ASA firewall and EIGRP

Unanswered Question
Jun 1st, 2010

Hey guys.

I have an ASA connected directly into a 6509.

The ASA has the inside interface of 192.168.0.193/26 and a DMZ interface of 172.16.20.1/24.

I've brought up an EIGRP relationship between the two and the ASA can now see all the routes coming from the 6509, but the 6509 can't see the 172.16.20.0/24 network in the EIGRP topology.

ASA EIGRP config is as follows:

router eigrp 100
no auto-summary
network 192.168.0.192 255.255.255.192
network 172.16.20.0 255.255.255.0

sw-6509e-1#sh ip eigrp topology 172.16.20.0
% IP-EIGRP (AS 100): Route not in topology table

Anyone have any ideas?

Jon Marshall Tue, 06/01/2010 - 10:27

b.rockburn wrote:

Hey guys.

I have an ASA connected directly into a 6509.

The ASA has the inside interface of 192.168.0.193/26 and a DMZ interface of 172.16.20.1/24.

I've brought up an EIGRP relationship between the two and the ASA can now see all the routes coming from the 6509, but the 6509 can't see the 172.16.20.0/24 network in the EIGRP topology.

ASA EIGRP config is as follows:

router eigrp 100
no auto-summary
network 192.168.0.192 255.255.255.192
network 172.16.20.0 255.255.255.0

sw-6509e-1#sh ip eigrp topology 172.16.20.0
% IP-EIGRP (AS 100): Route not in topology table

Anyone have any ideas?

Brent

Your network masks are wrong, i.e. they should be inverse masks, e.g.

router eigrp 100
network 192.168.0.192 0.0.0.63
network 172.16.20.0 0.0.0.255

Jon

Brent Rockburn Tue, 06/01/2010 - 10:29

Hey Jon,

When I tried to do that on my ASA it says this:

fw-miss-dr-can-asa5520-01(config-router)# network 192.168.0.193 0.0.0.63
% EIGRP: Invalid mask (discontiguous)

Jon Marshall Tue, 06/01/2010 - 10:34

b.rockburn wrote:

Hey Jon,

When I tried to do that on my ASA it says this:

fw-miss-dr-can-asa5520-01(config-router)# network 192.168.0.193 0.0.0.63
% EIGRP: Invalid mask (discontiguous)

Brent

Try "network 192.168.0.192 0.0.0.63"

Jon

Brent Rockburn Tue, 06/01/2010 - 10:36

fw-miss-dr-can-asa5520-01(config-router)# network 192.168.0.192 0.0.0.63
% EIGRP: Invalid mask (discontiguous)

When I do network 192.168.0.193 255.255.255.192 it takes it and, yes, changes it to 192.168.0.192 255.255.255.192.

Jon Marshall Tue, 06/01/2010 - 10:37

Brent

Just checked the ASA config guide and it looks like the ASA does use normal subnet masks and not inverse masks, so please ignore me.

Jon
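The mask mix-up in the exchange above, as an added example that is not part of the original thread: the ASA takes a subnet mask in the EIGRP `network` statement while IOS takes a wildcard (inverse) mask, and `0.0.0.63` read as a subnet mask has its 1-bits at the low end, which is why it is reported as discontiguous. The function names are hypothetical, and the ASA behaviour is modelled only on the output shown in this thread.

```python
import ipaddress

def _to_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))

def is_contiguous_netmask(mask: str) -> bool:
    """True when the mask is 1-bits followed only by 0-bits (a subnet mask)."""
    inverted = ~_to_int(mask) & 0xFFFFFFFF
    # An inverted subnet mask has the form 2^k - 1, so AND with (itself + 1) is 0.
    return (inverted & (inverted + 1)) == 0

def invert(mask: str) -> str:
    """Convert subnet mask <-> wildcard mask by flipping all 32 bits."""
    return str(ipaddress.IPv4Address(~_to_int(mask) & 0xFFFFFFFF))

def asa_network_statement(addr: str, mask: str) -> str:
    """Model of the ASA parser as seen in the thread (assumption, not Cisco code):
    subnet masks only, host bits cleared from the address."""
    if not is_contiguous_netmask(mask):
        hint = ""
        if is_contiguous_netmask(invert(mask)):
            hint = f"; looks like an IOS wildcard, subnet-mask form is {invert(mask)}"
        raise ValueError("Invalid mask (discontiguous)" + hint)
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return f"network {net.network_address} {net.netmask}"

def ios_network_statement(addr: str, netmask: str) -> str:
    """Same network expressed the IOS way, with a wildcard mask."""
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    return f"network {net.network_address} {net.hostmask}"

if __name__ == "__main__":
    # Inputs taken from the thread: the two statements that were tried on the ASA.
    for addr, mask in [("192.168.0.193", "255.255.255.192"),
                       ("192.168.0.192", "0.0.0.63")]:
        try:
            print("ASA:", asa_network_statement(addr, mask))
        except ValueError as err:
            print(f"ASA rejects 'network {addr} {mask}': {err}")
    # The DMZ network from the original post, in 6509 (IOS) syntax.
    print("IOS:", ios_network_statement("172.16.20.1", "255.255.255.0"))
```
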

Chetan Kumar Ress Tue, 06/01/2010 - 10:44

Hi Brent

As per my understanding, you have connected the ASA directly to the 6509.

And currently you have Inside, DMZ & Outside networks.

Can you please share the topology, so that it can help us to know the network & the issue?

You have connected the ASA directly to the 6509 & you are trying to run both the DMZ & Inside networks on a single cable (physical cabling & a single interface on the ASA).

So you should configure the ASA with VLANs (sub-interfaces). One will be the DMZ layer 3 interface & one will be the Inside layer 3 interface. (Below is an example.)

ASA Configuration

interface GigabitEthernet0/0
description ***** Connected to 6509-I *****
no nameif
no security-level
no ip address

Outside Network

!
interface GigabitEthernet0/0.2
description ***** Connected to 6509-I - Server VLAN *****
vlan 2
nameif DMZ-Zone
security-level 50
ip address x.x.x.x x.x.x.x standby x.x.x.x
!

Inside Network

interface GigabitEthernet0/0.140
description ***** Connected to 6509-I Inside VLAN ****
vlan 140
nameif INSIDE-Zone
security-level 100
ip address x.x.x.x x.x.x.x standby x.x.x.x

6509 Switch Configuration

interface GigabitEthernet1/1
description ***** Connected To ASA-I *****
switchport trunk encapsulation dot1q
switchport mode trunk

In the ASA you will use two physical interfaces: one for Outside & one for Inside & DMZ (using sub-interfaces).

And the important thing is that the cable from the ASA to the 6509 should be a trunk to pass multiple VLANs. (On the 6509 you should configure a trunk.)

If your scenario is different, please let us know.

Regards

Chetan Kumar

Brent Rockburn Tue, 06/01/2010 - 10:56

Yes, that portion of the configuration I have down; there is no problem there.

The problem appears to be with EIGRP and the ASA, I'm not sure how the two should interact.

Chetan Kumar Ress Tue, 06/01/2010 - 11:19

Hi Brent

Please refer to the attached diagram.

The config below is for the DMZ network. The gateway for the servers is the ASA; any request from a server will come directly to the ASA (to the interface below), because we configured a trunk on the 6509, and on the 6509 we configured the Server VLAN (L2 VLAN) with all server ports associated to the Server VLAN. The trunk will pass this Server VLAN traffic to the ASA, and then the ASA will reply to those servers.

interface GigabitEthernet0/0.2
description ***** Connected to 6509-I - Server VLAN *****
vlan 2
nameif DMZ-Zone
security-level 50
ip address X.X.X.X X.X.X.X standby X.X.X.X

And here you can see the management interface used to communicate between the ASA & the 6509, where routing will be done to pass the 6509 routes to the ASA. We configured the ASA with a sub-interface, i.e. VLAN 10, and assigned IP address 1.1.1.1, & on the switch we created a layer 3 interface named VLAN10 & assigned IP address 1.1.1.2. The switch port is configured as a trunk & the trunk will pass requests to the ASA (VLAN 10 traffic). So you can see that the trunk will pass both VLANs' information to the ASA, and in the same way it will communicate vice versa.

interface GigabitEthernet0/0.10
description ***** Connected to 6509-I Inside zone ****
vlan 10
nameif INSIDE-Zone
security-level 100
ip address 1.1.1.1 255.255.255.0

Switch configuration

interface vlan 10
ip add 1.1.1.2 255.255.255.0

interface GigabitEthernet1/1
description ***** Connected To ASA *****
switchport trunk encapsulation dot1q
switchport mode trunk

Regards

Chetan Kumar

ChandraBhanu Pa... Tue, 06/18/2013 - 12:07

I had the same problem in ASA 8.6, but resolved it.

Kindly find the EIGRP-specific configuration:

Interface configuration

!
interface GigabitEthernet0/0
description Links to WAN Router
nameif OUTSIDE
security-level 50
ip address 10.1.1.4 255.255.255.192 standby 10.1.1.5
summary-address eigrp 100 10.1.0.0 255.255.0.0 1
!

EIGRP Protocol Configuration

access-list eigrpACL_FR standard permit any
!
router eigrp 100
distribute-list eigrpACL_FR in interface OUTSIDE
neighbor 10.1.1.3 interface OUTSIDE
neighbor 10.1.1.2 interface OUTSIDE
network 10.1.1.0 255.255.255.192
redistribute connected
redistribute static
!

Regards,

Bhanu.

Note: If it resolves your problem, flag it as Resolved.

ChandraBhanu Pa... Tue, 06/18/2013 - 12:11

I had the same problem in ASA 8.6, but resolved it.

Kindly find the EIGRP-specific configuration:

Interface configuration

!
interface GigabitEthernet0/0
description Links to WAN Router
nameif OUTSIDE
security-level 50
ip address 10.1.1.4 255.255.255.192 standby 10.1.1.5
summary-address eigrp 100 10.1.0.0 255.255.0.0 1
!

EIGRP Protocol Configuration

access-list eigrpACL_FR standard permit any
!
router eigrp 100
distribute-list eigrpACL_FR in interface OUTSIDE
neighbor 10.1.1.2 interface OUTSIDE
network 10.1.1.0 255.255.255.192
redistribute connected
redistribute static
!

Regards,

Bhanu.

Note: If it resolves your issue, flag it as Resolved.
