Solved

Any BGP commands manual for Cisco ASA firewall?

Posted on 2010-11-21
11
1,451 Views
Last Modified: 2012-06-21
This is using Cisco ASA firewall. Recently, there is a requirement to configure for BGP. I just wondering where to get the BGP commands for the above firewall?
0
Comment
Question by:Balack
  • 2
  • 2
  • 2
  • +2
11 Comments
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
Comment Utility
Cisco ASA cannot do BGP whatsoever. You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP. There are issues with making the ASA forward BGP-packets but this can be solved with configuration. But the ASA can never talk BGP as a router.

Best regards
Kvistofta
0
 

Author Comment

by:Balack
Comment Utility
You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP.

Does this means that in order to support BGP, I can put a router in front  OR at the back of ASA? If so, can you share some info on how to make it work, with router put in front?
0
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
The BGP speaking router goes in front of the ASA.
0
 
LVL 23

Expert Comment

by:Mysidia
Comment Utility
It is true that ASAs cannot implement BGP,  it is a feature Cisco excluded from the ASA,  so you do need a router such as a 1700, 26xx, or 72xx  series router to take care of that for you.

Make sure you choose a router model appropriate for the number of routes it will receive from the ISP, and appropriate for the speed of your network / throughput provided by the link, for example  you need a higher end router if your device will be on the DFZ with copies of the full routing table from several ISPs connected to you,  than if you only take a single default route from one ISP.


If you need to establish a BGP session with an ISP router outside your LAN, design your network, so ther router is on the network connected to the outside interface of the ASA.


Two routers that need to communicate with each other using BGP should be on the same subnet,  there should not be a firewall such as an ASA placed in between routers that need to speak BGP with each other.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 17

Expert Comment

by:Kvistofta
Comment Utility
There is no need for 2 BGP peers to be on the same subnet. BGP is not like other routing protocols that uses broadcasts/multicasts to find peers and build adjasancies.

Best regards
Kvistofta
0
 
LVL 23

Expert Comment

by:Mysidia
Comment Utility
BGP SHOULD have IP addresses on the same subnet in your case,   that is assuming there is only one router to speak BGP at the current time.

If these are IBGP peers, "SHOULD have IP addresses on the same subnet" changes to a MUST requirement.

2 EBGP peers on separate subnets are possible through EBGP multihop extension, but it is not advisable in these circumstances,
unless your ISP has special requirements and will direct you otherwise, based on anything described.  Specifically,  the BGP speaking router should be on the outside the firewall if the BGP peer router is outside the firewall.


If the existing BGP peer you need to establish a session with is inside the firewall,   then your additional BGP router should be inside the firewall also.


My suggestion that you add an router for BGP and place it  outside the firewall, is based on the assumption the reason you need BGP support is to arrange EBGP session with your ISP(s) to announce  some prefix(es) over a WAN to an upstream internet service provider.

The most common reason one would be looking for BGP support on a firewall.     If  you have other needs, we would need information about those other needs / why you need a firewall/gateway  running BGP,  for us to provide more specific guidance




0
 

Author Comment

by:Balack
Comment Utility
Any sample configuration for the BGP?
0
 
LVL 33

Expert Comment

by:digitap
Comment Utility
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now