I can only make a sigh and this is not a sigh of relief unfortunately. I tried to change the host route in the SW1 EIGRP statement from 150.1.7.7 0.0.0.0 to be 150.1.7.0 0.0.0.255 And the ASA ACL from access-list EIGRP-REDIST standard permit host 150.1.7.7 to access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0 Still no luck, wondering what's the difference between these two ACE from the ASA perspective:
access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0 access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0 It receives both routes from the switch but the route to 192.10.1.0/24 is passed to the neighboring EIGRP peer but not 150.1.7.0 My sigh of frustration was mostly caused by what I ran into this morning while working with our client. Their ASA firewalls running 8.2.x. code started rebooting after the upgrade when SSH traffic was passing it. The client is power generation utility and for them it is VERY critical. Cisco just bluntly provided them with the bug ID saying that all ASA software is affected: =========================================================== ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC Symptom: ASA may reload with a traceback in one of the following thread names: Thread Name: DATAPATH-x-xxxx (Datapath can have different numbers here) Thread Name: DHCP Client Thread Name: SSH Conditions: Affects all ASA platforms. Workaround: None ASA 8.4.3.5 traceback async_lock_global_work_queue_service Symptom: ASA running 8.4.3.9 crashes Conditions: Still under investigation Workaround: None ASA 5505 8.4(3)9 traceback with traceback Thread Name: DHCP Client Symptom: ASA crashed with traceback in Thread Name: DHCP Client Conditions: ASA 8.4(3)9 Workaround: None ASA 8.0.5 Traceback in dispatch unit Symptom: ASA may reload and produce a crash. Conditions: First seen on ASA 8.0.5.27 ================================================================ From: Matt Manire [mailto:[email protected]] Sent: Tuesday, June 19, 2012 7:45 AM To: Eugene Pefti; ccie security Subject: RE: [OSL | CCIE_Security] EIGRP distribute-list on ASA Eugene, It may be a bug in the ASA code. I ran into the same issue in my test lab and I seem to recall this being a known bug. I am running version 8.0(4)32 on an old PIX. Thanks, Matt Manire CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000 Information Systems Security Manager [email protected]<mailto:[email protected]> t: 817.525.1863 f: 817.525.1903 m: 817.271.9165 First Rate | 1903 Ascension Boulevard | Arlington, TX 76006| www.FirstRate.com<http://www.firstrate.com/> From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Eugene Pefti Sent: Monday, June 18, 2012 10:13 PM To: ccie security Subject: [OSL | CCIE_Security] EIGRP distribute-list on ASA Guys, What's wrong with my distribute-list that I'm trying to setup on the ASA to allow only routes 192.10.1.0/24<http://192.10.1.0/24> and 150.1.7.7 to send to R4 ? The topology is as follows: BB2---(192.10.1.0)--------SW1 ------------- (EIGRP)--------ASA--------(EIGRP)---------R4 (loopback-150.1.7.7) I create an ACL on the ASA to include the above said networks to be included in EIGRP updates: access-list EIGRP-REDIST standard permit host 150.1.7.7 access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0 and instruct it to send an update to R4 on its OUT interface router eigrp 100 distribute-list EIGRP-REDIST out interface OUT network 163.1.124.0 255.255.255.0 network 163.1.127.0 255.255.255.0 Then I verify routes on R4 and see that there's route to 192.10.1.0/24<http://192.10.1.0/24> network but no route to 150.1.7.7 Removing the distribute-list restores the route to SW1 loopback on R4. Eugene
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
