Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Any BGP commands manual for Cisco ASA firewall?

Posted on 2010-11-21
11
Medium Priority
?
1,499 Views
Last Modified: 2012-06-21
This is using Cisco ASA firewall. Recently, there is a requirement to configure for BGP. I just wondering where to get the BGP commands for the above firewall?
0
Comment
Question by:Balack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
11 Comments
 
LVL 17

Accepted Solution

by:
Kvistofta earned 2000 total points
ID: 34186289
Cisco ASA cannot do BGP whatsoever. You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP. There are issues with making the ASA forward BGP-packets but this can be solved with configuration. But the ASA can never talk BGP as a router.

Best regards
Kvistofta
0
 

Author Comment

by:Balack
ID: 34186602
You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP.

Does this means that in order to support BGP, I can put a router in front  OR at the back of ASA? If so, can you share some info on how to make it work, with router put in front?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 34209219
The BGP speaking router goes in front of the ASA.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 23

Expert Comment

by:Mysidia
ID: 34210692
It is true that ASAs cannot implement BGP,  it is a feature Cisco excluded from the ASA,  so you do need a router such as a 1700, 26xx, or 72xx  series router to take care of that for you.

Make sure you choose a router model appropriate for the number of routes it will receive from the ISP, and appropriate for the speed of your network / throughput provided by the link, for example  you need a higher end router if your device will be on the DFZ with copies of the full routing table from several ISPs connected to you,  than if you only take a single default route from one ISP.


If you need to establish a BGP session with an ISP router outside your LAN, design your network, so ther router is on the network connected to the outside interface of the ASA.


Two routers that need to communicate with each other using BGP should be on the same subnet,  there should not be a firewall such as an ASA placed in between routers that need to speak BGP with each other.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34210838
There is no need for 2 BGP peers to be on the same subnet. BGP is not like other routing protocols that uses broadcasts/multicasts to find peers and build adjasancies.

Best regards
Kvistofta
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 34221435
BGP SHOULD have IP addresses on the same subnet in your case,   that is assuming there is only one router to speak BGP at the current time.

If these are IBGP peers, "SHOULD have IP addresses on the same subnet" changes to a MUST requirement.

2 EBGP peers on separate subnets are possible through EBGP multihop extension, but it is not advisable in these circumstances,
unless your ISP has special requirements and will direct you otherwise, based on anything described.  Specifically,  the BGP speaking router should be on the outside the firewall if the BGP peer router is outside the firewall.


If the existing BGP peer you need to establish a session with is inside the firewall,   then your additional BGP router should be inside the firewall also.


My suggestion that you add an router for BGP and place it  outside the firewall, is based on the assumption the reason you need BGP support is to arrange EBGP session with your ISP(s) to announce  some prefix(es) over a WAN to an upstream internet service provider.

The most common reason one would be looking for BGP support on a firewall.     If  you have other needs, we would need information about those other needs / why you need a firewall/gateway  running BGP,  for us to provide more specific guidance




0
 

Author Comment

by:Balack
ID: 34288201
Any sample configuration for the BGP?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34459677
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
This program is used to assist in finding and resolving common problems with wireless connections.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question