Hi Rene, I have a question regarding recursive routing and the filtering of routing interfaces.
I have a network similar to the one shown in the EIGRP Route-Map Filtering lesson. The difference in my network is that the tunnel area has two ASAs, so that if the primary route fails, routing information can be sent over a tunnel to the remote site via the internet. Routing on this network is provided by EIGRP. Currently, when the primary route fails, the link that goes over the internet goes into recursive routing and fails.
interface Tunnel0
ip address 192.168.100.1 255.255.255.0
tunnel source GigabitEthernet2/0.40
tunnel destination 10.164.58.33
!
interface Loopback0
description test interface
ip address 10.164.56.8 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface GigabitEthernet1/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet2/0
description SubInterfaced
no ip address
negotiation auto
!
interface GigabitEthernet2/0.20
description Users
encapsulation dot1Q 20
ip address 10.164.57.1 255.255.255.128
no snmp trap link-status
!
interface GigabitEthernet2/0.30
description Servers
encapsulation dot1Q 30
ip address 10.164.56.49 255.255.255.248
no snmp trap link-status
!
interface GigabitEthernet2/0.40
description ASATransit
encapsulation dot1Q 40
ip address 10.164.56.33 255.255.255.248
no snmp trap link-status
!
interface GigabitEthernet2/0.85
description Cloudbridge
encapsulation dot1Q 85
ip address 10.164.56.57 255.255.255.248
no snmp trap link-status
!
interface GigabitEthernet2/0.90
description EntelMPLS
encapsulation dot1Q 90
ip address 192.168.1.252 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet2/0.360
description NetManagement
encapsulation dot1Q 360
ip address 10.164.56.41 255.255.255.248
no snmp trap link-status
!
interface GigabitEthernet3/0
description OptusTransit
ip address 10.164.56.1 255.255.255.248
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet5/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet6/0
no ip address
shutdown
negotiation auto
!
router eigrp 10
redistribute connected
redistribute bgp 64973 metric 4000 10 255 1 1476
network 10.1.1.0 0.0.0.3
network 10.164.56.0 0.0.0.7
network 10.164.56.8 0.0.0.7
network 10.164.56.16 0.0.0.7
network 10.164.56.32 0.0.0.7
network 10.164.56.40 0.0.0.7
network 10.164.57.0 0.0.0.127
network 192.168.1.0
network 192.168.100.0
no auto-summary
eigrp router-id 1.1.1.1
neighbor 10.164.56.34 GigabitEthernet2/0.40
neighbor 192.168.100.2 Tunnel0
!
router bgp 64973
no synchronization
bgp log-neighbor-changes
network 10.164.57.128 mask 255.255.255.128
network 10.164.58.6 mask 255.255.255.255
network 10.164.58.32 mask 255.255.255.248
network 10.164.58.48 mask 255.255.255.248
network 10.164.59.0 mask 255.255.255.192
network 192.168.1.254 mask 255.255.255.255
network 192.168.3.1 mask 255.255.255.255
redistribute connected
neighbor 10.164.56.2 remote-as 64972
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.164.56.34
no ip http server
no ip http secure-server
!
!
!
ip access-list standard NET_192_100
permit 192.168.100.0 0.0.0.255
ip access-list standard NET_56
permit 10.164.56.32 0.0.0.7
!
ip access-list extended WCCP_GRE_Redirect
permit ip any any
ip access-list extended WCCP_Redirect
deny ip 0.0.0.0 255.255.248.0 0.0.0.0 255.255.248.0
permit ip any any
!
logging alarm informational
no cdp log mismatch duplex
!
route-map FILTER_OUT deny 10
match ip address NET_192_100
!
route-map FILTER_OUT permit 20
!
route-map FILT_OUT_56 deny 10
match ip address NET_56
!
route-map FILT_OUT_56 permit 20
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
!
!
end
!
interface Tunnel0
ip address 192.168.100.2 255.255.255.0
tunnel source GigabitEthernet2/0.40
tunnel destination 10.164.56.33
!
interface Loopback0
ip address 10.164.58.8 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface GigabitEthernet1/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet2/0
description SubInterfaced
no ip address
negotiation auto
!
interface GigabitEthernet2/0.10
description Servers
encapsulation dot1Q 10
ip address 10.164.59.1 255.255.255.192
ip wccp 53 redirect in
ip wccp 54 redirect in
no snmp trap link-status
!
interface GigabitEthernet2/0.20
description Users
encapsulation dot1Q 20
ip address 10.164.57.129 255.255.255.128
ip helper-address 10.164.59.41
ip wccp 53 redirect in
ip wccp 54 redirect in
no snmp trap link-status
!
interface GigabitEthernet2/0.30
description GuestAccess
encapsulation dot1Q 30
ip address 172.16.34.1 255.255.255.128
ip helper-address 10.164.59.41
ip helper-address 10.160.0.40
no snmp trap link-status
!
interface GigabitEthernet2/0.40
description ASAInside
encapsulation dot1Q 40
ip address 10.164.58.33 255.255.255.248
no snmp trap link-status
!
interface GigabitEthernet2/0.85
description Cloudbridge
encapsulation dot1Q 85
ip address 10.164.58.1 255.255.255.248
no snmp trap link-status
!
interface GigabitEthernet2/0.302
description EntelMPLS
encapsulation dot1Q 302
ip address 192.168.3.2 255.255.255.0
ip wccp 51 redirect in
ip wccp 52 redirect in
no snmp trap link-status
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet5/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet6/0
no ip address
shutdown
negotiation auto
!
router eigrp 10
network 10.164.56.66 0.0.0.0
network 10.164.57.128 0.0.0.127
network 10.164.58.1 0.0.0.0
network 10.164.58.8 0.0.0.0
network 10.164.58.32 0.0.0.7
network 10.164.59.1 0.0.0.0
network 192.168.3.0
network 192.168.100.0
distribute-list route-map FILT_OUT_58 out
no auto-summary
eigrp router-id 2.2.2.2
neighbor 10.164.58.34 GigabitEthernet2/0.40
neighbor 192.168.100.1 Tunnel0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.164.58.34
ip route 10.175.227.0 255.255.255.0 192.168.3.1 2
ip route 10.175.228.0 255.255.255.0 192.168.3.1 2
ip route 172.16.32.0 255.255.255.0 192.168.3.1 2
no ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
ip access-list standard NET_192_100
permit 192.168.100.0 0.0.0.255
ip access-list standard NET_58
permit 10.164.58.32 0.0.0.7
!
ip access-list extended WCCP_Redirect_LAN_Ingress
deny ip any 10.164.56.0 0.0.7.255 log
permit ip 10.164.56.0 0.0.7.255 10.0.0.0 0.255.255.255 log
ip access-list extended WCCP_Redirect_WAN_Ingress
deny ip 10.164.56.0 0.0.7.255 any log
permit ip 10.0.0.0 0.255.255.255 10.164.56.0 0.0.7.255
!
logging alarm informational
no cdp log mismatch duplex
!
route-map FILTER_OUT deny 10
match ip address NET_192_100
!
route-map FILTER_OUT permit 20
!
route-map FILT_OUT_58 deny 10
match ip address NET_58
!
route-map FILT_OUT_58 permit 20
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
!
!
end
AWSANTASA01(config-router)# show run
: Saved
:
: Serial Number: 9ARGJW8UCR7
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 3465 MHz
:
ASA Version 9.5(2)
!
hostname AWSANTASA01
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif INSIDE
security-level 100
ip address 10.164.56.34 255.255.255.248
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif OUTSIDE
security-level 0
ip address 200.111.55.138 255.255.255.248
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list LAN1_LAN2 extended permit ip 10.164.56.32 255.255.255.248 10.164.58.32 255.255.255.248
pager lines 23
mtu INSIDE 1500
mtu OUTSIDE 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router eigrp 10
eigrp stub connected
neighbor 10.164.56.33 interface INSIDE
network 10.164.32.0 255.255.255.248
network 10.164.56.32 255.255.255.248
redistribute connected
!
route OUTSIDE 0.0.0.0 0.0.0.0 200.111.55.137 2
route OUTSIDE 10.116.58.32 255.255.255.248 186.67.106.90 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 186.67.106.90
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE
AWREQASA01# show run
: Saved
:
: Serial Number: 9AGGCHM29TA
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 3465 MHz
:
ASA Version 9.5(2)
!
hostname AWREQASA01
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif OUTSIDE
security-level 0
ip address 186.67.106.90 255.255.255.248
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
nameif INSIDE
security-level 100
ip address 10.164.58.34 255.255.255.248
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list LAN2_LAN1 extended permit ip 10.164.58.32 255.255.255.248 10.164.56.32 255.255.255.248
pager lines 23
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router eigrp 10
neighbor 10.164.58.33 interface INSIDE
network 10.164.58.32 255.255.255.248
!
route OUTSIDE 0.0.0.0 0.0.0.0 186.67.106.89 1
route OUTSIDE 10.164.56.32 255.255.255.248 200.111.55.138 2
route INSIDE 10.164.57.128 255.255.255.128 10.164.58.33 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 10 set peer 200.111.55.138
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE
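The configs above show an asymmetry that produces exactly this symptom. The router with router-id 2.2.2.2 applies `distribute-list route-map FILT_OUT_58 out`, so it never advertises its own tunnel-source subnet 10.164.58.32/29 into the tunnel. The router with router-id 1.1.1.1 defines NET_56 and FILT_OUT_56 but never applies them under `router eigrp 10`, while `network 10.164.56.32 0.0.0.7` and `redistribute connected` both put 10.164.56.32/29 into EIGRP. Router 2's tunnel destination, 10.164.56.33, sits inside that /29; its only other path to it is the static default to the ASA (10.164.58.34), and a /29 learned over Tunnel0 is more specific than 0.0.0.0/0, so longest-prefix match sends the GRE underlay into the tunnel itself and IOS shuts the tunnel down for recursive routing (the `%TUN-5-RECURDOWN` syslog is the usual tell). While the primary path is up, an equally specific /29 with a lower administrative distance (for example one learned via BGP on the primary link) would mask this, which is consistent with the failure appearing only after the primary route goes away. The fragment below is an added example of the filtering that closes the loop, not part of the original post or of Rene's lesson; NET_56, FILT_OUT_56, NET_58 and FILT_OUT_58 are taken from the posted configs, while NET_REMOTE_UNDERLAY and FILT_IN_TUN are names assumed here.

```ios
! Router 1 (router-id 1.1.1.1, tunnel source 10.164.56.33) -- added example.
! Apply the route-map that already exists in the posted config, scoped to
! Tunnel0 so the EIGRP neighbour on Gi2/0.40 (the ASA) is unaffected.
router eigrp 10
 distribute-list route-map FILT_OUT_56 out Tunnel0
!
! Also refuse to learn the remote underlay /29 over the tunnel, so a peer that
! forgets its own outbound filter cannot push this router into the same loop.
! NET_REMOTE_UNDERLAY and FILT_IN_TUN are assumed names, not from the post.
ip access-list standard NET_REMOTE_UNDERLAY
 permit 10.164.58.32 0.0.0.7
!
route-map FILT_IN_TUN deny 10
 match ip address NET_REMOTE_UNDERLAY
!
route-map FILT_IN_TUN permit 20
!
router eigrp 10
 distribute-list route-map FILT_IN_TUN in Tunnel0
!
! Optional belt and braces: pin the tunnel destination to the ASA path.
! A static /29 (AD 1) beats an EIGRP-learned /29 (AD 90) of the same length,
! so the GRE underlay always rides the IPsec path between the two ASAs.
ip route 10.164.58.32 255.255.255.248 10.164.56.34

! Router 2 (router-id 2.2.2.2, tunnel source 10.164.58.33) -- mirror image.
! FILT_OUT_58 is already applied to all interfaces in the post; only the
! inbound filter and the optional static pin are new here.
ip access-list standard NET_REMOTE_UNDERLAY
 permit 10.164.56.32 0.0.0.7
!
route-map FILT_IN_TUN deny 10
 match ip address NET_REMOTE_UNDERLAY
!
route-map FILT_IN_TUN permit 20
!
router eigrp 10
 distribute-list route-map FILT_IN_TUN in Tunnel0
!
ip route 10.164.56.32 255.255.255.248 10.164.58.34
```

After applying this, `show ip route 10.164.56.33` on router 2 (and `show ip route 10.164.58.33` on router 1) should resolve via the ASA's INSIDE address, never via Tunnel0, and `show ip eigrp topology` on each router should no longer list the remote underlay /29 with Tunnel0 as the successor interface. Filtering in both directions is deliberate: the outbound filter protects the neighbour, the inbound filter protects the local router, and the two /29s are the only prefixes that must never cross the tunnel, so the filters stay narrow. The posted ASA configs also contain two lines worth double-checking against the rest: on AWSANTASA01, `route OUTSIDE 10.116.58.32 255.255.255.248 186.67.106.90 2` uses 10.116 where the crypto ACL LAN1_LAN2 and the peer use 10.164, and `network 10.164.32.0 255.255.255.248` under `router eigrp 10` does not match any configured interface. Neither line causes the recursion (the default route plus the crypto ACL still carry the traffic), but they look like typos.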