Cisco ASA – Reverse Route Injection with EIGRP

KB ID 0001137 

Problem

I’ve followed your Reverse Route Injection article and its not working? This email dropped in my mailbox a while back As it turns out the article I had written was for OSPF, and this chap was using EIGRP. So I ran it up with EIGRP as well to test.

Heres my topology, I want to inject the route for the remote site, into my internal EIGRP routing table.

Solution

Assuming EIGRP is already setup between the ASA and the LAN (i.e. Core Switch).

[box]

ASA

Petes-ASA# show run router
!
router eigrp 20
 no auto-summary
 network 10.1.0.0 255.255.0.0
 passive-interface default
 no passive-interface inside
 redistribute static
!

Switch

Core-SW#show run | sec router
router eigrp 20
 network 10.1.0.0 0.0.255.255
 network 10.2.0.0 0.0.255.255
 network 10.3.0.0 0.0.255.255
 no auto-summary

[/box]

Also assuming you already have a site to site VPN established and working.

[box]

Petes-ASA# show cry isakmp 

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.249.254
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 


Petes-ASA# show cry ipsec sa
interface: outside
    Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 192.168.253.254

      access-list VPN-INTERESTING-TRAFIC extended permit ip 10.1.0.0 255.255.0.0 10.250.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
      current_peer: 192.168.249.254

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

[/box]

Show the Cryptomap, then add the RRI.

[box]

Petes-ASA# show run crypto   
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs 
crypto map CRYPTO-MAP 1 set peer 192.168.249.254 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400


Petes-ASA# configure terminal 
Petes-ASA(config)# crypto map CRYPTO-MAP 1 set reverse-route
Petes-ASA(config)#

[/box]

Create a ‘Prefix-List’ for the routes to inject (i.e the remote LAN at the other end of the VPN tunnel).

[box]

Petes-ASA(config)# prefix-list PL-VPN-ROUTES description Route-Map For Injecting Remote VPN Routes
Petes-ASA(config)# prefix-list PL-VPN-ROUTES seq 5 permit 10.250.0.0/16

[/box]

Create a ‘route-map’ to inject your prefix-list.

[box]

Petes-ASA(config)# route-map RM-VPN-ROUTES permit 10
Petes-ASA(config-route-map)# match ip address prefix-list PL-VPN-ROUTE 
Petes-ASA(config-route-map)# set metric 1200
Petes-ASA(config-route-map)# exit
Petes-ASA(config)# route-map RM-VPN-ROUTES deny 100

[/box]

With the tunnel up check your internal routing table;

Update: As pointed out by SteveH

You’ve missed the route-map off the re-distribute command,

router eigrp 20
redistribute static route-map RM-VPN-ROUTES

[box]

Core-SW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/16 is subnetted, 4 subnets
C       10.2.0.0 is directly connected, GigabitEthernet2/0
C       10.3.0.0 is directly connected, GigabitEthernet3/0
C       10.1.0.0 is directly connected, GigabitEthernet1/0
D EX    10.250.0.0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
D*EX 0.0.0.0/0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA – Reverse Route Injection with OSPF