HOW TO: EIGRP configuration (basic) on Cisco ASA firewall
In this article, I will demonstrate some basic configuration of EIGRP on a Cisco ASA firewall. I will configure an EIGRP neighbor relationship between an ASA and a router. I will also identify some of the mandatory and optional configuration parameters, followed by debugging of the neighbor relationship and verification of EIGRP.
To best describe this scenario, I have one Cisco ASA firewall and two routers connected as shown in the diagram above. ASA1 is connected to R1 using its Gig 0 interface (outside interface) and to R2 using its Gig 1 interface (inside interface). In this lab, I will configure the EIGRP neighbor relationship between ASA1 and R2.
Initial configuration
ASA1
interface GigabitEthernet0
 no shutdown
 nameif outside
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1
 no shutdown
 nameif inside
 ip address 10.20.20.1 255.255.255.0
!
route outside 10.50.50.0 255.255.255.0 10.10.10.1
route outside 10.50.51.0 255.255.255.0 10.10.10.1
R1
interface Loopback0
 ip address 10.50.50.1 255.255.255.0
!
interface Loopback1
 ip address 10.50.51.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown
R2
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 10.20.20.2 255.255.255.0
 no shutdown
Configure EIGRP
The Cisco ASA firewall supports the EIGRP dynamic routing protocol for IPv4, and only a single EIGRP routing process is allowed. For simplicity, I am going to configure EIGRP for all networks (using 0.0.0.0) on R2.
R2 configuration
R2(config)# router eigrp 100
R2(config-router)# network 0.0.0.0
ASA1 configuration
ASA1(config)# router eigrp 100
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface inside
ASA1(config-router)# no auto-summary
ASA1(config-router)# network 10.20.20.0 255.255.255.0
ASA1(config-router)# network 10.10.10.2 255.255.255.255
- Enable the EIGRP process (mandatory): configure the router eigrp <ASN> command in global configuration mode to activate EIGRP globally under the given autonomous system number.
- NOTE: Only a single routing process is allowed; if you try to create another EIGRP process, you will receive the following error: “Too many IP routing processes for this routing protocol
ERROR: Unable to create router process”
- Disable auto-summary (mandatory): configure the process-level command no auto-summary to disable EIGRP's automatic summarization at classful network boundaries, which is enabled by default.
- Enable interfaces for EIGRP (mandatory): configure the process-level command network <subnet> <mask> to activate sending and receiving of EIGRP hello multicast packets on the interfaces whose addresses match the command, so that adjacencies can be established.
- NOTE: by configuring the network command for 10.20.20.0/24, I am enabling EIGRP on any interface whose IP address is part of that /24 subnet, while the network command for 10.10.10.2/32 enables EIGRP ONLY on the interface with that particular IP address.
- Define passive interfaces (optional): configure the process-level command passive-interface <nameif> to disable sending and receiving of EIGRP hello packets on that interface, so no neighbors can be formed over it.
- In our example, I am only allowing the neighbor relationship to be formed over the inside interface. Even though I have a network command configured for the outside interface, because of the passive-interface default command no neighbor can be formed over the outside interface as of now.
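As an added example (not code from the original article), the following Python models how the ASA decides, from the network statements and passive-interface settings above, which interfaces run EIGRP and which of them can actually form a neighbor. It goes slightly beyond the article by also handling an explicit passive-interface <nameif> used without passive-interface default. The interface addresses and statements are taken from the lab; the function names are my own.

```python
import ipaddress

# Constructed data mirroring the article's lab: ASA1's interface addresses
# and the EIGRP process settings (network statements, passive handling).
INTERFACES = {"outside": "10.10.10.2", "inside": "10.20.20.1"}
NETWORK_STATEMENTS = [("10.20.20.0", "255.255.255.0"),
                      ("10.10.10.2", "255.255.255.255")]
PASSIVE_DEFAULT = True        # passive-interface default
NO_PASSIVE = {"inside"}       # no passive-interface inside
PASSIVE = set()               # explicit passive-interface <nameif> entries


def network_matches(ip, subnet, mask):
    """ASA 'network <subnet> <mask>': the interface address must lie inside
    subnet/mask, so a /32 statement matches exactly one address."""
    net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    return ipaddress.ip_address(ip) in net


def eigrp_interface_state(interfaces, statements, passive_default,
                          no_passive, passive=frozenset()):
    """Return {nameif: (enabled, passive, neighbor_possible)}.
    enabled: at least one network statement covers the interface address.
    passive: hellos are suppressed, so no adjacency even when enabled."""
    state = {}
    for nameif, ip in interfaces.items():
        enabled = any(network_matches(ip, s, m) for s, m in statements)
        is_passive = (passive_default and nameif not in no_passive) \
            or nameif in passive
        state[nameif] = (enabled, is_passive, enabled and not is_passive)
    return state


if __name__ == "__main__":
    result = eigrp_interface_state(INTERFACES, NETWORK_STATEMENTS,
                                   PASSIVE_DEFAULT, NO_PASSIVE, PASSIVE)
    for nameif, (en, pa, nb) in result.items():
        print(f"{nameif}: enabled={en} passive={pa} neighbor_possible={nb}")
```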
Verify EIGRP
Debug of EIGRP packets
debug eigrp
ASA1# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
ASA1#
EIGRP: Sending HELLO on GigabitEthernet1
  AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.20.20.2
  AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0
EIGRP: Adding Version2 Peer (1 Peers, 1 V2 Peers)
EIGRP: Enqueueing UPDATE on GigabitEthernet1 nbr 10.20.20.2 topoid 0 iidbQ un/rely 0/1 peerQ un/rely 0/0
EIGRP: Sending TOPOLIST on GigabitEthernet1 - 1 items
EIGRP: Sending HELLO on GigabitEthernet1
  AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/1
EIGRP: Requeued unicast on GigabitEthernet1
EIGRP: Forcing multicast xmit on GigabitEthernet1
EIGRP: Sending UPDATE on GigabitEthernet1 nbr 10.20.20.2 topoid 0
  AS 6553600, Flags 0x1, Seq 1/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
EIGRP: Enqueueing UPDATE on GigabitEthernet1 topoid 0 iidbQ un/rely 0/1 serno 1-1
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.20.20.2
  AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/1 peerQ un/rely 0/1
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
  AS 6553600, Flags 0x1, Seq 1/0 interfaceQ 0/0 iidbQ un/rely 0/1 peerQ un/rely 0/1
EIGRP: Enqueueing UPDATE on GigabitEthernet1 nbr 10.20.20.2 topoid 0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-1
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
  AS 6553600, Flags 0x1, Seq 1/1 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: GigabitEthernet1 multicast flow blocking cleared , last received seq 1, out of sequence, this seq 1
EIGRP: Enqueueing ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
  Ack seq 1 iidbQ un/rely 0/1 peerQ un/rely 1/0
EIGRP: Suppressed ACK 1 to 10.20.20.2 on GigabitEthernet1
EIGRP: Requeued unicast on GigabitEthernet1
EIGRP: Requeued unicast on GigabitEthernet1
EIGRP: Received HELLO on GigabitEthernet1 nbr 10.20.20.2
  AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Receiving TOPOLIST on GigabitEthernet1 - 0 items
EIGRP: Sending TOPOLIST on GigabitEthernet1 - 1 items
EIGRP: Sending HELLO on GigabitEthernet1
  AS 6553601, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
  AS 6553600, Flags 0x1, Seq 1/1 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0 , last received seq 1, out of sequence, this seq 1
EIGRP: Enqueueing ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
  Ack seq 1 iidbQ un/rely 0/0 peerQ un/rely 1/0
EIGRP: Sending ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
  AS 6553600, Flags 0x0, Seq 0/1 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
EIGRP: Received UPDATE on GigabitEthernet1 nbr 10.20.20.2
  AS 6553858, Flags 0x0, Seq 2/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Enqueueing ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
  Ack seq 2 iidbQ un/rely 0/0 peerQ un/rely 1/0
EIGRP-IPv4(Default-IP-Routing-Table:100): route installed for 172.16.0.0 ()
EIGRP-IPv4(Default-IP-Routing-Table:100): route installed for 172.16.1.0 ()
EIGRP-IPv4(Default-IP-Routing-Table:100): route installed for 192.168.1.0 ()
EIGRP: Sending ACK on GigabitEthernet1 nbr 10.20.20.2 topoid 0
  AS 6553600, Flags 0x0, Seq 0/2 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
Additional debug commands
ASA1# debug eigrp ?
  fsm             EIGRP Dual Finite State Machine events/actions
  neighbors       EIGRP neighbors
  packets         EIGRP packets
  transmit        EIGRP transmission events
  user-interface  EIGRP User Interface
Verify EIGRP neighbor table
ASA1# show eigrp neighbors
EIGRP-IPv4 neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   10.20.20.2      Gi1         13    00:00:38  1     200   0    1
NOTE: A Q count of 0 means a healthy neighbor relationship. The Q count is the number of EIGRP packets (query, reply, update) that this device is still waiting to send to the neighbor.
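As an added example (not part of the original article), this Python parses the show eigrp neighbors table in the format shown above and applies the checks the article implies: Q count must be 0, the hold timer should not be close to expiry, and a neighbor should only appear on the interface the design allows (inside, shown as Gi1), since outside is passive. The sample text is constructed; the second row is an invented unhealthy entry so the checks have something to flag, and the function names and the hold_floor threshold are my own.

```python
import re

# Constructed sample in the article's 'show eigrp neighbors' format:
# row 0 is the healthy neighbor from the lab, row 1 is an invented
# entry with packets stuck in the queue on the outside interface (Gi0).
SAMPLE = """\
EIGRP-IPv4 neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   10.20.20.2      Gi1         13    00:00:38  1     200   0    1
1   10.10.10.1      Gi0         11    00:01:02  5     300   3    7
"""

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q, seq.
NEIGHBOR_RE = re.compile(
    r"^(?P<h>\d+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+"
    r"(?P<hold>\d+)\s+(?P<uptime>\S+)\s+(?P<srtt>\d+)\s+(?P<rto>\d+)\s+"
    r"(?P<q>\d+)\s+(?P<seq>\d+)\s*$")


def parse_neighbors(text):
    """Return one dict per neighbor row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("h", "hold", "srtt", "rto", "q", "seq"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def check_neighbors(text, allowed_intfs, hold_floor=5):
    """Flag rows that contradict the intended design: a non-zero Q count
    (packets waiting for the neighbor), a hold timer about to expire, or
    an adjacency on an interface that should have been passive."""
    findings = []
    for n in parse_neighbors(text):
        if n["q"] != 0:
            findings.append(f"{n['addr']}: Q count {n['q']} (expected 0)")
        if n["hold"] < hold_floor:
            findings.append(f"{n['addr']}: hold {n['hold']}s near expiry")
        if n["intf"] not in allowed_intfs:
            findings.append(f"{n['addr']}: neighbor on {n['intf']}, not an allowed interface")
    return findings
```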
Verify the interface running EIGRP
ASA1# show eigrp interfaces inside
EIGRP-IPv4 interfaces for process 100

                  Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
inside     1      0/0          963    0/1           4817         0
Verify the EIGRP topology table
ASA1# show eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(10.20.20.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.10.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet0
P 10.20.20.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet1
P 192.168.1.0 255.255.255.0, 1 successors, FD is 156160
        via 10.20.20.2 (156160/128256), GigabitEthernet1
P 172.16.0.0 255.255.255.0, 1 successors, FD is 156160
        via 10.20.20.2 (156160/128256), GigabitEthernet1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 156160
        via 10.20.20.2 (156160/128256), GigabitEthernet1
NOTE: Even though 10.10.10.0/24 and 10.20.20.0/24 are directly connected networks of ASA1, they are included in EIGRP’s topology table because of the network commands.
Verify the route-table
ASA1# show route | beg Gateway
Gateway of last resort is not set

D    172.16.0.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:16, inside
D    172.16.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:16, inside
C    10.20.20.0 255.255.255.0 is directly connected, inside
C    10.10.10.0 255.255.255.0 is directly connected, outside
D    192.168.1.0 255.255.255.0 [90/156160] via 10.20.20.2, 0:00:16, inside

R2# show ip route eigrp | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.10.10.0/24 [90/284160] via 10.20.20.1, 00:00:03, Ethernet0/1
I hope you enjoyed this article. Please feel free to leave any comment or feedback.
Excellent introduction about ASA firewall.
It would be great if more were written about the ASA firewall, like the difference between a normal router and an ASA firewall, where it is placed (at the core or the edge of a network), and how it is effectively utilized, like its benefits.
I would be highly grateful if you wrote about SNMP in detail: a simple configuration and daily uses, and how it is different from Syslog and other tools like PRTG.
Thanks and kind regards,
Mukesh Kumar
Sure thing. Will do. Subscribe to my newsletter so you can get an email notification whenever I publish a new article.