04-05-2014 01:33 AM
Hello, community!
I'm working on what seems to be a simple task and I'm sad to admit it, but I need your help.
I have an ASA5505 (running 9.0.3 software) which provides remote access to all kinds of inside resources of the company where I currently work. As a remote user gets connected, the ASA puts what seems to be a static route into the routing table with a /32 mask. My initial plan was to redistribute these routes into OSPF or EIGRP to send over to the core switch, but something is not right, either with my plan or with my implementation.
Let's say I decided to go with EIGRP (of course); here is what I do:
prefix-list VPN-USERS permit 192.168.100.0/24 ge 32
route-map VPN-REDIST permit 10
match ip address prefix-list VPN-USERS
router eigrp 100
redistribute static route-map VPN-REDIST metric 10000 1000 255 1 1500
Well, guess what? That doesn't work. Although redistribution works for the other real static routes I have configured on the ASA if I remove the route-map from the redistribution, these VPN routes fail to be sent over to the core switch.
Any thoughts?
04-05-2014 01:58 AM
A more efficient way (and saving amount of prefixes) is to advertise a summary route for your local IP pools.
Try with ACL instead of prefix-list too, just in case :-)
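An added example, not from this thread or from Cisco: a small Python reimplementation of the prefix-list match rules the opening post's "permit 192.168.100.0/24 ge 32" relies on, run over the routes visible in the thread's show output (constructed sample), next to the summary-route alternative suggested above. It assumes the route-map permits any route matched by a permit entry and that the pool is 192.168.100.0/24.

```python
import ipaddress

# Constructed sample: the prefix-list from the question and the routes
# seen in the thread's "show route" output. This is not the ASA's own
# code; it reimplements the documented prefix-list rules for reasoning.
VPN_USERS = ["192.168.100.0/24 ge 32"]
STATIC_ROUTES = ["192.168.100.1/32", "192.168.100.254/32",
                 "192.168.6.0/24", "0.0.0.0/0"]


def prefix_list_matches(entry, route):
    """True if route ('192.168.100.1/32') matches one prefix-list entry
    such as '192.168.100.0/24 ge 32'.

    Rules: the route's network address must fall inside the entry's
    network (its first L bits agree), and the route's mask length must
    lie in [ge, le]. With neither keyword the mask must equal L exactly;
    'ge' without 'le' implies 'le 32'."""
    parts = entry.split()
    net = ipaddress.ip_network(parts[0], strict=False)
    ge = le = net.prefixlen
    if "ge" in parts:
        ge = int(parts[parts.index("ge") + 1])
        le = 32
    if "le" in parts:
        le = int(parts[parts.index("le") + 1])
    r = ipaddress.ip_network(route, strict=False)
    if not ge <= r.prefixlen <= le:
        return False
    return r.network_address in net


def redistributed(prefix_list, routes):
    """Routes the route-map would permit into EIGRP."""
    return [r for r in routes
            if any(prefix_list_matches(e, r) for e in prefix_list)]


def summarize(routes, pool):
    """The alternative from the reply: the per-user host routes inside
    the pool are replaced by one advertised prefix, the pool itself."""
    p = ipaddress.ip_network(pool)
    covered = [r for r in routes if ipaddress.ip_network(r).subnet_of(p)]
    return covered, str(p)


if __name__ == "__main__":
    print("permitted by route-map:", redistributed(VPN_USERS, STATIC_ROUTES))
    print("summary instead:", summarize(STATIC_ROUTES, "192.168.100.0/24"))
```

The two /32 VPN routes match the filter as written, so the prefix-list itself is not what blocks them; the summary approach advertises a single /24 in their place.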
04-05-2014 02:03 AM
I sort of solved the problem by creating a static route on the core switch, which is more than OK with me; it's just that I wanted to know what's wrong with redistributing these /32s. :)
04-05-2014 03:06 AM
Well for starters:
https://tools.cisco.com/bugsearch/bug/CSCtg95852/?reffering_site=dumpcr
hence I suggested using ACLs ;]
04-05-2014 06:47 AM
Just tried. Negative.
Checking ACL
asa-vpn# show access-list VPN-CLIENTS
access-list VPN-CLIENTS; 1 elements; name hash: 0x1d86a566
access-list VPN-CLIENTS line 1 standard permit 192.168.100.0 255.255.255.0 (hitcnt=0) 0x5ab80128
Checking route-map
asa-vpn# show route-map VPN_CLIENTS
route-map VPN_CLIENTS, permit, sequence 10
Match clauses:
ip address (access-lists): VPN-CLIENTS
Set clauses:
Checking EIGRP config
asa-vpn# show run router ei
router eigrp 100
eigrp router-id 192.168.6.254
network 192.168.6.254 255.255.255.255
redistribute static metric 100000 1000 255 1 1500 route-map VPN_CLIENTS
Checking EIGRP neighbors
asa-vpn# show eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address          Interface   Hold   Uptime    SRTT   RTO   Q     Seq
                                 (sec)            (ms)         Cnt   Num
0   192.168.6.1      Vl16        12     00:07:57  1      200   0     1
Checking vpn routes
asa-vpn# show route outside 192.168.100.0
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 78.72.13.1 to network 0.0.0.0
S 192.168.100.1 255.255.255.255 [1/0] via 78.72.13.1, outside
Checking EIGRP topology
asa-vpn# show eigrp topo
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.6.254)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.6.0 255.255.255.0, 1 successors, FD is 28160
via Connected, Vlan16
As soon as I do:
asa-vpn(config)# route outside 192.168.100.254 255.255.255.255 78.72.13.1
in the topology we get:
asa-vpn(config)# show ei topo
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.6.254)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.6.0 255.255.255.0, 1 successors, FD is 28160
via Connected, Vlan16
P 192.168.100.254 255.255.255.255, 1 successors, FD is 281600
via Rstatic (281600/0)
Sure enough, this route is being propagated properly:
swCore(config-router)#do show ip route ei
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
D EX 192.168.100.254/32 [170/281856] via 192.168.6.254, 00:01:31, Vlan16
swCore(config-router)#
Regarding the 8.2 bug, well... I would hope this is fixed by now :)
04-05-2014 07:10 AM
It's a doc bug :-)
04-08-2022 05:46 AM
I used this method and it worked just fine.
I had turned on Reverse Route Injection for that specific VPN tunnel in order for the route to show up on the firewall, applied the router filter for one of the hosts in the crypto map, and I could now see the route on my core switch via EIGRP.