ASA5525-- Please explain correct Anyconnect integration with EIGRP?

MicJameson1
VIP Alumni

Hello.

GIVEN:

In the enterprise, at three different locations, there exist three ASA5525s that run three DIFFERENT Anyconnect instances. Each of these devices is directly connected to a layer-3 switch that is the source of ALL branch-local EIGRP redistributed static routes. RELEVANT: each of these layer-3 devices has an EIGRP redistributed static route for its neighboring ASA's Anyconnect subnet.

On at least one distant routing device, when a worker connects through Anyconnect to the LAN, I notice new /32 (AD = 90) EIGRP routes to his circuit propagated through the enterprise routing devices. These disappear when he logs off.

I also notice EIGRP static redistributed routes (AD=170) from the other Anyconnect subnets. (There may be more than one misconfiguration in this routing architecture.)

---

-I suspect this routing architecture is incorrect. I suspect the correct architecture is to remove these static routes, and instead create directly on each ASA some kind of vanilla EIGRP summary route (AD=90) to its anyconnect subnet.

May you please advise on best/correct way to configure routing for an anyconnect subnet? May you please provide a sample config?

Thank you.

 

2 Accepted Solutions

@MicJameson1 example, where the ip pool is 192.168.15.0/24

! Summary static for the Anyconnect pool; Null0 so traffic to an unused pool address is dropped here
route Null0 192.168.15.0 255.255.255.0 1
!
! Exact /24 only (no le/ge), so the per-user /32 VPN routes never match
prefix-list RAVPN-SUMMARY seq 5 permit 192.168.15.0/24
!
route-map VPN-ROUTES permit 10
 match ip address prefix-list RAVPN-SUMMARY
!
! redistribute references the route-map name, not the prefix-list name
router eigrp 1
 redistribute static route-map VPN-ROUTES

A route via Null0 or outside is defined for the IP pool summary network; this matches a prefix list, which in turn is matched in a route map. Static routes that match the route-map are redistributed into EIGRP.

With a VPN user connected there will be a /32 route for each user.

> show route | include 192.168.15.
S 192.168.15.0 255.255.255.0 [1/0] is directly connected, Null0
V 192.168.15.1 255.255.255.255 connected by VPN (advertised), WAN

There will be the single summary /24 route on the adjacent switch, no /32s.

3560-8#show ip route eigrp | begin Gateway
Gateway of last resort is 192.168.250.1 to network 0.0.0.0

D EX 192.168.15.0/24 [170/28416] via 192.168.101.254, 00:05:32, Vlan101
3560-8#

There will always be a /24 in the switch routing table even if no users are connected to the VPN.

 


@MicJameson1 

1. yes that would work

2. if you remove the static route from the nexus and redistribute the summary route from the ASA the nexus will receive the summary route from the ASA and route anyconnect traffic to the ASA.

If you define a null route on the nexus, traffic for that network is never going to be sent to the ASA. If you define a null route on the ASA and use it for redistribution, the nexus will receive it and traffic will be routed to the ASA, as more specific /32 exist traffic will be routed to the correct anyconnect user. On the ASA it makes no difference whether it's a null route, but it makes a huge difference if using a null route on the nexus.

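The two accepted solutions above explain why the route-map matters (only the /24 leaves the ASA, never the per-user /32s) and why the summary static belongs on the ASA rather than as a Null0 route on the switch. The Python below is an added example, not code from the thread or from Cisco: it models a toy longest-prefix-match RIB on the ASA and on the adjacent switch, the prefix-list/route-map filter on `redistribute static`, and the forwarding path for a pool address with and without a connected user. The pool 192.168.15.0/24 and the ASA address 192.168.101.254 are taken from the example output above; everything else (the `Route` class, the function names, treating the VPN /32s as static for redistribution, and the tie-break by administrative distance) is assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str          # "S" static, "V" VPN-installed, "D EX" EIGRP external
    next_hop: str        # interface name or next-hop address
    admin_distance: int


# Sample values from the thread's example output; not a live network.
POOL = ipaddress.ip_network("192.168.15.0/24")
ASA_INSIDE = "192.168.101.254"


def asa_rib(active_users: Iterable[str], summary_via: str = "Null0") -> list[Route]:
    """ASA routing table: the configured summary static plus the /32 the ASA
    installs automatically for every connected Anyconnect user (assumption:
    modelled here as a 'V' route with AD 1, as in the `show route` output above)."""
    rib = [Route(POOL, "S", summary_via, 1)]
    for user_ip in active_users:
        rib.append(Route(ipaddress.ip_network(f"{user_ip}/32"), "V", "outside", 1))
    return rib


def redistribute_static(rib: list[Route],
                        permit: Optional[set[ipaddress.IPv4Network]] = None) -> list[Route]:
    """Routes handed to EIGRP by `redistribute static`. The VPN /32s count as
    static for redistribution (assumption taken from the thread), so with no
    route-map they all leak. A route-map matching an exact-prefix prefix-list
    (no le/ge) lets only the /24 through."""
    return [r for r in rib
            if r.source in ("S", "V") and (permit is None or r.prefix in permit)]


def switch_rib(redistributed: list[Route], local_null: bool = False) -> list[Route]:
    """What the adjacent switch ends up with: each redistributed route as
    D EX (AD 170) via the ASA, optionally plus the switch's own Null0 static."""
    rib = [Route(r.prefix, "D EX", ASA_INSIDE, 170) for r in redistributed]
    if local_null:
        rib.append(Route(POOL, "S", "Null0", 1))
    return rib


def lookup(rib: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lower administrative distance."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def forward(active_users: Iterable[str], dst: str, *, filtered: bool = True,
            summary_via: str = "Null0", switch_null: bool = False) -> str:
    """Trace a LAN packet for `dst`: switch lookup first, then the ASA lookup."""
    asa = asa_rib(active_users, summary_via)
    permit = {POOL} if filtered else None
    switch = switch_rib(redistribute_static(asa, permit), switch_null)
    hop1 = lookup(switch, dst)
    if hop1 is None:
        return "no route on switch"
    if hop1.next_hop != ASA_INSIDE:
        return f"dropped on switch via {hop1.next_hop}"
    hop2 = lookup(asa, dst)
    assert hop2 is not None  # the ASA always holds at least the /24 summary
    if hop2.source == "V":
        return f"switch -> {ASA_INSIDE} -> VPN user {hop2.prefix.network_address}"
    return f"switch -> {ASA_INSIDE} -> {hop2.next_hop}"


def leaked_prefixes(active_users: Iterable[str], filtered: bool) -> list[str]:
    """Prefixes the switch learns from the ASA, with or without the route-map."""
    asa = asa_rib(active_users)
    permit = {POOL} if filtered else None
    return [str(r.prefix) for r in redistribute_static(asa, permit)]


if __name__ == "__main__":
    users = ["192.168.15.1", "192.168.15.2"]
    print("unfiltered:", leaked_prefixes(users, filtered=False))
    print("filtered:  ", leaked_prefixes(users, filtered=True))
    print(forward(users, "192.168.15.1"))
    print(forward(users, "192.168.15.9"))
    print(forward(users, "192.168.15.9", summary_via="outside"))
    print(forward(users, "192.168.15.1", switch_null=True))
```

Running it shows the three points made above: the filtered case advertises only the /24 no matter how many users are connected (and still advertises it with none), traffic to an unused pool address ends on the ASA's Null0 instead of leaving via outside, and a Null0 static for the pool on the switch itself beats the AD 170 external route and blackholes even connected users.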

26 Replies

Anyconnect-ASA-Network
If we redistribute static, then every time an Anyconnect session becomes active or inactive, EIGRP sends an update to the whole network.
Instead you can advertise an aggregate route from the ASA to the network; this aggregate will disappear when no Anyconnect session is active at all.


Thank you Rob.

QUESTIONS:

1. I am confused as to why in your example you are using int "Null0". Is the int name "Null0" arbitrary?

2. May you confirm my understanding that-- the reason I would be using not "Null0", but my ASA-named interface "Outside" is because this 192.168.15 network actually lives on this outside interface (per the Anyconnect configuration)?

3. So then, if I remove from the adjacent layer-3 switch the (EIGRP redistributed) static route to the Anyconnect subnet, then I enter the same config as below (while replacing the details), my Anyconnect routing config will be optimal?

route Outside 192.168.15.0 255.255.255.0 1
!
prefix-list RAVPN-SUMMARY seq 5 permit 192.168.15.0/24
!
route-map VPN-ROUTES permit 10
 match ip address prefix-list RAVPN-SUMMARY
!
router eigrp 1
 redistribute static route-map VPN-ROUTES

Thank you.

@MicJameson1 Using Null0, if the destination host 192.168.15.x is not connected, the connection will not be routed out the outside interface. If you used outside instead and there is no connected host on 192.168.15.x, the packet would be routed out the outside interface, which is less desirable.

If you remove the adjacent switch configuration and add the example above the EIGRP route will be redistributed from the ASA and learnt by the connected/adjacent switch.

(I've changed the order of these questions to be from simple to complex.)

1. This 192.168.15 network actually lives on the Outside interface (per the Anyconnect configuration), where additionally the public IP address lives, correct?

2. "If you remove the adjacent switch configuration and add the example above the EIGRP route will be redistributed from the ASA and learnt by the connected/adjacent switch." -- Is there any practical significance (besides syntax) in implementing this config on the ASA as opposed to the adjacent layer-3 switch?

3. "using null0 if the destination host 192.168.15.x is not connected then the connection will not be routed out the outside interface. If you used outside instead, if no connected host on 192.168.15.x then the packet would be routed out the outside interface, less desirable."

-- OK, but I'm missing something obvious-- With only below configuration, it seems to me ALL traffic would be forced to the Null0 interface, so no egress communication would exist (it would be dropped)-- it would all get directed to the Null0 interface, which is attached to logically nothing (Null). It seems to me that somewhere in the config there needs to be a route pointing to the ASA interface "Outside". May you please explain?

route Null0 192.168.15.0 255.255.255.0 1
!
prefix-list RAVPN-SUMMARY seq 5 permit 192.168.15.0/24
!
route-map VPN-ROUTES permit 10
 match ip address prefix-list RAVPN-SUMMARY
!
router eigrp 1
 redistribute static route-map VPN-ROUTES

 

@MicJameson1 

1. Technically yes, the Anyconnect IP pool ingresses from the outside interface.

2. Either works. In my opinion it's tidier advertising the Anyconnect pool from the ASA.

3. No, not necessarily; a static route via either Null0 or outside will work to advertise the route. If an Anyconnect user is connected there will be a more specific /32 and traffic will be routed to the Anyconnect user, rather than dropped by the null route. If traffic is routed to an Anyconnect pool IP address (for whatever reason) that is not in use (no connected user, therefore no /32), with a Null0 route the traffic is dropped. In the same scenario, if you have a static via outside, traffic is actually routed to the outside interface and will go nowhere (dropped upstream).

"If an anyconnect user is connected there will be a more specific /32 and traffic will be routed to the Anyconnect user, rather than dropped by the null route."

-- With your previously listed config, when Anyconnect users log in and out, will EIGRP /32 (AD 90) routes be seen in LAN remote downstream routers as was described in my original post?

@MicJameson1 no, because you are redistributing static routes via the route-map which matches the prefix-list, only the /24 summary route is matched in the prefix-list, so only the /24 is redistributed not all the /32s.

OK so your config logic works like this?--

A single Anyconnect /24 null summary route is redistributed via EIGRP (AD 170) throughout the enterprise LAN. When LAN traffic matches this /24 mask, it is directed to the ASA. Once this traffic enters the ASA, the ASA actually has a specific /32 route in its routing table for this currently active remote user connection, so the traffic is routed to that exact user, correct?

@MicJameson1 yes exactly, a /24 route will always exist in the LAN routing table and if an active user a /32 exists on the ASA then traffic is routed to the user.

Hello. Regarding an Anyconnect subnet, the suggested config seems to already exist, and is not working.

Configured on the adjacent switch there exists a redistributed static route for the Anyconnect subnet 172.16.199.0/24 (with AD 170).

Below is data from the ASA5525...

ASA5524# sh run
!!(obfuscated, output omitted)!!
router eigrp 1
distribute-list eigrpABC in interface Inside

!! Anyconnect subnet 172.16.199.x is not seen below. !!
network 172.16.24.0 255.255.255.0
network 172.16.233.0 255.255.255.0
network 66.243.123.0 255.255.255.0
redistribute static metric 500000 1 255 1 1500

ASA5524# sh route
!!(obfuscated, output omitted)!!
D EX 172.16.199.0/24 [170/3499264] via 172.16.37.6, 09:07:13, Vlan7 !! This redistributed route is configured in the adjacent routing device. !!
D 172.16.199.2/32 [90/1818368] via 172.16.37.6, 08:55:05, Vlan7 !! Clearly these are EIGRP distributed routes. !!
D 172.16.199.3/32 [90/1818368] via 172.16.37.6, 09:07:13, Vlan7
D 172.16.199.4/32 [90/1818368] via 172.16.37.6, 09:07:13, Vlan7

QUESTIONS:

1. What (Anyconnect ?) configuration is injecting EIGRP /32 routes?
2. How do I stop these EIGRP /32 routes from propagating through the network, so that just the summary route exists in enterprise routing tables?

Thank you.
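A check for the symptom shown in the post above, as an added example that is not from the thread: a small parser for `show route` / `show ip route` lines in both the IOS-style `prefix/len [AD/metric]` form and the ASA-style `prefix mask [AD/metric]` form, and an audit that reports whether the pool's summary is present as an EIGRP route and which more-specific EIGRP routes inside the pool have leaked (the per-user /32s that should only exist on the ASA). The sample text is constructed from the lines quoted in the post and from the earlier ASA output; the function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the routing-table excerpts quoted in the
# thread (IOS-style lines from the post above, ASA-style lines from the earlier
# example). It is not a live capture.
SAMPLE = """\
Gateway of last resort is 192.168.250.1 to network 0.0.0.0
D EX 172.16.199.0/24 [170/3499264] via 172.16.37.6, 09:07:13, Vlan7
D 172.16.199.2/32 [90/1818368] via 172.16.37.6, 08:55:05, Vlan7
D 172.16.199.3/32 [90/1818368] via 172.16.37.6, 09:07:13, Vlan7
D 172.16.199.4/32 [90/1818368] via 172.16.37.6, 09:07:13, Vlan7
S 192.168.15.0 255.255.255.0 [1/0] is directly connected, Null0
V 192.168.15.1 255.255.255.255 connected by VPN (advertised), WAN
"""

# Route code (S, D, D EX, V, ...), then either addr/len or addr mask, then an
# optional [AD/metric]. Anything after that (next hop, age, interface) is ignored.
_LINE = re.compile(
    r"^(?P<code>[A-Z]{1,2}(?: EX)?)\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:/(?P<plen>\d{1,2})|\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
)


@dataclass(frozen=True)
class RibEntry:
    code: str
    prefix: ipaddress.IPv4Network
    admin_distance: Optional[int]


def parse_routes(text: str) -> list[RibEntry]:
    """Turn routing-table text into RibEntry objects; non-route lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        length = m.group("plen") if m.group("plen") is not None else m.group("mask")
        net = ipaddress.ip_network(f"{m.group('addr')}/{length}", strict=False)
        ad = int(m.group("ad")) if m.group("ad") else None
        entries.append(RibEntry(m.group("code"), net, ad))
    return entries


def audit_pool(entries: list[RibEntry], pool: ipaddress.IPv4Network):
    """Return (summary_present, leaked): whether an EIGRP route for exactly `pool`
    exists, and which more-specific EIGRP routes inside the pool are present."""
    eigrp = [e for e in entries if e.code.startswith("D")]
    summary = any(e.prefix == pool for e in eigrp)
    leaked = [str(e.prefix) for e in sorted(
        (e for e in eigrp if e.prefix != pool and e.prefix.subnet_of(pool)),
        key=lambda e: e.prefix)]
    return summary, leaked


def audit_text(text: str, pool: str):
    """Convenience wrapper: pool given as a string such as '172.16.199.0/24'."""
    return audit_pool(parse_routes(text), ipaddress.ip_network(pool))


if __name__ == "__main__":
    for pool in ("172.16.199.0/24", "192.168.15.0/24"):
        summary, leaked = audit_text(SAMPLE, pool)
        print(pool, "summary via EIGRP:", summary, "leaked /32s:", leaked)
```

On the sample this reports the pool from the post as having its summary plus three leaked /32s, which is exactly the state the question describes; after the route-map fix the same audit on fresh output should return the summary with an empty leaked list.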

@MicJameson1

redistribute static metric 500000 1 255 1 1500 << this is redistributing the VPN routes.

Configure with a summary route and route-map, and reconfigure EIGRP as per the example previously provided.

OK, then this implies that the VPN routes occur as static routes.

What config command creates these Anyconnect routes?

Can you provide a technical link as to why/how this happens within the Anyconnect technology?

Thank you.

@MicJameson1 It's not Anyconnect that creates these routes; the /32 VPN static routes are automatically created by default on the ASA when there is an active Anyconnect user connected to the VPN. When the Anyconnect user logs off, the route is removed automatically.