Cisco ASA – Reverse Route Injection with EIGRP

KB ID 0001137 


“I’ve followed your Reverse Route Injection article and it’s not working?” This email dropped into my mailbox a while back. As it turns out, the article I had written was for OSPF, and this chap was using EIGRP, so I ran it up with EIGRP as well to test.

Here’s my topology; I want to inject the route for the remote site into my internal EIGRP routing table.



Assuming EIGRP is already set up between the ASA and the LAN (i.e. the Core Switch).


Petes-ASA# show run router
router eigrp 20
 no auto-summary
 passive-interface default
 no passive-interface inside
 redistribute static


Core-SW#show run | sec router
router eigrp 20
 no auto-summary

Also assuming you already have a site-to-site VPN established and working.

Petes-ASA# show cry isakmp 

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 

Petes-ASA# show cry ipsec sa
interface: outside
    Crypto map tag: CRYPTO-MAP, seq num: 1, local addr:

      access-list VPN-INTERESTING-TRAFIC extended permit ip 
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

Show the Cryptomap, then add the RRI.

Petes-ASA# show run crypto   
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs 
crypto map CRYPTO-MAP 1 set peer 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

Petes-ASA# configure terminal 
Petes-ASA(config)# crypto map CRYPTO-MAP 1 set reverse-route

Create a ‘prefix-list’ for the routes to inject (i.e. the remote LAN at the other end of the VPN tunnel).

Petes-ASA(config)# prefix-list PL-VPN-ROUTES description Route-Map For Injecting Remote VPN Routes
Petes-ASA(config)# prefix-list PL-VPN-ROUTES seq 5 permit

Create a ‘route-map’ to inject your prefix-list.

Petes-ASA(config)# route-map RM-VPN-ROUTES permit 10
Petes-ASA(config-route-map)# match ip address prefix-list PL-VPN-ROUTES
Petes-ASA(config-route-map)# set metric 1200
Petes-ASA(config-route-map)# exit
Petes-ASA(config)# route-map RM-VPN-ROUTES deny 100

With the tunnel up, check your internal routing table:

Update: As pointed out by Steve Housego, “You’ve missed the route-map off the redistribute command”:

router eigrp 20
redistribute static route-map RM-VPN-ROUTES

Core-SW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is to network is subnetted, 4 subnets
C is directly connected, GigabitEthernet2/0
C is directly connected, GigabitEthernet3/0
C is directly connected, GigabitEthernet1/0
D EX [170/28416] via, 00:00:02, GigabitEthernet1/0
D*EX [170/28416] via, 00:00:02, GigabitEthernet1/0
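Two things went wrong on this page before it worked: the route-map referenced a prefix-list whose name did not match (PL-VPN-ROUTE vs PL-VPN-ROUTES), and `redistribute static` was applied without the route-map, which pushes every static route on the ASA (a default route included) into EIGRP. The following linter is an added example, not part of the original article or of Cisco's tooling; it runs over a constructed `show run` fragment (the 10.2.0.0/24 prefix is a placeholder, since the article's addresses are not shown) and flags exactly those two defects plus a crypto map entry that lacks `set reverse-route`.

```python
import re

# Constructed sample reproducing the article's config with its two defects:
# the misspelled prefix-list reference and the bare "redistribute static".
SAMPLE_CONFIG = """\
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set reverse-route
prefix-list PL-VPN-ROUTES seq 5 permit 10.2.0.0/24
route-map RM-VPN-ROUTES permit 10
 match ip address prefix-list PL-VPN-ROUTE
 set metric 1200
route-map RM-VPN-ROUTES deny 100
router eigrp 20
 no auto-summary
 redistribute static
"""

def lint_rri_config(config):
    """Return findings for the RRI -> route-map -> EIGRP redistribution chain."""
    prefix_lists = set(re.findall(r"^prefix-list (\S+) seq", config, re.M))
    route_maps = set(re.findall(r"^route-map (\S+) ", config, re.M))
    findings = []
    # 1. every prefix-list a route-map matches on must actually be defined
    for name in re.findall(r"^\s*match ip address prefix-list (\S+)", config, re.M):
        if name not in prefix_lists:
            findings.append(f"route-map references undefined prefix-list {name}")
    # 2. each crypto map entry with interesting traffic should inject its route
    entries = set(re.findall(r"^crypto map (\S+ \d+) match address", config, re.M))
    rri = set(re.findall(r"^crypto map (\S+ \d+) set reverse-route", config, re.M))
    for entry in sorted(entries - rri):
        findings.append(f"crypto map {entry} has no 'set reverse-route'")
    # 3. "redistribute static" under router eigrp must be filtered by a route-map
    in_eigrp = False
    for line in config.splitlines():
        if line.startswith("router eigrp"):
            in_eigrp = True
        elif line and not line[0].isspace():
            in_eigrp = False          # left the router eigrp block
        elif in_eigrp and line.strip().startswith("redistribute static"):
            m = re.search(r"route-map (\S+)", line)
            if not m:
                findings.append("redistribute static has no route-map: every "
                                "static route (a default route included) enters EIGRP")
            elif m.group(1) not in route_maps:
                findings.append(f"redistribute static references undefined route-map {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in lint_rri_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the real `show run` output once the two lines are corrected and the list comes back empty.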

Related Articles, References, Credits, or External Links

Cisco ASA – Reverse Route Injection with OSPF

Author: PeteLong

  1. I have two independent ASAs, each with its own Internet connection, connected to a Catalyst 3750 which is the default gateway for the internal network. I have a remote ASA configured (crypto map with two peers, originate-only) to establish a site-to-site VPN to either ASA. Per your advice, I am using RRI over EIGRP to distribute my VPN nets internally and that appears to work great. What I’m missing is the default gateway ( How can I also redistribute that? Should I add it to my existing Prefix List? Set up a separate Route Map? Skip EIGRP for that part and set static routes on the 3750? (I have one now, but obviously that doesn’t provide Internet failover.) For what it’s worth, the Internet connections on the ASAs use PPPoE setroute so no static route defined by me, and the 3750 BASE image doesn’t support IP SLA. I thought about using a second static gateway with a higher metric, but I’m not sure if that is the best way to accomplish this.

    • Hi,

      I’m assuming the default route on the 3750 is currently pointing to one of the ASAs, so you manually have to fail over if you lose an ASA? If so, simply put another default route with a higher metric to the other ASA?


      • Thanks, you are correct. I was thinking about doing that, but concerned that failover wouldn’t occur without IP SLA tracking something beyond the device. If the ASA was available but the outside line down, wouldn’t the switch still attempt to send Internet traffic to it?

      • I simply added to my prefix list and it works! Thanks!

  2. You’ve missed the route-map off the redistribute command,

    router eigrp 20
    redistribute static route-map RM-VPN-ROUTES
