Advertising VPN routes via EIGRP

networker99
Level 1

We have a VPN endpoint (ASA) running v 8.2(2) which has multiple VPN connections to external vendor networks. On our network core we have static routes pointing traffic to these remote subnets via the VPN appliance. Is there any way to place the remote network addresses into EIGRP on the ASA so that the static routes on the core are no longer required?

7 Replies

JORGE RODRIGUEZ
Level 10

Yes, it is possible to announce the VPN hosts or remote VPN networks. You will need the ASA to EIGRP peer with your downstream Core router; then you can announce those VPN networks in the ASA EIGRP process.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a008086ebd2.shtml

Regards

Jorge Rodriguez

Okay, so the ASA does not need to have an interface in the network that it is advertising in EIGRP? I can just specify the networks within the EIGRP instance? Also, how do I stop remote peers from sending me EIGRP information?

Hi,

Yes, as far as I know you have to have an ASA interface adjacent to a device that is doing EIGRP. Now I am a little confused; if you have a basic net diagram that will help. If I understand your original post, you have several tunnels terminating on your ASA firewall (outside) interface. My understanding of your request is that for those far-end VPN subnets coming into your firewall, you have to statically enter them in your CORE switch so that your internal network knows which gateway to use (the ASA) to get to the far-end subnets through the IPsec tunnel. Is this correct? If so, in that case, if you want to prevent static routing on your CORE, you have to make the ASA firewall participate in routing from your inside, so that you can use static routes in your firewall and redistribute them by EIGRP and dynamically propagate those VPN subnets you have coming into your firewall. Please correct me if I have misunderstood your requirements.

Regards


Jorge Rodriguez

The remote network is 1.1.1.1/24, the local network is 2.2.2.2/24. The local VPN device is 2.2.2.3/24 (inside interface). Currently the core switch (2.2.2.4) has a static route that says 1.1.1.1 is reachable via 2.2.2.2.

I want to be able to have the ASA announce that it is the gateway for 1.1.1.1 using EIGRP so that the static route can be removed from the core switch.

As previously indicated, your ASA inside interface has to EIGRP peer with your CORE switch. Did you read the link provided?

router eigrp <AS-number>
 eigrp router-id <router-id>
 network 2.2.2.0 255.255.255.0
 redistribute static

For the far-end LAN create a static route pointing to the ASA default gateway.

route outside 1.1.1.0 255.255.255.0 <outside-default-gateway> 1

1.1.1.0/24 should be propagated downstream to your CORE router; remove the 1.1.1.0/24 static route from the CORE router.

Additionally, if you implement EIGRP, provide an additional layer of security by using EIGRP Authentication. Information is ALL in the link previously posted.

Regards

Jorge Rodriguez

Yes, all the work for EIGRP is done; it is the route advertisement that I am asking about.

Your configuration does not appear to be valid, as if I create routes for the remote networks that are to go via the outside interface with the next hop being the other gateway IP address, they will not be sent through the tunnel. In fact the packets will be dropped as they have non-routable addresses and are subject to the NAT 0 statement.

Hello,

On which interface are you terminating your VPN connections? If it is on the outside interface (ISP handoff), then the solution provided by jorgemcse will work. The static route is no different from the default route you have already configured on the ASA. When the packet hits the firewall, it will first look at the new static route and make a routing decision based on that (previously it would have looked at your default route). When the packet exits the firewall, it will go through the nonat rule and then the crypto process will kick in and encrypt the packet. So, from your VPN perspective, nothing will change.

On the EIGRP end, when you configure the static route and redistribute, all the downstream devices will get the routes from the ASA. At the same time, even on the ASA, you will learn about all internal networks via EIGRP. If you have a failover setup, I would suggest using a static route (for the entire set of inside subnets) in addition to the EIGRP (failover will not sync the dynamic routing protocol's routing table).

Hope this helps.

Regards,

NT
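Putting Jorge's redistribute-static approach and NT's failover remark together, and covering networker99's question about not taking EIGRP from remote peers, here is a fuller ASA configuration as an added example; it is not from any post in this thread or from Cisco's documentation. The AS number 100, the interface name GigabitEthernet0/1, the ACL and route-map names, and the angle-bracket placeholders are assumptions; 1.1.1.0/24, 2.2.2.0/24, 2.2.2.3 and 2.2.2.4 are the addresses used in the thread.

```text
! Constructed example. Inside interface facing the core switch (2.2.2.4);
! AS 100 and the interface name are assumed, 2.2.2.3 is from the thread.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 2.2.2.3 255.255.255.0
 ! MD5 authentication: only a peer holding the key can form an adjacency
 authentication mode eigrp 100 md5
 authentication key eigrp 100 <shared-key> key-id 1
!
! Only the far-end VPN subnets listed in this standard ACL are redistributed,
! so an unrelated static route on the ASA is not leaked to the core by accident
access-list VPN-REMOTE-NETS standard permit 1.1.1.0 255.255.255.0
route-map VPN-STATICS permit 10
 match ip address VPN-REMOTE-NETS
!
router eigrp 100
 no auto-summary
 ! Form the adjacency on the inside segment shared with the core switch
 network 2.2.2.0 255.255.255.0
 ! No hellos on outside, so no adjacency (and no routes) from anything beyond
 ! the VPN-facing interface
 passive-interface outside
 ! Advertise the VPN subnets selected by the route-map
 redistribute static route-map VPN-STATICS
!
! Static route for the far-end VPN subnet. The next hop is the ISP gateway;
! the crypto map on outside encrypts the traffic once it is routed there.
route outside 1.1.1.0 255.255.255.0 <outside-default-gateway> 1
!
! NT's point: failover does not replicate EIGRP-learned routes, so keep a
! higher-metric (floating) static for the inside summary as a fallback.
! The inside summary prefix is a placeholder; the thread does not give it.
route inside <inside-summary> <inside-summary-mask> 2.2.2.4 200
```

With this in place, `show eigrp neighbors` on the ASA should list only the core switch, and `show route` on the core should show 1.1.1.0/24 as an EIGRP external (D EX) route via 2.2.2.3.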
