EIGRP configuration (Advanced) on Cisco ASA firewall


In this article, I will demonstrate some advanced EIGRP configuration examples on the Cisco ASA firewall. I am using the same network topology as in the previous article, EIGRP configuration (basic) on Cisco ASA firewall, and I highly recommend reading that article before proceeding with this lab. Here is the list of topics covered in this post.

  1. EIGRP Authentication
  2. Route redistribution
  3. Route Filtering
  4. AD (Admin Distance) change
  5. Hello and Hold timer change
  6. Route Summarization

As shown in the topology diagram from the previous article, I have one Cisco ASA firewall (running 9.4.1 code) and two routers (running 15.4 code). ASA1 is connected to R1 via its Gig 0 interface (outside) and to R2 via its Gig 1 interface (inside). Here are the pre-configured initial configurations of all 3 devices that you will need for this lab.


ASA1

interface GigabitEthernet0
 no shutdown
 nameif outside
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1
 no shutdown
 nameif inside
 ip address 10.20.20.1 255.255.255.0
!
router eigrp 100
 passive-interface default
 no passive-interface inside 
 no auto-summary 
 network 10.20.20.0 255.255.255.0 
 network 10.10.10.2 255.255.255.255
!
route outside 10.50.50.0 255.255.255.0 10.10.10.1
route outside 10.50.51.0 255.255.255.0 10.10.10.1

R1

interface Loopback0
 ip address 10.50.50.1 255.255.255.0
!
interface Loopback1
 ip address 10.50.51.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown

R2

interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 10.20.20.2 255.255.255.0
 no shutdown
!
router eigrp 100
 network 0.0.0.0

EIGRP Authentication

You must configure EIGRP authentication for security reasons: without it, any device on the segment can form an adjacency with the ASA and inject routes. EIGRP only supports MD5 authentication. The Cisco ASA does not support key chain configuration for EIGRP, so only a single key can be configured per interface, as shown below. Let's enable authentication between ASA1 and R2 on their inter-connected interfaces.

ASA1

ASA1(config)# int GigabitEthernet1
ASA1(config-if)# authentication key eigrp 100 P@$$w0rd key-id 1
ASA1(config-if)# authentication mode eigrp 100 md5

R2

R2(config-router)#key chain KEY-CHAIN
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string P@$$w0rd
!
R2(config)#int ethernet 0/1
R2(config-if)#ip authentication mode eigrp 100 md5
R2(config-if)#ip authentication key-chain eigrp 100 KEY-CHAIN

Route redistribution

By default, EIGRP has an AD of 90 for internal routes and an AD of 170 for external routes. Internal routes appear as D routes and external routes appear as D EX routes in the routing table. The Cisco ASA can redistribute RIP, OSPF, static and connected routes into EIGRP.

In this example, I will redistribute the static routes for the 10.50.50.0/24 and 10.50.51.0/24 networks into EIGRP on ASA1 so that R2 learns those routes via EIGRP. It is always good practice to limit and control redistributed routes with a route-map.

Configure ASA1

ASA1(config)# prefix-list STATIC-RT-PL seq 5 permit 10.50.50.0/24 
ASA1(config)# prefix-list STATIC-RT-PL seq 10 permit 10.50.51.0/24 
! 
ASA1(config)# route-map STATIC-RT-RM permit 5 
ASA1(config-route-map)# match ip address prefix-list STATIC-RT-PL 
!
ASA1(config-route-map)# router eigrp 100 
ASA1(config-router)# redistribute static route-map STATIC-RT-RM

Verify routes on R2

R2#show ip route eigrp | beg Gateway
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.10.10.0/24 [90/284160] via 10.20.20.1, 00:09:33, Ethernet0/1
D EX     10.50.50.0/24 [170/284160] via 10.20.20.1, 00:00:15, Ethernet0/1
D EX     10.50.51.0/24 [170/284160] via 10.20.20.1, 00:00:15, Ethernet0/1

NOTE:

When redistributing routes into EIGRP, a metric must be specified; otherwise the prefixes will not be advertised. For example: redistribute ospf 100 metric 10000 100 255 1 1500

However, static and connected routes are the exception: the ASA determines their metric automatically, so it does not need to be specified manually.

Route Filtering

Route filtering lets you control which routes are sent or received in EIGRP. On the Cisco ASA, only a standard access list can be used for route filtering.

Let’s verify the state of the ASA1’s route table before I filter some routes.

ASA1# show route inside | beg Gateway
Gateway of last resort is not set

D 172.16.0.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:14:39, inside
D 172.16.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:14:39, inside
C 10.20.20.0 255.255.255.0 is directly connected, inside
D 192.168.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:14:38, inside

Configure ASA1

In this example, I will allow only the 172.16.x.x networks inbound from R2 and filter all other routes that ASA1 receives from R2.

ASA1(config)# access-list 10 standard permit 172.16.0.0 255.255.255.0
ASA1(config)# access-list 10 standard permit 172.16.1.0 255.255.255.0
!
ASA1(config)# router eigrp 100
ASA1(config-router)# distribute-list 10 in interface inside

Verify ASA1

ASA1# sh route inside | beg Gateway
Gateway of last resort is not set

D 172.16.0.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:03, inside
D 172.16.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:03, inside
C 10.20.20.0 255.255.255.0 is directly connected, inside
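As an added example (not from the original article), the following Python models how the distribute-list's standard ACL is applied to the routes ASA1 learns from R2. It parses the show route lines above plus one constructed 172.16.0.128/25 route (not in the article) to show that a standard ACL matches only the route's network address, not its prefix length.

```python
import ipaddress
import re

# ASA "show route inside" lines from the article, plus one constructed
# 172.16.0.128/25 route (not in the article) to show the mask caveat.
ASA_ROUTE_TABLE = """\
D 172.16.0.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:14:39, inside
D 172.16.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:14:39, inside
D 172.16.0.128 255.255.255.128 [90/156160] via 10.20.20.2, 0:14:39, inside
C 10.20.20.0 255.255.255.0 is directly connected, inside
D 192.168.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:14:38, inside
"""

# access-list 10 standard permit <network> <mask>, as configured on ASA1.
ACL_10 = [
    ("permit", "172.16.0.0", "255.255.255.0"),
    ("permit", "172.16.1.0", "255.255.255.0"),
]

ROUTE_RE = re.compile(r"^(?P<code>D EX|D|C|S)\s+(?P<net>\S+)\s+(?P<mask>\S+)")


def parse_asa_routes(text):
    """Return (code, 'network/prefixlen') tuples from ASA 'show route' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=True)
            routes.append((m["code"], str(net)))
    return routes


def acl_permits(acl, prefix):
    """Standard-ACL match as a distribute-list applies it: only the route's
    network address is compared under each entry's mask; the route's own
    prefix length is ignored. Unmatched routes hit the implicit deny."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, entry_net, entry_mask in acl:
        mask = int(ipaddress.ip_address(entry_mask))
        if addr & mask == int(ipaddress.ip_address(entry_net)) & mask:
            return action == "permit"
    return False


def apply_distribute_list_in(acl, routes):
    """Drop EIGRP-learned (D / D EX) routes the ACL denies; connected routes
    are not subject to the inbound EIGRP filter and are kept."""
    return [(code, prefix) for code, prefix in routes
            if not code.startswith("D") or acl_permits(acl, prefix)]
```

Note that the constructed /25 is also permitted: the standard ACL cannot express a prefix-length condition, so any more-specific route inside a permitted /24 passes the filter.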

AD (Admin Distance) change

By default, EIGRP has an AD of 90 for internal routes and an AD of 170 for external routes. Changing the AD is locally significant only. In this example, I will modify the admin distance for internal routes to 100 and for external routes to 200.

Configure ASA1

ASA1(config)# router eigrp 100
ASA1(config-router)# distance eigrp 100 200

Verify ASA1

ASA1# sh route inside | beg Gateway
Gateway of last resort is not set

D 172.16.0.0 255.255.255.0 [100/156160] via 10.20.20.2, 0:00:03, inside
D 172.16.1.0 255.255.255.0 [100/156160] via 10.20.20.2, 0:00:03, inside
C 10.20.20.0 255.255.255.0 is directly connected, inside

Verify R2

R2#show ip route eigrp | beg Gateway
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D 10.10.10.0/24 [90/284160] via 10.20.20.1, 00:00:56, Ethernet0/1
D EX 10.50.50.0/24 [170/284160] via 10.20.20.1, 00:00:56, Ethernet0/1
D EX 10.50.51.0/24 [170/284160] via 10.20.20.1, 00:00:56, Ethernet0/1

NOTE that the distances did not change on R2, since the change is locally significant to ASA1 only.

Hello and Hold timer change

By default, EIGRP uses a 5 sec hello timer and a 15 sec hold timer on an Ethernet LAN. Unlike OSPF, the hello and hold timers do not need to match for the EIGRP neighbor relationship to come up.

Let's verify the hold timer on R2 before we make any changes. The hold time tells an EIGRP neighbor how long it should consider the ASA reachable after the last hello. Here R2 shows a hold time of 12 sec (counting down), which means ASA1 has advertised at least the default 15 sec hold timer to R2.

R2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.20.20.1              Et0/1                    12 00:00:05   20   120  0  21

Configure ASA1

In this example, I will configure 2 sec of hello timer and 4 sec of hold timer on ASA1.

ASA1(config)# interface GigabitEthernet1
ASA1(config-if)# hello-interval eigrp 100 2
ASA1(config-if)# hold-time eigrp 100 4

Verify R2

ASA1 is now advertising the new hold timer to R2.

R2#sh ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.20.20.1              Et0/1                     3 00:00:05   20   120  0  21

Route Summarization

One of the advantages of EIGRP is route summarization: you can summarize routes almost anywhere in your network. Summarization is recommended to limit the size of the routing table and the EIGRP query domain. It suppresses any subnets contained within the summary from the outgoing updates and sends only the configured summary network.

Let’s verify R2’s route table before making any changes on ASA1.

R2#sh ip route eigrp | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.10.10.0/24 [90/284160] via 10.20.20.1, 00:00:07, Ethernet0/1
D EX     10.50.50.0/24 [170/284160] via 10.20.20.1, 00:00:07, Ethernet0/1
D EX     10.50.51.0/24 [170/284160] via 10.20.20.1, 00:00:07, Ethernet0/1

Configure ASA1

In this example, I will summarize both the 10.50.50.0/24 and 10.50.51.0/24 networks into a single /23 on ASA1.

ASA1(config)# interface GigabitEthernet1
ASA1(config-if)# summary-address eigrp 100 10.50.50.0 255.255.254.0

Verify R2

R2#sh ip route eigrp | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D        10.10.10.0/24 [90/284160] via 10.20.20.1, 00:00:09, Ethernet0/1
D        10.50.50.0/23 [90/284160] via 10.20.20.1, 00:00:09, Ethernet0/1

NOTE: Even though I am redistributing static routes on ASA1 (as explained earlier), because of route summarization R2 now sees an internal (D) summary /23 route for the external redistributed networks.

NOTE: Summarized routes are always advertised as internal routes.
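As an added example (not part of the article), this Python models what the summary-address command above does to ASA1's outgoing updates: it finds the tightest summary for the two 10.50.x.0/24 routes, suppresses the components and advertises the summary as an internal route, reproducing the R2 table shown above. The route list and AD values are taken from the article's show output; the /21 case in the comment is a constructed illustration.

```python
import ipaddress

# What ASA1 advertised to R2 before summarization, taken from the R2
# "show ip route eigrp" output in the article: (code, prefix, AD).
ASA1_ADVERTISED = [
    ("D", "10.10.10.0/24", 90),
    ("D EX", "10.50.50.0/24", 170),
    ("D EX", "10.50.51.0/24", 170),
]


def tightest_summary(prefixes):
    """Smallest single prefix that covers every given network, i.e. the
    value to configure with summary-address. It may also cover address
    space you do not own: 10.50.50.0/24 plus 10.50.52.0/24 (constructed
    case) need a /21 that spans 10.50.48.0 - 10.50.55.255."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


def apply_summary(routes, summary, internal_ad=90):
    """Model summary-address on an outgoing EIGRP interface: components
    inside the summary are suppressed from the update and replaced by one
    summary route, which EIGRP advertises as an internal route (AD 90)
    even when the components were external (D EX / 170)."""
    summary_net = ipaddress.ip_network(summary)
    advertised, suppressed = [], []
    for code, prefix, ad in routes:
        if ipaddress.ip_network(prefix).subnet_of(summary_net):
            suppressed.append(prefix)
        else:
            advertised.append((code, prefix, ad))
    if suppressed:  # the summary is only sent while a component route exists
        advertised.append(("D", str(summary_net), internal_ad))
    return advertised, suppressed
```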

I hope you enjoyed reading this article. Please feel free to leave any comment or feedback.

Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect.
