.16.250.34 (3328/3072), Vlan454
P 172.16.250.8/29, 1 successors, FD is 3072
        via 172.16.250.34 (3072/2816), Vlan454
P 172.16.0.0/23, 1 successors, FD is 3328
        via 172.16.250.34 (3328/3072), Vlan454
P 172.16.12.0/24, 1 successors, FD is 2816
        via Connected, Vlan120

Switch1#

Switch1# sh ip eigrp vrf DMZ neighbors
EIGRP-IPv4 Neighbors for AS(99) VRF(DMZ)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.250.2            Vl450                    11 00:39:57    1   100  0  93
Switch1#
Switch1# sh ip eigrp vrf Inside neighbors
EIGRP-IPv4 Neighbors for AS(99) VRF(Inside)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.250.10           Vl451                    12 00:40:22    1   100  0  92
Switch1#
Switch1# sh ip eigrp vrf F5_Front neighbors
EIGRP-IPv4 Neighbors for AS(99) VRF(F5_Front)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.250.34           Vl454                    11 00:40:35    1   100  0  94
Switch1#

 

---- ASA ----

ciscoasa# sh run
: Saved
:
ASA Version 9.1(2) 
!
hostname ciscoasa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description N/A
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.450
 description DMZ VRF Transit 
 vlan 450
 nameif DMZ_P2P
 security-level 80
 ip address 172.16.250.2 255.255.255.248 
!
interface GigabitEthernet0/0.451
 description Inside VRF Transit
 vlan 451
 nameif Inside_P2P
 security-level 100
 ip address 172.16.250.10 255.255.255.248 
!
interface GigabitEthernet0/0.454
 vlan 454
 nameif F5_Front
 security-level 100
 ip address 172.16.250.34 255.255.255.248 
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DMZ
 subnet 172.16.0.0 255.255.254.0
 description 255.255.254.0
object network Inside
 subnet 172.16.2.0 255.255.254.0
 description 255.255.254.0
object network F5_Front
 subnet 172.16.12.0 255.255.255.0
 description Front Porch
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
access-list Inside_access_in extended permit tcp host 172.16.2.3 host 172.16.13.10 eq 3389 
access-list Inside_access_in extended permit tcp host 172.16.2.3 host 172.16.0.3 eq 3389 
access-list Inside_access_in extended permit ip any any 
access-list DMZ_access_in extended permit tcp host 172.16.0.3 host 172.16.13.10 eq 3389 
access-list DMZ_access_in extended permit ip any any 
access-list F5_Front_access_in extended permit tcp host 172.16.13.10 host 172.16.0.3 eq 3389 
access-list F5_Front_access_in extended permit ip any any 
access-list P2P_Transient_F5_Behind_access_in extended permit icmp any any time-exceeded 
access-list P2P_Transient_F5_Behind_access_in extended permit ip any any 
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu DMZ_P2P 1500
mtu Inside_P2P 1500
mtu VPN_DMZ_P2P 1500
mtu DD_P2P 1500
mtu F5_Front 1500
mtu MGMT 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (F5_Front,Inside_P2P) source static F5_Front F5_Front destination static F5_Front F5_Front
nat (F5_Front,DMZ_P2P) source static F5_Front F5_Front destination static F5_Front F5_Front
access-group DMZ_access_in in interface DMZ_P2P
access-group Inside_access_in in interface Inside_P2P
access-group F5_Front_access_in in interface F5_Front
!
router eigrp 99
 no auto-summary
 eigrp router-id 172.18.36.3
 network 172.16.250.0 255.255.255.248
 network 172.16.250.8 255.255.255.248
 network 172.16.250.32 255.255.255.248
!

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!             
class-map Trace
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:181ea09181ebdcc95538aa0421ed7630
: end
ciscoasa#    

ciscoasa# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(99)/ID(172.18.36.3)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P 172.16.250.0 255.255.255.248, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0.450
P 172.16.250.8 255.255.255.248, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0.451
P 172.16.250.32 255.255.255.248, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0.454
P 172.16.12.0 255.255.255.0, 1 successors, FD is 3072
        via 172.16.250.33 (3072/2816), GigabitEthernet0/0.454
P 172.16.0.0 255.255.254.0, 1 successors, FD is 3072
        via 172.16.250.1 (3072/2816), GigabitEthernet0/0.450
P 172.16.2.0 255.255.254.0, 1 successors, FD is 3072
        via 172.16.250.9 (3072/2816), GigabitEthernet0/0.451
ciscoasa# 
ciscoasa# sh eigrp neighbors 
EIGRP-IPv4 neighbors for process 99
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   172.16.250.33           Gi0/0.454        11  00:44:10 10   200   0   17
0   172.16.250.9            Gi0/0.451        14  00:44:11 13   200   0   22
1   172.16.250.1            Gi0/0.450        11  00:44:11 14   200   0   27
ciscoasa# 
ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 99.27.124.1 to network 0.0.0.0

C    1.1.1.0 255.255.252.0 is directly connected, outside
C    172.16.250.0 255.255.255.248 is directly connected, DMZ_P2P
C    172.16.250.8 255.255.255.248 is directly connected, Inside_P2P
C    172.16.250.16 255.255.255.248 is directly connected, VPN_DMZ_P2P
C    172.16.250.24 255.255.255.248 is directly connected, DD_P2P
C    172.16.250.32 255.255.255.248 is directly connected, F5_Front
D    172.16.12.0 255.255.255.0 [90/3072] via 172.16.250.33, 0:44:15, F5_Front
D    172.16.0.0 255.255.254.0 [90/3072] via 172.16.250.1, 0:44:16, DMZ_P2P
D    172.16.2.0 255.255.254.0 [90/3072] via 172.16.250.9, 0:44:16, Inside_P2P
C    172.18.36.0 255.255.255.0 is directly connected, MGMT
S    172.22.36.0 255.255.255.0 [1/0] via 172.18.36.1, MGMT
d*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside
ciscoasa#  

 

----------- END ---------

 

When I do a traceroute from the DMZ network (workstation 172.16.0.3) to the host behind the F5 (172.16.13.10), my traceroute dies at the gateway of the workstation, 172.16.0.1.

I have never attempted this VRF design with EIGRP and a device that does not support EIGRP, in my case the F5 load balancer.

 

All traffic from the DMZ and Inside networks should be forced to 172.16.12.3, which is the F5 front side. From there the F5 knows how to handle that traffic.

My packets are not getting out of the gateway, so they never reach the front of the F5.

 

What am I missing here? Is this even possible? 

Thanks in Advance 

 

Accepted Solution

Just found an article that confirms you need a metric with EIGRP when you redistribute static within a VRF so I think that is your problem.

Jon


21 Replies

Jon Marshall
Hall of Fame

The #2 is that all hosts behind the F5 can get to DMZ and Inside hosts the same way (being inspected by ASA) That is also working

It's quite a complicated setup so I may have missed something, but are you sure about the above?

The inside, DMZ VRFs and the ASA have no knowledge of the 172.16.13.0/24 subnet so I can't see how the above is working. 

The fact you can't traceroute from an inside or DMZ client to those hosts makes sense because there are no routes for that subnet in their VRF routing tables.

The only VRF that does know about that subnet is the F5_Front VRF.

Like I say I may have missed something but I can't see how 2 or 3 would work without routes.

Jon
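An added example, not part of Jon's reply or anything else posted in this thread: a small Python script that parses the "sh ip route vrf ..." output from the original post and does a longest-prefix lookup per VRF, which is the check the diagnosis above rests on. The route lines are trimmed from the thread's own output; the function names and the way the tables are grouped are this example's own.

```python
"""Which VRFs on the switch actually hold a route for a destination?

Added example, not code from the thread: it parses the 'sh ip route vrf'
output the original post pasted and does a longest-prefix match per VRF.
A VRF with no matching route cannot forward to the destination, and a VRF
on the return path with no route for the source cannot send the reply back.
"""
import ipaddress
import re

# Route lines trimmed from the thread's 'sh ip route vrf DMZ / Inside / F5_Front'
# output (header lines such as 'Gateway of last resort' are ignored by the parser).
SHOW_IP_ROUTE_VRF = {
    "DMZ": """
Gateway of last resort is not set
C        172.16.0.0/23 is directly connected, Vlan160
L        172.16.0.1/32 is directly connected, Vlan160
D        172.16.2.0/23 [90/3328] via 172.16.250.2, 00:37:43, Vlan450
D        172.16.12.0/24 [90/3328] via 172.16.250.2, 00:37:42, Vlan450
C        172.16.250.0/29 is directly connected, Vlan450
""",
    "Inside": """
D        172.16.0.0/23 [90/3328] via 172.16.250.10, 00:37:49, Vlan451
C        172.16.2.0/23 is directly connected, Vlan162
D        172.16.12.0/24 [90/3328] via 172.16.250.10, 00:37:48, Vlan451
C        172.16.250.8/29 is directly connected, Vlan451
""",
    "F5_Front": """
D        172.16.0.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
D        172.16.2.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
C        172.16.12.0/24 is directly connected, Vlan120
S        172.16.13.0/24 [1/0] via 172.16.12.3
C        172.16.250.32/29 is directly connected, Vlan454
""",
}

# One IOS route line: code, prefix, optional [AD/metric], then 'via <nh>' or
# 'is directly connected'.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2})\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[\d+/\d+\])?\s+(?:via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected)"
)


def parse_routes(text):
    """Return [(network, next_hop_or_None), ...] from 'show ip route' text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group("prefix"), strict=False)
            routes.append((net, m.group("nh")))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; None when the table has no route at all."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def reachability(tables, dst):
    """Map each VRF name to the matched prefix (as a string) or None if unrouted."""
    result = {}
    for vrf, text in tables.items():
        hit = lookup(parse_routes(text), dst)
        result[vrf] = str(hit[0]) if hit else None
    return result


if __name__ == "__main__":
    # Forward direction: which VRFs can even start a packet towards the host behind the F5?
    for vrf, hit in reachability(SHOW_IP_ROUTE_VRF, "172.16.13.10").items():
        print(f"{vrf:9s} -> 172.16.13.10 : {hit or 'NO ROUTE'}")
    # Return direction: F5_Front must know how to get back to a DMZ host.
    print("F5_Front  -> 172.16.0.3   :", reachability(SHOW_IP_ROUTE_VRF, "172.16.0.3")["F5_Front"])
```

Run against the tables from the thread, only F5_Front resolves 172.16.13.10; DMZ and Inside come back with no route, which is why the traceroute stops at the SVI.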

 

Hi Jon,

 

#2 is working, I just double checked. The host behind the F5, 172.16.13.10, can RDP to either DMZ 172.16.0.3 or Inside 172.16.2.3. When I block RDP access on the ASA the session drops. The reason that host behind the F5 can get there is because of the default route on the F5, which reads as follows:

 

0.0.0.0 0.0.0.0 172.16.12.1 

 

So any traffic going out uses the 172.16.12.1 gateway on the switch. In that case that is the F5_Front VRF.

And correct, the other way around does not work because there are no routes. I am trying to figure out how to make this work full circle.

I don't think it's that simple.

Your 172.16.13.x hosts may have a route on the F5 to get out to the switch but when the traffic returns the destination IP is 172.16.13.x and so an inside or DMZ host couldn't route that traffic back because there are no routes.

So I don't think 2 is working as you expect.

Jon

 

What would be a better test? 

When I run Wireshark I can see the 3-way TCP handshake being completed. I am testing only RDP sessions and some ICMP ping tests.

Well, I am only saying I can't see how it works, as you still need routes back to the 172.16.13.x subnet and we know they aren't there.

So I can't see how this is working unless you are doing NAT on the 172.16.13.x IPs to something else, e.g. the 172.16.12.x F5 front door IPs, in which case the return path would work.

Are you sure your F5 is not simply translating them to 172.16.12.x IPs ?

Where are you running the packet capture ?

If it is on the 172.16.13.x host you won't see that.

You would need to run it on the inside or DMZ host to see what IP it is.

Jon

Jon,

 

You are right. 

There is a SNAT, 172.16.12.10, that my DMZ hosts see. They do not see the 13.x network.

 

If I remove the SNAT it does not work.

Any ideas where I need more routes? 

Good, because otherwise I would have had no idea what was going on :-)

You could add routes to the inside and DMZ VRFs but perhaps a simpler solution is to add a static route on the firewall for the 172.16.13.0/24 subnet with a next hop of the SVI IP address for vlan 454 on the switch.

Then redistribute this into EIGRP so the inside and DMZ VRFs receive the route.

All you are trying to do is get traffic to flow via the ASA so that may be the best place to do it.

Jon

Jon,

 

Here is the command output:

ciscoasa# sh eigrp topology all-links 

EIGRP-IPv4 Topology Table for AS(99)/ID(172.18.36.3)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P 172.16.250.0 255.255.255.248, 1 successors, FD is 2816, serno 1
        via Connected, GigabitEthernet0/0.450
P 172.16.250.8 255.255.255.248, 1 successors, FD is 2816, serno 2
        via Connected, GigabitEthernet0/0.451
P 172.16.250.32 255.255.255.248, 1 successors, FD is 2816, serno 3
        via Connected, GigabitEthernet0/0.454
P 172.16.12.0 255.255.255.0, 1 successors, FD is 3072, serno 20
        via 172.16.250.33 (3072/2816), GigabitEthernet0/0.454
P 172.16.0.0 255.255.254.0, 1 successors, FD is 3072, serno 16
        via 172.16.250.1 (3072/2816), GigabitEthernet0/0.450
P 172.16.2.0 255.255.254.0, 1 successors, FD is 3072, serno 18
        via 172.16.250.9 (3072/2816), GigabitEthernet0/0.451
ciscoasa1#  

 

And here is what happens when I try to create a route for DMZ on the firewall:

 

ciscoasa(config)# route DMZ_P2P 172.16.13.0 255.255.255.0 172.16.250.34
%Invalid next hop address, it belongs to one of our interfaces

 

The next hop would be 172.16.250.33, i.e. the SVI on the switch.

But you shouldn't need to add that route because you are redistributing the static in your F5_Front VRF so that should get to the ASA.

I don't have anything to test with at the moment but before you add any routes to the ASA can you try -

1) under your EIGRP address family configuration on the switch for the F5_Front VRF remove the "network 172.16.13.0 0.0.0.255" statement as it is not doing anything

if that makes no difference and I suspect it won't then -

2) can you try adding a metric to the "redistribute static" statement. You shouldn't need a metric for statics but I'm wondering if because it is an address family that makes a difference.

Ideally you want that route to be sent to the ASA then all the routing is in place rather than having to add more routes to other devices.

In addition you may need some more NAT statements covering the 172.16.13.0/24 subnet on your ASA although you may not.

Sorry to be vague but I am still getting up to speed with post 8.3 NAT on ASAs :-)

Let's try and get the routing working first though.

Jon

Actually I just realised you are redistributing that static route for 172.16.13.0/24 in the F5_Front VRF so your ASA should receive that but it isn't.

Not sure why at present.

Can you post a "sh ip eigrp topology all-links" from the ASA (assuming that command works on the firewall).

Jon

Kemal Zuko
Level 1

 

Jon,

 

I agree.

OK, here is what I have so far:

router eigrp 99
 !
 address-family ipv4 vrf DMZ autonomous-system 99
  network 172.16.0.0 0.0.1.255
  network 172.16.250.0 0.0.0.7
  passive-interface default
  no passive-interface Vlan450
  eigrp router-id 172.16.250.1
 exit-address-family
 !
 address-family ipv4 vrf Inside autonomous-system 99
  network 172.16.2.0 0.0.1.255
  network 172.16.250.8 0.0.0.7
  passive-interface default
  no passive-interface Vlan451
  eigrp router-id 172.16.250.9
 exit-address-family
 !
 address-family ipv4 vrf F5_Front autonomous-system 99
  redistribute static metric 56 100 255 1 1500
  network 172.16.12.0 0.0.0.255
  network 172.16.250.32 0.0.0.7
  passive-interface default
  no passive-interface Vlan454
  eigrp router-id 172.16.250.33
 exit-address-family
 network 172.16.0.0
 eigrp router-id 172.16.0.1
!
!
ip http server
ip http secure-server
!
ip route vrf F5_Front 172.16.13.0 255.255.255.0 172.16.12.3
!

And by adding those metrics everything is working, both without the SNATs and with the SNATs.

I did have the following implemented for a while:

--------------------------------

access-list 10 permit 172.16.13.0 0.0.0.255 log
!
route-map STATIC permit 10
 match ip address 10
 set metric 56 100 255 1 1500
 set tag 2
!
 address-family ipv4 vrf F5_Front autonomous-system 1
  redistribute static route-map STATIC

----------------------------------------------------

 

That did not work well, although it was using the same metrics; that is where I took my existing metrics from.

 

However, I would like to thank you for your time and help on this issue.

Kemal
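An added example, not part of Kemal's post or the thread: a small Python lint that walks a pasted IOS "router eigrp" section and flags any "redistribute" inside an "address-family ipv4 vrf" block that has neither an inline metric nor a "default-metric", which is the exact condition the accepted answer identified. The BEFORE and AFTER constants are built from the two versions of the F5_Front address-family posted in this thread; the function names, the scope of the check (VRF address-families only, as the thread establishes) and the finding texts are this example's own.

```python
"""Flag EIGRP VRF address-family redistribution with no metric.

Added example, not from the thread: the accepted answer is that 'redistribute
static' inside an EIGRP 'address-family ipv4 vrf' block needs a metric, or the
static route is never advertised to the neighbour. This walks a pasted IOS
'router eigrp' section and reports every address-family redistribution that
carries neither an inline 'metric' nor a 'default-metric' in that block.
"""
import re

AF_RE = re.compile(r"^\s*address-family ipv4 vrf (\S+)")
REDIST_RE = re.compile(r"^\s*redistribute (\S+)(.*)$")

# The F5_Front address-family as first posted in the thread (no metric) ...
BEFORE = """\
router eigrp 99
 address-family ipv4 vrf F5_Front autonomous-system 99
  redistribute static
  network 172.16.12.0 0.0.0.255
  network 172.16.250.32 0.0.0.7
 exit-address-family
"""
# ... and as it looked once it started working.
AFTER = """\
router eigrp 99
 address-family ipv4 vrf F5_Front autonomous-system 99
  redistribute static metric 56 100 255 1 1500
  network 172.16.12.0 0.0.0.255
  network 172.16.250.32 0.0.0.7
 exit-address-family
"""


def _check_af(vrf, redists, has_default_metric, findings):
    """Append a finding for each redistribute line that has no metric source."""
    for proto, rest in redists:
        words = rest.split()
        if "metric" in words or has_default_metric:
            continue
        if "route-map" in words:
            findings.append((vrf, proto, "metric left to route-map; verify it sets one"))
        else:
            findings.append((vrf, proto, "no metric and no default-metric"))


def lint_eigrp_redistribution(config_text):
    """Return [(vrf, protocol, finding), ...]; an empty list means nothing to flag."""
    findings = []
    vrf = None
    redists = []
    has_default_metric = False
    for line in config_text.splitlines():
        m = AF_RE.match(line)
        if m:                       # entering a VRF address-family block
            vrf, redists, has_default_metric = m.group(1), [], False
            continue
        if vrf is None:             # global EIGRP lines are outside this check's scope
            continue
        stripped = line.strip()
        if stripped == "exit-address-family":
            _check_af(vrf, redists, has_default_metric, findings)
            vrf = None
            continue
        if stripped.startswith("default-metric "):
            has_default_metric = True
            continue
        m = REDIST_RE.match(line)
        if m:
            redists.append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_eigrp_redistribution(cfg) or "clean")
```

The route-map variant Kemal tried is reported separately rather than passed, since the lint cannot tell from the address-family alone whether the route-map actually sets a metric; that has to be confirmed against the route-map itself.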

Kemal,

No problem, glad you got it working.

Jon
