ASA 5520 EIGRP Route Filtering

I have an ASA 5520 connected to a Cisco 6509E, and we're turning up EIGRP between the two. The problem that I'm running into is that there are a few static routes (including a 0.0.0.0) on the core that are being redistributed into the EIGRP AS, and I need to block these from being propagated to the ASA. The ASA only has the capability to use an ACL in conjunction with a distribute-list, and I can't find a way to filter the default route (0.0.0.0/0) while allowing everything else.

Any suggestions?

Thanks!

Darren


ASA 5520 EIGRP Route Filtering

I don't have an ASA that I can test, but you can try this:

access-list DenyDefault deny ip 0.0.0.0 0.0.0.0 (being an ASA, you may have to change this to 0.0.0.0 255.255.255.255)

access-list DenyDefault permit ip any any

router eigrp 100

distribute-list DenyDefault in

I would definitely make this change after hours since I'm not sure how this will affect it. The ACL syntax probably isn't right, but I don't have an ASA running eigrp.

HTH, John *** Please rate all useful posts ***

ASA 5520 EIGRP Route Filtering

Thanks for the reply j.blakley. I ended up denying the 0.0.0.0 host, and took it a step further with some RRI. Here's part of my codebase:

ASA5520STL01# sh run access-list

access-list Redistribute_Connected_Tunnels standard permit 192.168.12.48 255.255.255.240

access-list Redistribute_Connected_Tunnels standard permit 192.168.12.32 255.255.255.240

access-list Redistribute_Connected_Tunnels standard permit 192.168.3.80 255.255.255.240

access-list Redistribute_Connected_Tunnels standard permit 192.168.3.144 255.255.255.240

access-list Redistribute_Connected_Tunnels standard permit 192.168.12.64 255.255.255.240

access-list EIGRP_In_From_Core standard deny 192.168.3.80 255.255.255.240

access-list EIGRP_In_From_Core standard deny 192.168.3.144 255.255.255.240

access-list EIGRP_In_From_Core standard deny 192.168.12.0 255.255.255.0

access-list EIGRP_In_From_Core standard deny 192.168.3.0 255.255.255.0

access-list EIGRP_In_From_Core standard deny 192.168.0.0 255.255.0.0

access-list EIGRP_In_From_Core standard deny host 0.0.0.0

access-list EIGRP_In_From_Core standard permit any

ASA5520STL01# sh run crypto map

crypto map Outside_map 2 match address Outside_2_cryptomap

crypto map Outside_map 2 set peer X.X.X.X

crypto map Outside_map 2 set transform-set ESP-AES-128-MD5

crypto map Outside_map 2 set reverse-route

crypto map Outside_map 3 match address Outside_cryptomap

crypto map Outside_map 3 set peer X.X.X.X

crypto map Outside_map 3 set transform-set ESP-AES-128-MD5

crypto map Outside_map 3 set reverse-route

crypto map Outside_map 4 match address Outside_4_cryptomap

crypto map Outside_map 4 set peer X.X.X.X

crypto map Outside_map 4 set transform-set ESP-AES-128-SHA

crypto map Outside_map 4 set reverse-route

crypto map Outside_map 5 match address Outside_5_cryptomap

crypto map Outside_map 5 set peer X.X.X.X

crypto map Outside_map 5 set transform-set ESP-AES-128-SHA

crypto map Outside_map 5 set reverse-route

crypto map Outside_map interface Outside

ASA5520STL01# sh run router

router eigrp 100

no auto-summary

distribute-list EIGRP_In_From_Core in interface inside

network X.X.X.X X.X.X.X

passive-interface default

no passive-interface inside

redistribute static route-map Redistribute_Connected_Tunnels

ASA5520STL01# sh run route-map

route-map Redistribute_Connected_Tunnels permit 1

match ip address Redistribute_Connected_Tunnels

Working great now!

Darren
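
An added example, not part of the original posts: a small Python model of how the EIGRP_In_From_Core list above decides which routes learned from the core are accepted. It assumes the distribute-list compares each route's network address against the entries in order, first match wins, with ASA netmask (not wildcard) semantics; the route list and the MASK_ZERO list are constructed for illustration.

```python
import ipaddress

# EIGRP_In_From_Core from the post above, as (action, address, netmask).
# "host A" is A 255.255.255.255; "any" is 0.0.0.0 0.0.0.0.
EIGRP_IN_FROM_CORE = [
    ("deny", "192.168.3.80", "255.255.255.240"),
    ("deny", "192.168.3.144", "255.255.255.240"),
    ("deny", "192.168.12.0", "255.255.255.0"),
    ("deny", "192.168.3.0", "255.255.255.0"),
    ("deny", "192.168.0.0", "255.255.0.0"),
    ("deny", "0.0.0.0", "255.255.255.255"),   # host 0.0.0.0
    ("permit", "0.0.0.0", "0.0.0.0"),         # any
]

# Constructed contrast: address 0.0.0.0 with netmask 0.0.0.0 is "any",
# so a deny written that way matches every route, not just the default.
MASK_ZERO = [
    ("deny", "0.0.0.0", "0.0.0.0"),
    ("permit", "0.0.0.0", "0.0.0.0"),
]

# Constructed sample of routes the core might advertise.
ROUTES = ["0.0.0.0/0", "10.20.0.0/16", "192.168.12.48/28",
          "172.16.5.0/24", "192.168.200.0/24"]


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def evaluate(acl, route):
    """Return (action, index of the matching entry) for one route.
    Only the route's network address is compared (assumed model).
    Falls through to the implicit deny, reported with index None."""
    net = int(ipaddress.ip_network(route).network_address)
    for i, (action, addr, mask) in enumerate(acl):
        m = to_int(mask)
        if net & m == to_int(addr) & m:
            return action, i
    return "deny", None


def filter_routes(acl, routes):
    """Routes that survive the inbound distribute-list."""
    return [r for r in routes if evaluate(acl, r)[0] == "permit"]


if __name__ == "__main__":
    for r in ROUTES:
        print(r, evaluate(EIGRP_IN_FROM_CORE, r))
    print("mask 0.0.0.0 variant keeps:", filter_routes(MASK_ZERO, ROUTES))
```

Reordering the list, for example moving `permit any` above the denies, and re-running shows how entry order changes what the ASA would learn.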

ASA 5520 EIGRP Route Filtering

Good to hear!

Please rate helpful posts....

HTH, John *** Please rate all useful posts ***