Redistributing IPSec VPN routes via EIGRP - Cisco ASA

ALIAOF_
Level 6

I have been able to get EIGRP working successfully in the lab like I want.

Attached is the network overview:

  • We have a Data Center and a Corporate office connected via a point-to-point fiber link; eventually we will have two of these
  • Two 4948E switches in the Data Center acting as cores, set up with GLBP
  • The Corporate Office has a 3750X acting as a core
  • Currently the two 4948Es are connected to each other via a Port Channel and an L2 trunk
  • Two sets of ASA 5520s, one acting as a firewall and for Cisco AnyConnect, and the second for site-to-site VPN

So with the new design I want to find out:

  • What would be the best way to advertise/redistribute the Cisco AnyConnect networks on the main firewall and the site-to-site VPN networks on the second VPN firewall? Right now there are many static routes set up on the core pointing to that second firewall. For instance, we have a VPN site with a network of 192.168.10.0/24 and the second firewall IP is 10.1.1.5. I have a route on the core as "ip route 192.168.10.0 255.255.255.0 10.1.1.5". If I am not mistaken, I believe this can be accomplished by checking the "reverse route injection" option on the ASA when creating a VPN?
  • I know reverse route injection will create a route on the firewall like this: "S 172.16.0.40 255.255.255.255 [1/0] via 1.1.1.1, outside". So how do I go about redistributing this via the EIGRP that I set up on the cores? (NOTE: I do not want to enable EIGRP on the ASAs)

Any suggestions, thoughts, notions, or positive criticism would be very much appreciated. I want to make sure that this is the right track and best practice.

3 Replies

Chetankumar Phulpagare
Cisco Employee

Hi Mohammad,

RRI is to be used in conjunction with a routing protocol, EIGRP in your case. The advantage of enabling RRI is that the route to the destination is advertised over the routing protocol only when the tunnel is up. But since you do not want to enable EIGRP on the ASA, having only RRI won't be helpful.

If you are open to enabling EIGRP, you can find a configuration example here (the example shows OSPF, but it explains the scenario):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

Regards,

Chetan
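The RRI-plus-routing-protocol pairing Chetan describes, written out for EIGRP rather than the OSPF of the linked example. This is an added illustration, not configuration from the thread or from the linked Cisco document. The crypto map name, transform set, ACL names, peer address 203.0.113.10, EIGRP AS 100 and the ASA inside address 10.1.1.5/24 are assumptions; only the remote site prefix 192.168.10.0/24 and the 10.1.1.5 next-hop come from the question. The crypto syntax is the pre-8.4 form (8.4 and later insert the keyword ikev1 into the transform-set and isakmp commands).

```cisco
! Site-to-site VPN ASA (assumed: inside 10.1.1.5/24, EIGRP AS 100, peer 203.0.113.10)
! Only the remote site prefix 192.168.10.0/24 is taken from the question.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.5 255.255.255.0
!
! Interesting traffic for the site: local 10.0.0.0/8 to the remote 192.168.10.0/24
access-list VPN-SITE-A extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-SITE-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
! RRI: install "S 192.168.10.0 255.255.255.0 via <outside next-hop>, outside"
! for as long as the SA with the peer exists; the route is removed when it drops
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
!
! Only the RRI-injected prefixes may enter EIGRP; the ASA default route never does
access-list RRI-PREFIXES standard permit 192.168.10.0 255.255.255.0
route-map RRI-TO-EIGRP permit 10
 match ip address RRI-PREFIXES
!
router eigrp 100
 no auto-summary
 network 10.1.1.0 255.255.255.0
 ! form adjacencies on the inside only; never speak EIGRP toward the Internet
 passive-interface outside
 redistribute static route-map RRI-TO-EIGRP
```

With the tunnel down the RRI route disappears and the EIGRP advertisement is withdrawn, which is the property Chetan mentions; with it up, the cores learn 192.168.10.0/24 as an external EIGRP route (AD 170) via 10.1.1.5 and the per-site "ip route" statements on the core can go. The AnyConnect ASA would use "crypto dynamic-map <name> <seq> set reverse-route" instead, which injects one /32 per connected client, so expect one EIGRP external per logged-in user if that is redistributed the same way.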

Thank you however I do not want to enable EIGRP on the ASA.

If you don't have many RFC 1918 networks on your primary Internet firewall (DMZs and such), you could route all private scopes to your VPN firewall with very few route statements, and your EIGRP routes in your data center and internal networks would probably be much more specific, so they would still work.
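The summary-route approach from the reply above, written out for the EIGRP cores without touching either ASA, and relying on longest-prefix match to let the more specific EIGRP-learned internal routes win. This is an added example, not configuration from the thread. The EIGRP AS 100, the primary firewall address 10.1.1.1, the AnyConnect pool 172.16.0.0/24, the internal range 10.20.0.0/16 and the VLAN name are assumptions; 10.1.1.5, 192.168.10.0/24 and the 172.16.0.40 host route come from the question.

```cisco
! Corporate core (3750X). AS number, VLAN and the 10.20.0.0/16 internal range are assumed.
ip routing
!
router eigrp 100
 no auto-summary
 ! internal networks learned by EIGRP are always more specific than the summaries below
 network 10.1.1.0 0.0.0.255
 network 10.20.0.0 0.0.255.255
 passive-interface default
 no passive-interface Vlan10
 ! push the summaries to the other cores so only one device holds the statics
 redistribute static route-map VPN-SUMMARIES
 default-metric 100000 100 255 1 1500
!
! Everything private that EIGRP does not know goes to the site-to-site VPN ASA (10.1.1.5).
! 192.168.10.0/24 from the question is covered by the /16 summary; no per-site route needed.
ip route 10.0.0.0 255.0.0.0 10.1.1.5
ip route 172.16.0.0 255.240.0.0 10.1.1.5
ip route 192.168.0.0 255.255.0.0 10.1.1.5
!
! AnyConnect pool sits behind the primary firewall (assumed 10.1.1.1 and 172.16.0.0/24).
! The /24 beats the /12 above by longest match, regardless of administrative distance.
ip route 172.16.0.0 255.255.255.0 10.1.1.1
!
ip prefix-list VPN-SUMMARIES seq 10 permit 10.0.0.0/8
ip prefix-list VPN-SUMMARIES seq 20 permit 172.16.0.0/12
ip prefix-list VPN-SUMMARIES seq 30 permit 192.168.0.0/16
ip prefix-list VPN-SUMMARIES seq 40 permit 172.16.0.0/24
route-map VPN-SUMMARIES permit 10
 match ip address prefix-list VPN-SUMMARIES
```

Check the result on the core with "show ip route 192.168.10.1" (should resolve to the /16 static via 10.1.1.5) and "show ip route 172.16.0.40" (the /24 via 10.1.1.1, not the /12). The price of the summaries is that traffic to any unused private address now reaches the VPN ASA instead of being dropped at the core, so the ASA's own routes back toward the inside must be more specific than these summaries; if the ASA carries a 10.0.0.0/8 route pointing at the core, a packet to an unused 10.x address bounces between core and ASA until its TTL expires.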