07-28-2009 02:10 AM - edited 03-06-2019 06:58 AM
I made a change to my ASA firewall last night so it only advertised the addresses of certain hosts within EIGRP. These hosts sit on the outside interface of my firewall. Basically it didn't work and no routes were advertised for these addresses.
router eigrp 100
network 172.16.115.57 255.255.255.255
network 172.16.115.57 255.255.255.255
network 172.16.115.58 255.255.255.255
network 172.16.115.59 255.255.255.255
interface Ethernet0/0
nameif Outside
security-level 100
ip address 172.16.115.214 255.255.255.0
ospf cost 10
Previously I was advertising the whole 172.16.115.0 subnet by using the redistribute connected command. I removed this when trying to advertise the single host address.
The reason for this is so traffic destined for these hosts follows a different path to the rest of the 172.16.115.0 subnet. The next stage was to add a static route on another router to the 172.16.115.0 subnet and redistribute the static route into EIGRP. Any idea why this hasn't worked?
Is it because within my network we only advertise the 10.0.0.0 network, so this wouldn't work? How could I get around this?
The firewall isn't used to connect to the internet. It connects my LAN to another LAN.
Many Thanks
07-28-2009 02:20 AM
Darren,
The "network" command in routing protocol configuration includes only directly connected networks into that protocol. It cannot be used to advertise an arbitrary host IP address, even within a directly connected network.
You obviously need to advertise a bunch of host IP routes (with the /32 prefix). The only way I can think of right now is defining those host IP routes statically in your routing table pointing out the correct interface and then redistributing them into the EIGRP. In IOS, if you define a static route with an outgoing interface without a next hop address, that route is considered to be a directly connected network as well and can be included into the EIGRP using the "network" command as any other directly connected network (i.e. not necessary to redistribute it). I am not sure if this can be done in ASA OS but at least the trick with redistribution should work.
Best regards,
Peter
07-28-2009 04:50 AM
Peter,
Don't think I can specify an interface on an ASA, doesn't give me the option.
Could you confirm my understanding is correct even though it doesn't seem possible?
route Outside 172.16.115.57 255.255.255.255 interface e1/0
router eigrp 100
redistribute static
My firewall connects directly to a router on my LAN. Could I add static routes on the router to these hosts which point to the internal address of my firewall and redistribute those into EIGRP?
Thanks
Darren
07-28-2009 05:48 AM
Hi Darren,
Unfortunately I do not have an ASA to do greater experiments but I do believe that it will allow you to define static routes as follows:
route Outside 172.16.115.57 255.255.255.255 172.16.115.57
You simply use the host's own IP address as the next hop. Then you can redistribute it into EIGRP - or perhaps try first using the "network" command exactly as you originally suggested, and use redistribution only if the "network" command doesn't work.
Best regards,
Peter
07-28-2009 06:28 AM
Thanks very much. I'll give that a go.
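The behaviour discussed in this thread, as an added example that is not from any of the posts or from Cisco: a simplified Python model in which a "network" statement only selects interfaces whose own address falls inside it, so the /32 statements from the first post match nothing and originate no routes. The function names are hypothetical, the .58 and .59 static routes are constructed in the form of the route in the last reply, and the model assumes the ASA accepts those static routes, which the thread does not confirm.

```python
import ipaddress

def parse(config):
    """Collect interface addresses, EIGRP network statements and static routes."""
    ifaces, networks, statics, redist = [], [], [], False
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"]:
            ifaces.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
        elif w[:1] == ["network"]:
            networks.append(ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False))
        elif w[:1] == ["route"]:  # route <nameif> <dest> <mask> <next-hop>
            statics.append(ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
        elif w[:2] == ["redistribute", "static"]:
            redist = True
    return ifaces, networks, statics, redist

def advertised(config):
    """Return (prefixes EIGRP would originate, network statements matching no interface)."""
    ifaces, networks, statics, redist = parse(config)
    routes, unmatched = set(), []
    for net in networks:
        # A statement selects an interface only if the interface's own IP is inside it.
        hits = [i.network for i in ifaces if i.ip in net]
        if not hits:
            unmatched.append(str(net))
        routes.update(hits)
    routes.update(statics if redist else [])
    return sorted(str(r) for r in routes), unmatched

# Constructed sample: the configuration from the first post (duplicate line dropped).
ORIGINAL = """\
interface Ethernet0/0
 ip address 172.16.115.214 255.255.255.0
router eigrp 100
 network 172.16.115.57 255.255.255.255
 network 172.16.115.58 255.255.255.255
 network 172.16.115.59 255.255.255.255
"""
# Constructed sample: static host routes in the form of the last reply, redistributed.
STATIC = """\
interface Ethernet0/0
 ip address 172.16.115.214 255.255.255.0
route Outside 172.16.115.57 255.255.255.255 172.16.115.57
route Outside 172.16.115.58 255.255.255.255 172.16.115.58
route Outside 172.16.115.59 255.255.255.255 172.16.115.59
router eigrp 100
 redistribute static
"""
for cfg in (ORIGINAL, STATIC): print(advertised(cfg))
```

Run against a saved configuration, the second element of the result lists every "network" statement that silently matches no interface.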