04-05-2014 01:33 AM
Hello, community!
I'm working on what seems to be a simple task, and I'm sad to admit it, but I need your help.
I have an ASA5505 (running 9.0.3 software) which provides remote access to all kinds of inside resources of the company where I currently work. As a remote user gets connected, the ASA puts what seems to be a static route into the routing table with a /32 mask. My initial plan was to redistribute these routes into OSPF or EIGRP to send over to the core switch, but something is not right either with my plan or my implementation.
Let's say I decided to go with EIGRP (of course), here is what I do:
prefix-list VPN-USERS permit 192.168.100.0/24 ge 32
route-map VPN-REDIST per 10
 match ip add prefix-list VPN-USERS
router eigrp 100
 redistribute static route-map VPN-REDIST metric 10000 1000 255 1 1500
Well, guess what? That doesn't work. Although redistribution works for other real static routes that I have configured on the ASA if I remove the route-map from redistribution, these VPN routes fail to be sent over to the core switch.
Any thoughts?
04-05-2014 01:58 AM
A more efficient way (which also saves on the number of prefixes) is to advertise a summary route for your local IP pools.
Try with ACL instead of prefix-list too, just in case :-)
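Added example, not part of the original thread: a small Python model of how a prefix-list entry with ge/le is evaluated, applied to the VPN-USERS filter from the first post. It shows that the filter selects only /32 host routes inside 192.168.100.0/24, so a /24 summary of the pool, as suggested in the reply above, would need its own entry. The candidate routes are constructed, and the matching rules are the standard Cisco prefix-list semantics, assumed here to apply unchanged on the ASA.

```python
import ipaddress


def parse_entry(line):
    """Parse 'prefix-list NAME [seq N] permit|deny A.B.C.D/len [ge N] [le N]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "prefix-list":
        raise ValueError(f"not a prefix-list line: {line!r}")
    rest = tok[2:]
    if rest[0] == "seq":                      # optional sequence number
        rest = rest[2:]
    if len(rest) < 2 or rest[0] not in ("permit", "deny") or len(rest) % 2:
        raise ValueError(f"malformed entry: {line!r}")
    net = ipaddress.ip_network(rest[1])       # rejects prefixes with host bits set
    opts = {k: int(v) for k, v in zip(rest[2::2], rest[3::2])}
    if set(opts) - {"ge", "le"}:
        raise ValueError(f"unknown option in: {line!r}")
    # No ge/le: exact length only. ge alone: ge..32. le alone: len..le.
    lo = opts.get("ge", net.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    if not net.prefixlen <= lo <= hi <= 32:
        raise ValueError(f"invalid ge/le range in: {line!r}")
    return rest[0], net, lo, hi


def evaluate(entries, route):
    """Return 'permit' or 'deny' for a route: first match wins, implicit deny."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"


# The filter exactly as posted in the first message of the thread.
VPN_USERS = [parse_entry("prefix-list VPN-USERS permit 192.168.100.0/24 ge 32")]

# Constructed candidate routes: a VPN host route, two summaries of the pool,
# and a host route outside the pool.
CANDIDATES = ["192.168.100.1/32", "192.168.100.0/24",
              "192.168.100.128/25", "192.168.6.254/32"]


def report(entries=VPN_USERS, routes=CANDIDATES):
    """Map each candidate route to the prefix-list verdict."""
    return {r: evaluate(entries, r) for r in routes}


if __name__ == "__main__":
    for route, verdict in report().items():
        print(f"{route:20} {verdict}")
```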
04-05-2014 02:03 AM
I sort of solved the problem by creating a static route on the core switch, which is more than OK with me; it's just that I wanted to know what's wrong with redistributing these /32s. :)
04-05-2014 03:06 AM
Well for starters:
https://tools.cisco.com/bugsearch/bug/CSCtg95852/?reffering_site=dumpcr
hence I suggested using ACLs ;]
04-05-2014 06:47 AM
Just tried. Negative.
Checking ACL
asa-vpn# show access-list VPN-CLIENTS
access-list VPN-CLIENTS; 1 elements; name hash: 0x1d86a566
access-list VPN-CLIENTS line 1 standard permit 192.168.100.0 255.255.255.0 (hitcnt=0) 0x5ab80128
Checking route-map
asa-vpn# show route-map VPN_CLIENTS
route-map VPN_CLIENTS, permit, sequence 10
Match clauses:
ip address (access-lists): VPN-CLIENTS
Set clauses:
Checking EIGRP config
asa-vpn# show run router ei
router eigrp 100
eigrp router-id 192.168.6.254
network 192.168.6.254 255.255.255.255
redistribute static metric 100000 1000 255 1 1500 route-map VPN_CLIENTS
Checking EIGRP neighbors
asa-vpn# show eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address         Interface   Hold   Uptime    SRTT   RTO   Q     Seq
                                (sec)            (ms)         Cnt   Num
0   192.168.6.1     Vl16        12     00:07:57  1      200   0     1
Checking vpn routes
asa-vpn# show route outside 192.168.100.0
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 78.72.13.1 to network 0.0.0.0
S 192.168.100.1 255.255.255.255 [1/0] via 78.72.13.1, outside
Checking EIGRP topology
asa-vpn# show eigrp topo
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.6.254)
Codes: P - Passive, A - Active, U - Update, Q