I can only make a sigh and this is not a sigh of relief unfortunately.
I tried to change the host route in the SW1 EIGRP statement from 150.1.7.7 
0.0.0.0 to be 150.1.7.0 0.0.0.255
And the ASA ACL from
access-list EIGRP-REDIST standard permit host 150.1.7.7
to
access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0
Still no luck, wondering what's the difference between these two ACE from the 
ASA perspective:

access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0
access-list EIGRP-REDIST standard permit 150.1.7.0 255.255.255.0

It receives both routes from the switch but the route to 192.10.1.0/24 is 
passed to the neighboring EIGRP peer but not 150.1.7.0

My sigh of frustration was mostly caused by what I ran into this morning while 
working with our client.
Their ASA firewalls running 8.2.x. code started rebooting after the upgrade 
when SSH traffic was passing it. The client is power generation utility and for 
them it is VERY critical.
Cisco just bluntly provided them with the bug ID saying that all ASA software 
is affected:

===========================================================
ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC
Symptom:
ASA may reload with a traceback in one of the following thread names:

Thread Name: DATAPATH-x-xxxx (Datapath can have different numbers here)
Thread Name: DHCP Client
Thread Name: SSH

Conditions:
Affects all ASA platforms.

Workaround:
None

ASA 8.4.3.5 traceback async_lock_global_work_queue_service
Symptom: ASA running 8.4.3.9 crashes Conditions: Still under investigation 
Workaround: None

 ASA 5505 8.4(3)9 traceback with traceback Thread Name: DHCP Client
Symptom: ASA crashed with traceback in Thread Name: DHCP Client Conditions: ASA 
8.4(3)9 Workaround: None

 ASA 8.0.5 Traceback in dispatch unit
Symptom: ASA may reload and produce a crash. Conditions: First seen on ASA 
8.0.5.27
================================================================



From: Matt Manire [mailto:[email protected]]
Sent: Tuesday, June 19, 2012 7:45 AM
To: Eugene Pefti; ccie security
Subject: RE: [OSL | CCIE_Security] EIGRP distribute-list on ASA

Eugene,

It may be a bug in the ASA code.  I ran into the same issue in my test lab and 
I seem to recall this being a known bug.  I am running version 8.0(4)32 on an 
old PIX.

Thanks,

Matt Manire
CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
Information Systems Security Manager
[email protected]<mailto:[email protected]>
t: 817.525.1863
f: 817.525.1903
m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006| 
www.FirstRate.com<http://www.firstrate.com/>


From: 
[email protected]<mailto:[email protected]>
 
[mailto:[email protected]<mailto:[email protected]>]
 On Behalf Of Eugene Pefti
Sent: Monday, June 18, 2012 10:13 PM
To: ccie security
Subject: [OSL | CCIE_Security] EIGRP distribute-list on ASA

Guys,
What's wrong with my distribute-list that I'm trying to setup on the ASA to 
allow only routes 192.10.1.0/24<http://192.10.1.0/24> and 150.1.7.7 to send to 
R4 ?

The topology is as follows:

BB2---(192.10.1.0)--------SW1 ------------- 
(EIGRP)--------ASA--------(EIGRP)---------R4
                                      (loopback-150.1.7.7)


I create an ACL on the ASA to include the above said networks to be included in 
EIGRP updates:

access-list EIGRP-REDIST standard permit host 150.1.7.7
access-list EIGRP-REDIST standard permit 192.10.1.0 255.255.255.0

and instruct it to send an update to R4 on its OUT interface

router eigrp 100
  distribute-list EIGRP-REDIST out interface OUT
  network 163.1.124.0 255.255.255.0
  network 163.1.127.0 255.255.255.0

Then I verify routes on R4 and see that there's route to 
192.10.1.0/24<http://192.10.1.0/24> network but no route to 150.1.7.7
Removing the distribute-list restores the route to SW1 loopback on R4.

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to