  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1505

Any BGP commands manual for Cisco ASA firewall?

This is using a Cisco ASA firewall. Recently, there is a requirement to configure BGP. I am just wondering where to get the BGP commands for the above firewall?
0
Balack
Asked:
1 Solution
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant Commented:
Cisco ASA cannot do BGP whatsoever. You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP. There are issues with making the ASA forward BGP packets, but this can be solved with configuration. But the ASA can never talk BGP as a router.

Best regards
Kvistofta
0
 
Balack (Author) Commented:
"You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP."

Does this mean that in order to support BGP, I can put a router in front OR at the back of the ASA? If so, can you share some info on how to make it work, with the router put in front?
0
 
Jan Springer Commented:
The BGP speaking router goes in front of the ASA.
0
 
Mysidia Commented:
It is true that ASAs cannot implement BGP; it is a feature Cisco excluded from the ASA, so you do need a router such as a 1700, 26xx, or 72xx series router to take care of that for you.

Make sure you choose a router model appropriate for the number of routes it will receive from the ISP, and appropriate for the speed of your network / throughput provided by the link. For example, you need a higher-end router if your device will be on the DFZ with copies of the full routing table from several ISPs connected to you than if you only take a single default route from one ISP.

If you need to establish a BGP session with an ISP router outside your LAN, design your network so the router is on the network connected to the outside interface of the ASA.

Two routers that need to communicate with each other using BGP should be on the same subnet; there should not be a firewall such as an ASA placed in between routers that need to speak BGP with each other.
0
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant Commented:
There is no need for 2 BGP peers to be on the same subnet. BGP is not like other routing protocols that use broadcasts/multicasts to find peers and build adjacencies.

Best regards
Kvistofta
0
 
Mysidia Commented:
BGP SHOULD have IP addresses on the same subnet in your case; that is assuming there is only one router to speak BGP at the current time.

If these are IBGP peers, "SHOULD have IP addresses on the same subnet" changes to a MUST requirement.

2 EBGP peers on separate subnets are possible through the EBGP multihop extension, but it is not advisable in these circumstances, unless your ISP has special requirements and will direct you otherwise, based on anything described. Specifically, the BGP speaking router should be on the outside of the firewall if the BGP peer router is outside the firewall.

If the existing BGP peer you need to establish a session with is inside the firewall, then your additional BGP router should be inside the firewall also.

My suggestion that you add a router for BGP and place it outside the firewall is based on the assumption that the reason you need BGP support is to arrange an EBGP session with your ISP(s) to announce some prefix(es) over a WAN to an upstream internet service provider.

That is the most common reason one would be looking for BGP support on a firewall. If you have other needs, we would need information about those other needs / why you need a firewall/gateway running BGP, for us to provide more specific guidance.




0
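The placement described in the answers above (a router outside the ASA holding the EBGP session with the ISP on a shared subnet, taking only a default route), sketched as an added Cisco IOS configuration that is not part of the original thread. The AS numbers, addresses, interface names, prefix-list names and key are constructed placeholders, and the session password and TTL check assume the ISP configures the same on its side.

```cisco
! Added example: IOS edge router sitting outside the ASA.
! Every address, AS number, name and key below is a constructed placeholder.
!
interface GigabitEthernet0/0
 description Link to ISP (same subnet as the ISP BGP peer)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Segment shared with the ASA outside interface
 ip address 198.51.100.1 255.255.255.248
!
! Traffic for the announced prefix is handed to the ASA outside address.
ip route 203.0.113.0 255.255.255.0 198.51.100.2
! Floating route to Null0 keeps the prefix in the routing table (and so
! announced) if the ASA-facing segment goes down, instead of flapping it.
ip route 203.0.113.0 255.255.255.0 Null0 254
!
! Announce only our own prefix; accept only a default route from the ISP.
ip prefix-list ANNOUNCE-OUT seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY-IN seq 5 permit 0.0.0.0/0
!
router bgp 64512
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP EBGP peer
 ! TCP MD5 session authentication; the key must match the ISP side.
 neighbor 192.0.2.1 password <shared-key-placeholder>
 ! Accept BGP packets only from a directly connected peer (GTSM).
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY-IN in
 neighbor 192.0.2.1 prefix-list ANNOUNCE-OUT out
 ! Tear the session down if the peer sends far more than expected.
 neighbor 192.0.2.1 maximum-prefix 10
 network 203.0.113.0 mask 255.255.255.0
!
! On the ASA (separate device, interface name "outside" assumed), the
! default route points at this router:
!   route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

Because the BGP session terminates on the router, no BGP traffic crosses the ASA in this layout.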
 
Balack (Author) Commented:
Any sample configuration for the BGP?
0
 
digitap Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
