08-18-2010 07:33 AM
We have a VPN endpoint (ASA) running v 8.2(2) which has multiple VPN connections to external vendor networks. On our network core we have static routes pointing traffic to these remote subnets via the VPN appliance. Is there anyway to place the remote network addresses into EIGRP on the ASA so that the static routes on the core are no longer required?
08-18-2010 08:45 AM
Yes, it is possible to announce the VPN hosts or remote VPN networks. You will need the ASA to EIGRP-peer with your downstream core router; then you can announce those VPN networks in the ASA EIGRP process.
Regards
08-18-2010 08:52 AM
Okay, so the ASA does not need to have an interface in the network that it is advertising in EIGRP? I can just specify the networks within the EIGRP instance? Also, how do I stop remote peers from sending me EIGRP information?
08-18-2010 11:06 AM
Hi,
Yes, as far as I know you have to have an ASA interface adjacent to a device that is doing EIGRP. Now I am a little confused; if you have a basic network diagram, that will help. If I understand your original post, you have several tunnels terminating on your ASA firewall (outside) interface. My understanding of your request is that, for those far-end VPN subnets coming into your firewall, you have to statically enter them in your core switch so that your internal network knows which gateway to use (the ASA) to get to the far-end subnets through the IPsec tunnel. Is this correct? If so, and you want to avoid static routing on your core, you have to make the ASA firewall participate in routing from your inside, so that you can use a static route in your firewall, redistribute it by EIGRP and dynamically propagate those VPN subnets you have coming into your firewall. Please correct me if I have misunderstood your requirements.
Regards
08-19-2010 06:46 AM
The remote network is 1.1.1.1/24; the local network is 2.2.2.2/24. The local VPN device is 2.2.2.3/24 (inside interface). Currently the core switch (2.2.2.4) has a static route that says 1.1.1.1 is reachable via 2.2.2.2.
I want the ASA to announce that it is the gateway for 1.1.1.1 using EIGRP, so that the static route can be removed from the core switch.
08-19-2010 09:22 PM
As previously indicated, your ASA inside interface has to EIGRP-peer with your core switch. Did you read the link provided?
router eigrp
 eigrp router-id
 network 2.2.2.0 255.255.255.0
 redistribute static
For the far-end LAN, create a static route pointing to the ASA default gateway:
route outside 1.1.1.0 255.255.255.0
1.1.1.0/24 should be propagated downstream to your core router; remove the 1.1.1.0/24 static route from the core router.
Additionally, if you implement EIGRP, provide an additional layer of security by using EIGRP authentication; the information is all in the link previously posted.
Regards
08-20-2010 04:14 AM
Yes, all the work for EIGRP is done; it is the route advertisement that I am asking about.
Your configuration does not appear to be valid, as if I create routes for the remote networks that are to go via the outside interface with the next hop being the other gateway IP address, they will not be sent through the tunnel. In fact, the packets will be dropped, as they have non-routable addresses and are subject to the NAT 0 statement.
08-20-2010 05:56 AM
Hello,
On which interface are you terminating your VPN connections? If it is on the outside interface (ISP handoff), then the solution provided by jorgemcse will work. The static route is no different from the default route you have already configured on the ASA. When the packet hits the firewall, it will first look at the new static route and make a routing decision based on that (previously it would have looked at your default route). When the packet exits the firewall, it will go through the nonat rule and then the crypto process will kick in and encrypt the packet. So, from your VPN perspective, nothing will change.
On the EIGRP end, when you configure the static route and redistribute, all the downstream devices will get the routes from the ASA. At the same time, even on the ASA, you will learn about all internal networks via EIGRP. If you have a failover setup, I would suggest using a static route (for the entire set of inside subnets) in addition to EIGRP (failover will not sync the dynamic routing protocol's routing table).
Hope this helps.
Regards,
NT
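The two replies above describe one pattern (a static route for the far-end subnet on the VPN-terminating interface, redistributed into EIGRP) and one way it goes wrong (a route whose exit interface is not the one the crypto map is bound to). The following added example, which is not from the thread and not Cisco's code, is a small Python checker that reads an ASA 8.2-style configuration and reports, for every static route that `redistribute static` will hand to EIGRP, whether a crypto ACL on that exit interface covers the destination. The sample configuration, the interface names, the ACL and crypto map names, EIGRP AS 100 and the next-hop addresses 203.0.113.1 and 192.0.2.1 are all constructed for the example; only 1.1.1.0/24 and 2.2.2.0/24 come from the thread.

```python
"""Audit an ASA 'redistribute static into EIGRP' setup against its crypto ACLs.

For each static route the EIGRP process would redistribute, classify it as:
  OK      - destination is covered by a crypto ACL bound to the route's exit interface
  WARN    - destination is in a crypto ACL, but that map is bound to a different interface
  INFO    - destination is not in any crypto ACL (redistributed as a plain route)
  DEFAULT - the 0.0.0.0/0 static route, listed so it is not redistributed by accident
"""
import ipaddress
import re

# Constructed sample configuration (not a real device's config).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
interface Ethernet0/2
 nameif dmz
access-list VPN-VENDOR extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list VPN-VENDOR extended permit ip 2.2.2.0 255.255.255.0 1.1.2.0 255.255.255.0
access-list NONAT extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route outside 1.1.1.0 255.255.255.0 203.0.113.1
route dmz 1.1.2.0 255.255.255.0 192.0.2.1
route dmz 10.8.8.0 255.255.255.0 192.0.2.1
crypto map VPNMAP 10 match address VPN-VENDOR
crypto map VPNMAP interface outside
router eigrp 100
 network 2.2.2.0 255.255.255.0
 redistribute static
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_ACL_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")


def parse(config: str) -> dict:
    """Pull out static routes, extended ACL entries, crypto map bindings and the EIGRP flag."""
    routes, acls, map_acls, map_ifaces = [], {}, {}, {}
    redistribute_static, in_eigrp = False, False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # a top-level command ends any sub-mode
            in_eigrp = line.startswith("router eigrp ")
        if in_eigrp:                          # only look for the redistribute line inside router eigrp
            redistribute_static |= line.strip() == "redistribute static"
            continue
        if m := ROUTE_RE.match(line):
            iface, net, mask, nexthop = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), nexthop))
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MAP_ACL_RE.match(line):
            map_acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := MAP_IF_RE.match(line):
            map_ifaces[m.group(1)] = m.group(2)
    return {"routes": routes, "acls": acls, "map_acls": map_acls,
            "map_ifaces": map_ifaces, "redistribute_static": redistribute_static}


def audit(config: str) -> list:
    """Return (status, destination, exit_interface) for each route EIGRP would redistribute."""
    cfg = parse(config)
    if not cfg["redistribute_static"]:
        return []                             # nothing is announced; nothing to check
    # Destinations protected per interface: every ACL referenced by a map bound to that interface.
    protected = {}
    for mapname, iface in cfg["map_ifaces"].items():
        for acl in cfg["map_acls"].get(mapname, []):
            protected.setdefault(iface, []).extend(dst for _, dst in cfg["acls"].get(acl, []))
    findings = []
    for iface, net, _ in cfg["routes"]:
        if net.prefixlen == 0:
            findings.append(("DEFAULT", str(net), iface))
        elif any(net.subnet_of(dst) for dst in protected.get(iface, [])):
            findings.append(("OK", str(net), iface))
        elif any(net.subnet_of(dst) for i, dsts in protected.items() if i != iface for dst in dsts):
            findings.append(("WARN", str(net), iface))   # crypto map lives on another interface
        else:
            findings.append(("INFO", str(net), iface))
    return findings


if __name__ == "__main__":
    for status, net, iface in audit(SAMPLE_CONFIG):
        print(f"{status:7} {net:18} via {iface}")
```

Run against the sample, the checker marks 1.1.1.0/24 via outside as OK (the thread's working case), flags 1.1.2.0/24 via dmz with WARN because its crypto ACL is bound to outside, not dmz (the failure the fourth post describes), and lists the default route so the operator can decide whether the core should learn it. The checker does not model NAT 0 or failover; those remain manual review items.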