Showing results for 
Search instead for 
Did you mean: 

Advertizing VPN routes via EIGRP


We have a VPN endpoint (ASA) running v 8.2(2) which has multiple VPN connections to external vendor networks.  On our network core we have static routes pointing traffic to these remote subnets via the VPN appliance.  Is there anyway to place the remote network addresses into EIGRP on the ASA so that the static routes on the core are no longer required?

7 Replies 7


Yes it is  possible to announce the VPN hosts or remote VPN networks , you will need ASA to EIGRP peer with  your downstream Core router,  then you can anounce those vpn networks in asa eigrp process.


Jorge Rodriguez

okay, so the ASA does not need to have an interface in the network that it is advertizing in EIGRP?   I can just specify the networks within the EIGRP instance?  Also how do I stop remote peers from sending me EIGRP information?


Yes, as far as I know you have to have an  asa  interface adjacent to a device that is doing eigrp ,  now I am a little confused,  If you have basic  net diagram that will help,  if I understand your original  post you have several tunnels terminating on your ASA firewall (outside) interface, my understanding of your reques is that those far end VPN subnets comming into your firewall  you have to statically enter them  in your CORE  switch so that your internal network knows which gateway to use ( the ASA)  to get to the far end subnets through the ipsec tunnel is this correct?  if so in that case if you want to prevent static routing  on your CORE   you have make  the ASA firewal participate in routing from your inside so that you can either use static route in your firewall and redistribute by eigrp and  dynamicall propagate those VPN subnest you have comming into your firewall ..  please correct me if I have missunderstood your quirements.



Jorge Rodriguez

The remote network is the local network is  The local VPN device is (inside interface).  Currently the core switch ( has a static route that says is reachable via

I want to be able to have the ASA to announce it is the gateway for using EIGRP so that the static route can be removed from the core switch

As previously indicated your ASA inside interface have to eigrp peer with your CORE switch, did you read the link provided?
router eigrp
eigrp router-id
redistribute static

for far end  LAN create static route pointing to asa default gateway.

route outside 1 should be propagated down stream to your CORE router, remove the static route from CORE router.

Additionaly if you will implement eigrp  provide additional layer or security by using  EIGRP Authentication  ,  information is ALL in the link previously posted .


Jorge Rodriguez

yes, all the work for EIGRP is done, it is the route advertizement that I am asking about.

Your configuration does not appear to be valid, as if I create routes for the remote networks that are to go via the outside interface with the next hop being the other gateway IP address they will not be sent through the tunnel.. Infact the packets will be dropped as they have not routable addresses and are subject to the NAT 0 statement.


On which interface you are terminating your VPN connections? If it is on the

outside interface (ISP handoff), then the solution provided by jorgemcse

will work. The static route is no different from the default route you have

already configured on the ASA. When the packet hits the firewall, it will

first look at the new static route and make a routing decision based on that

(previously it would have looked at your default route). When the packet

exits the firewall, it will go through the nonat rule and then the crypto

process will kick in and encrypt the packet. So, from your VPN perspective,

nothing will change.

On the EIGRP end, when you configure the static route and redistribute, all

the downstream devices will get the routes from the ASA. At the same time,

even on the ASA, you will learn about all internal networks via EIGRP. If

you have failover setup, I would suggest you using a static route (for the

entire set of inside subnets) in addition to the EIGRP (Failover will not

sync the dynamic routing protocol's routing table).

Hope this helps.



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers