HOW TO: EIGRP configuration (basic) on Cisco ASA firewall


In this article, I will demonstrate some basic configuration of EIGRP on a Cisco ASA firewall. I will configure an EIGRP neighbor relationship between an ASA and a router. I will also identify some of the mandatory and optional configuration parameters, followed by debugging of the neighbor relationship and verification of EIGRP.

To best describe this scenario, I have one Cisco ASA firewall and two routers connected as shown in the above-mentioned diagram. ASA1 is connected to R1 using Gig 0 interface (outside interface) and connected to R2 using Gig 1 interface (inside interface). In this lab, I will configure EIGRP neighbor relationship between ASA1 and R2.

Initial configuration

ASA1

interface GigabitEthernet0
 no shutdown
 nameif outside
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1
 no shutdown
 nameif inside
 ip address 10.20.20.1 255.255.255.0
!
route outside 10.50.50.0 255.255.255.0 10.10.10.1
route outside 10.50.51.0 255.255.255.0 10.10.10.1

R1

interface Loopback0
 ip address 10.50.50.1 255.255.255.0
!
interface Loopback1
 ip address 10.50.51.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown

R2

interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 10.20.20.2 255.255.255.0
 no shutdown

Configure EIGRP

The Cisco ASA firewall supports the EIGRP dynamic routing protocol for IPv4, and only a single routing process is allowed. For simplicity, I am going to configure EIGRP for all networks (using 0.0.0.0) on R2.

R2 configuration

R2(config)#router eigrp 100
R2(config-router)# network 0.0.0.0

ASA1 configuration

ASA1(config)# router eigrp 100
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface inside 
ASA1(config-router)# no auto-summary 
ASA1(config-router)# network 10.20.20.0 255.255.255.0 
ASA1(config-router)# network 10.10.10.2 255.255.255.255

  • Enable EIGRP process (mandatory) — configure the router eigrp <ASN> command in global configuration mode to globally activate EIGRP within the given autonomous system number.
    • NOTE: Only a single routing process is allowed. If you try to create another EIGRP process, you will receive the following error: “Too many IP routing processes for this routing protocol
      ERROR: Unable to create router process”
  • Disable auto-summary (mandatory) — configure the process-level command no auto-summary to disable EIGRP's auto-summarization at classful network boundaries, which is enabled by default.
  • Enable interfaces for EIGRP (mandatory) — configure the process-level command network <subnet> <mask> to activate sending and receiving of EIGRP hello multicast packets on the matching interfaces so that adjacencies can be established.
    • NOTE: By configuring the network command for the 10.20.20.0/24 network, I am enabling EIGRP for any interface whose IP address is part of that /24 subnet, while by configuring the network command for 10.10.10.2/32, I am enabling EIGRP ONLY for that particular IP address.
  • Define passive interfaces (optional) — configure the process-level command passive-interface <nameif> to disable sending and receiving of EIGRP hello packets on that interface, so no neighbors can be formed over it.
    • In our example, I am only allowing the neighbor relationship to be formed over the inside interface. Even though I have a network command configured for the outside interface, because of the passive-interface default command, no neighbor can be formed over the outside interface as of now.
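
The interaction between the network statements and the passive-interface commands described above can be checked mechanically. The following Python sketch is an added example, not part of the original article or of any Cisco tool: it works out, for each ASA interface, whether EIGRP is disabled, passive or able to form neighbors. The function names and the allow-list are hypothetical, the inputs are the ASA1 addresses and EIGRP block from this lab, and only the "network <address> <mask>" form is handled.

```python
import ipaddress

# Constructed input: the ASA1 interface addresses and EIGRP block from this article.
INTERFACES = {"outside": "10.10.10.2", "inside": "10.20.20.1"}
EIGRP_CONFIG = """\
router eigrp 100
 passive-interface default
 no passive-interface inside
 no auto-summary
 network 10.20.20.0 255.255.255.0
 network 10.10.10.2 255.255.255.255
"""

def eigrp_interface_state(config, interfaces):
    """Return {nameif: 'active' | 'passive' | 'disabled'} for one EIGRP process."""
    networks, passive, active = [], set(), set()
    passive_default = False
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["network"] and len(words) == 3:
            networks.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        elif words == ["passive-interface", "default"]:
            passive_default = True
        elif words[:1] == ["passive-interface"] and len(words) == 2:
            passive.add(words[1])
        elif words[:2] == ["no", "passive-interface"] and len(words) == 3:
            active.add(words[2])
    state = {}
    for nameif, addr in interfaces.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in networks):
            state[nameif] = "disabled"   # no network statement covers this address
        elif nameif in active:
            state[nameif] = "active"     # hellos sent and received, neighbors can form
        elif passive_default or nameif in passive:
            state[nameif] = "passive"    # network is advertised, but no hellos
        else:
            state[nameif] = "active"
    return state

def unexpected_adjacency_interfaces(config, interfaces, allowed):
    """Interfaces able to form EIGRP neighbors that are not on the allow-list."""
    state = eigrp_interface_state(config, interfaces)
    return sorted(n for n, s in state.items() if s == "active" and n not in allowed)
```

With the configuration from this article, only inside is active; removing the passive-interface default line makes outside active as well, which is the condition the audit function reports.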

Verify EIGRP

Debug of EIGRP packets


ASA1# debug eigrp packets 
EIGRP Packets debugging is on
 (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
ASA1# 
EIGRP: Sending HELLO on GigabitEthernet1
 AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.20.20.2
 AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0
EIGRP: Adding Version2 Peer (1 Peers, 1 V2 Peers)
EIGRP: Enqueueing UPDATE on GigabitEthernet1 nbr 10.20.20.2 topoid 0 iidbQ un/rely 0/1 peerQ un/rely 0/0
EIGRP: Sending TOPOLIST on GigabitEthernet1 - 1 items
EIGRP: Sending HELLO on GigabitEthernet1
 AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/1
EIGRP: Requeued unicast on GigabitEthernet1
EIGRP: Forcing multicast xmit on GigabitEthernet1
EIGRP: Sending UPDATE on GigabitEthernet1 nbr 10.20.20.2 topoid 0
 AS 6553600, Flags 0x1, Seq 1/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
EIGRP: Enqueueing UPDATE on GigabitEthernet1 topoid 0 iidbQ un/rely 0/1 serno 1-1
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.20.20.2
 AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/1 peerQ un/rely 0/1
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
 AS 6553600, Flags 0x1, Seq 1/0 interfaceQ 0/0 iidbQ un/rely 0/1 peerQ un/rely 0/1
EIGRP: Enqueueing UPDATE on GigabitEthernet1 nbr 10.20.20.2 topoid 0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-1
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
 AS 6553600, Flags 0x1, Seq 1/1 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: GigabitEthernet1 multicast flow blocking cleared
, last received seq 1, out of sequence, this seq 1
EIGRP: Enqueueing ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
 Ack seq 1 iidbQ un/rely 0/1 peerQ un/rely 1/0
EIGRP: Suppressed ACK 1 to 10.20.20.2 on GigabitEthernet1
EIGRP: Requeued unicast on GigabitEthernet1
EIGRP: Requeued unicast on GigabitEthernet1
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.20.20.2
 AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Receiving TOPOLIST on GigabitEthernet1 - 0 items 
EIGRP: Sending TOPOLIST on GigabitEthernet1 - 1 items
EIGRP: Sending HELLO on GigabitEthernet1
 AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
 AS 6553600, Flags 0x1, Seq 1/1 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
, last received seq 1, out of sequence, this seq 1
EIGRP: Enqueueing ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
 Ack seq 1 iidbQ un/rely 0/0 peerQ un/rely 1/0
EIGRP: Sending ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
 AS 6553600, Flags 0x0, Seq 0/1 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
 AS 6553858, Flags 0x0, Seq 2/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Enqueueing ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
 Ack seq 2 iidbQ un/rely 0/0 peerQ un/rely 1/0
EIGRP-IPv4(Default-IP-Routing-Table:100): route installed for 172.16.0.0 ()
EIGRP-IPv4(Default-IP-Routing-Table:100): route installed for 172.16.1.0 ()
EIGRP-IPv4(Default-IP-Routing-Table:100): route installed for 192.168.1.0 ()
EIGRP: Sending ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
 AS 6553600, Flags 0x0, Seq 0/2 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0

Additional debug commands

ASA1# debug eigrp ?

  fsm             EIGRP Dual Finite State Machine events/actions
  neighbors       EIGRP neighbors
  packets         EIGRP packets
  transmit        EIGRP transmission events
  user-interface  EIGRP User Interface

Verify EIGRP neighbor table

ASA1# show eigrp neighbors 
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.20.20.2              Gi1              13  00:00:38 1    200   0   1

NOTE: A Q count of 0 means a healthy neighbor relationship. The Q count is the number of EIGRP packets (query, reply, update) that this device is trying to send to the next device.
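
The neighbor table can also be compared against the neighbors you expect to see. The following Python sketch is an added example, not part of the original article: it parses "show eigrp neighbors" output, reports any neighbor that is not on an expected list, any expected neighbor that is missing, and any non-zero Q count. The function names and the expected list are hypothetical, and the sample text is the output shown above.

```python
import ipaddress

# Constructed sample: the neighbor table captured on ASA1 in this article.
SAMPLE = """\
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.20.20.2              Gi1              13  00:00:38 1    200   0   1
"""

def parse_neighbors(text):
    """Return one dict per neighbor row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or not fields[0].isdigit():
            continue
        try:
            ipaddress.ip_address(fields[1])
            q_cnt = int(fields[7])
        except ValueError:
            continue
        rows.append({"address": fields[1], "interface": fields[2], "q_cnt": q_cnt})
    return rows

def audit_neighbors(text, expected):
    """expected is a set of (address, interface) pairs; returns a list of findings."""
    findings, seen = [], set()
    for nbr in parse_neighbors(text):
        key = (nbr["address"], nbr["interface"])
        seen.add(key)
        if key not in expected:
            findings.append(f"unexpected neighbor {key[0]} on {key[1]}")
        if nbr["q_cnt"] > 0:
            findings.append(f"Q Cnt {nbr['q_cnt']} for {key[0]} on {key[1]}")
    for addr, intf in sorted(expected - seen):
        findings.append(f"expected neighbor {addr} on {intf} is missing")
    return findings
```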

Verify the interface running EIGRP

ASA1# show eigrp interfaces inside 
EIGRP-IPv4 interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
inside             1        0/0       963       0/1         4817           0

Verify the EIGRP topology table

ASA1# show eigrp topology

EIGRP-IPv4 Topology Table for AS(100)/ID(10.20.20.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
 r - reply Status, s - sia Status

P 10.10.10.0 255.255.255.0, 1 successors, FD is 28160
 via Connected, GigabitEthernet0
P 10.20.20.0 255.255.255.0, 1 successors, FD is 28160
 via Connected, GigabitEthernet1
P 192.168.1.0 255.255.255.0, 1 successors, FD is 156160
 via 10.20.20.2 (156160/128256), GigabitEthernet1
P 172.16.0.0 255.255.255.0, 1 successors, FD is 156160
 via 10.20.20.2 (156160/128256), GigabitEthernet1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 156160
 via 10.20.20.2 (156160/128256), GigabitEthernet1

NOTE: Even though networks 10.10.10.0/24 and 10.20.20.0/24 are directly connected to ASA1, they are included in EIGRP’s topology table because of the network commands.

Verify the route-table

ASA1# show route | beg Gateway
Gateway of last resort is not set

D    172.16.0.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:16, inside
D    172.16.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:16, inside
C    10.20.20.0 255.255.255.0 is directly connected, inside
C    10.10.10.0 255.255.255.0 is directly connected, outside
D    192.168.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:16, inside

R2# show ip route eigrp | beg Gateway
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.10.10.0/24 [90/284160] via 10.20.20.1, 00:00:03, Ethernet0/1

I hope you enjoyed this article. Please feel free to leave any comment or feedback.

 


Ashutosh Patel

Ashutosh Patel is the Author and editor of netfixpro.com. He currently works as a Network Security Architect. Follow him on following social media to know more about him.

3 thoughts on “HOW TO: EIGRP configuration (basic) on Cisco ASA firewall”

  • Pingback: EIGRP configuration (Advanced) on Cisco ASA firewall – NetFixPro

  • November 12, 2016 at 10:51 PM
    Permalink

    Excellent introduction about ASA firewall.

    It would be great if more about ASA firewall be made like difference between a normal router and ASA firewall router, where it is placed like at core or edge of a network, and how it is effectively utilized like benefits.

    I would be highly grateful, if you write about SNMP in detail, a simple configuration, and daily uses. How it is different from Syslog and other tools like PRTG,

    Thanks and kind regards,

    Mukesh Kumar

    Reply
    • November 16, 2016 at 9:55 AM
      Permalink

      Sure thing. Will do. Subscribe to my newsletter so you can email notification whenever I publish any new article.

      Reply
