Cisco Support Community
New Member

EIGRP - ASA - DMZ Interface

Hello - I am trying to configure EIGRP on my ASA DMZ Interface - topology as follows:

Inside                        DMZ
3560x ------ ASA ------- 3560x
e0/1                          e0/3.501

The ASA is currently configured for EIGRP with the inside 3560x switch and passing routing updates properly.

However, the ASA will not send/receive routing updates to/from the DMZ 3560x switch - the two devices do establish eigrp neighbor relationship.

Any suggestions would be appreciated.

Thanks.

Josh

ASA Configuration:

!
router eigrp 600
 no auto-summary
 eigrp router-id 10.100.0.1
 network 10.50.10.0 255.255.255.0
 network NET-TOWER-TRANSIT-FW-10.100.0.0-24 255.255.255.0
 passive-interface default
 no passive-interface FW_TRANSIT
 no passive-interface DMZ_TEST
 redistribute static route-map EIGRP_REDISTRIBUTION_RMAP
!
interface Ethernet0/1
 description Internal Tower Networks
 nameif FW_TRANSIT
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
interface Ethernet0/3
 description DMZ physical interface
 nameif DMZ_PHYSICAL
 security-level 50
 no ip address
!
interface Ethernet0/3.510
 vlan 510
 nameif DMZ_TEST
 security-level 50
 ip address 10.50.10.254 255.255.255.0
!

DMZ Switch Configuration:

!
router eigrp 600
 network 10.50.10.0 0.0.0.255
 network 10.50.11.0 0.0.0.255
 passive-interface default
 no passive-interface Vlan75
 no passive-interface Vlan510
 eigrp router-id 10.50.255.254
!
interface Vlan510
 ip address 10.50.10.1 255.255.255.0
!

4 REPLIES
Cisco Employee

EIGRP - ASA - DMZ Interface

Can you try adding "no auto-summary" on the DMZ switch to see if that resolves it?

I'm not sure about ASA/firewalls, hence I'm not sure if I'm missing something on the ASA side.

New Member

EIGRP - ASA - DMZ Interface

Hi Sudeep - thanks for the suggestion - no auto-summary is default on the version of IOS that I am running.

New Member

Re: EIGRP - ASA - DMZ Interface

Some additional information - the neighbor relationship is flapping - it looks like the initial relationship is established but then each device is unable to pass on any update packets - below shows the Queue Count is non-zero.

On the ASA:

TOWER-FW01# sh eigrp ne
EIGRP-IPv4 neighbors for process 600
H   Address         Interface   Hold   Uptime     SRTT   RTO    Q     Seq
                                (sec)             (ms)          Cnt   Num
1   10.50.10.1      Et0/3.510   11     00:01:14   1      5000   2     11184
0   10.100.0.253    Et0/1       11     9w0d       4      200    0     8357

On the 3560x:

TOWER-DMZ-01#sh ip eigrp ne
EIGRP-IPv4 Neighbors for AS(600)
H   Address         Interface   Hold   Uptime     SRTT   RTO    Q     Seq
                                (sec)             (ms)          Cnt   Num
0   10.50.10.254    Vl510       14     00:00:18   1      5000   1     0

The ASA is also logging the following error:

Routing failed to locate next hop fro EIGRP from identity:10.50.10.254/0 to FW_TRANSIT:10.50.10.1/0

Another clue - when trying to ping from the ASA to the 3560x I receive the following:

TOWER-FW01# ping 10.50.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.10.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I am able to ping from the 3560x to the ASA - I don't know why I cannot ping in the other direction
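
The syslog line quoted in the post above names FW_TRANSIT as the destination interface for 10.50.10.1, while the posted ASA configuration places 10.50.10.0/24 on DMZ_TEST. The following check is an added example, not part of the original thread or any Cisco tooling, that makes this comparison mechanical; the helper names `connected_networks` and `check_egress` are hypothetical, and the inputs are constructed from the config and log line quoted in the thread.

```python
import ipaddress
import re

# Constructed sample input: the addressed interfaces from the ASA config and
# the syslog line quoted in the thread above (typo "fro" kept as posted).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif FW_TRANSIT
 ip address 10.100.0.1 255.255.255.0
interface Ethernet0/3
 nameif DMZ_PHYSICAL
 no ip address
interface Ethernet0/3.510
 nameif DMZ_TEST
 ip address 10.50.10.254 255.255.255.0
"""
LOG_LINE = ("Routing failed to locate next hop fro EIGRP from "
            "identity:10.50.10.254/0 to FW_TRANSIT:10.50.10.1/0")

# Matches the "from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>" tail of the message.
LOG_RE = re.compile(r"from (\S+?):([\d.]+)/\d+ to (\S+?):([\d.]+)/\d+")

def connected_networks(config):
    """Hypothetical helper: map each nameif to its connected IPv4 network."""
    nets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, forget previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addr, mask = line.split()[2:4]
            nets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return nets

def check_egress(log_line, nets):
    """Hypothetical helper: compare the logged egress interface with the
    interface(s) whose connected subnet actually contains the destination."""
    m = LOG_RE.search(log_line)
    if m is None:
        return None
    egress, dst = m.group(3), ipaddress.ip_address(m.group(4))
    owners = [n for n, net in nets.items() if dst in net]
    return {"dst": str(dst), "logged_egress": egress,
            "connected_on": owners, "mismatch": egress not in owners}

if __name__ == "__main__":
    print(check_egress(LOG_LINE, connected_networks(ASA_CONFIG)))
```

The check only reports that the interface in the log differs from the one the destination is connected on; it does not identify the cause, which the thread says is covered in the linked post.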

New Member

Re: EIGRP - ASA - DMZ Interface

Issue is resolved in another post -

https://supportforums.cisco.com/message/3703561#3703561
