Solved

Any BGP commands manual for Cisco ASA firewall?

Posted on 2010-11-21
Last Modified: 2012-06-21
This is using a Cisco ASA firewall. Recently, there is a requirement to configure for BGP. I am just wondering where to get the BGP commands for the above firewall?
Question by:Balack
11 Comments
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 34186289
Cisco ASA cannot do BGP whatsoever. You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP. There are issues with making the ASA forward BGP-packets but this can be solved with configuration. But the ASA can never talk BGP as a router.

Best regards
Kvistofta
 

Author Comment

by:Balack
ID: 34186602
You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP.

Does this mean that in order to support BGP, I can put a router in front OR at the back of the ASA? If so, can you share some info on how to make it work, with the router put in front?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 34209219
The BGP speaking router goes in front of the ASA.

 
LVL 23

Expert Comment

by:Mysidia
ID: 34210692
It is true that ASAs cannot implement BGP; it is a feature Cisco excluded from the ASA, so you do need a router such as a 1700, 26xx, or 72xx series router to take care of that for you.

Make sure you choose a router model appropriate for the number of routes it will receive from the ISP, and appropriate for the speed of your network / throughput provided by the link. For example, you need a higher-end router if your device will be on the DFZ with copies of the full routing table from several ISPs connected to you than if you only take a single default route from one ISP.

If you need to establish a BGP session with an ISP router outside your LAN, design your network so the router is on the network connected to the outside interface of the ASA.

Two routers that need to communicate with each other using BGP should be on the same subnet; there should not be a firewall such as an ASA placed in between routers that need to speak BGP with each other.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34210838
There is no need for 2 BGP peers to be on the same subnet. BGP is not like other routing protocols that use broadcasts/multicasts to find peers and build adjacencies.

Best regards
Kvistofta
 
LVL 23

Expert Comment

by:Mysidia
ID: 34221435
BGP SHOULD have IP addresses on the same subnet in your case; that is assuming there is only one router to speak BGP at the current time.

If these are IBGP peers, "SHOULD have IP addresses on the same subnet" changes to a MUST requirement.

2 EBGP peers on separate subnets are possible through the EBGP multihop extension, but it is not advisable in these circumstances, unless your ISP has special requirements and will direct you otherwise, based on anything described. Specifically, the BGP speaking router should be on the outside of the firewall if the BGP peer router is outside the firewall.

If the existing BGP peer you need to establish a session with is inside the firewall, then your additional BGP router should be inside the firewall also.

My suggestion that you add a router for BGP and place it outside the firewall is based on the assumption that the reason you need BGP support is to arrange an EBGP session with your ISP(s) to announce some prefix(es) over a WAN to an upstream internet service provider.

That is the most common reason one would be looking for BGP support on a firewall. If you have other needs, we would need information about those other needs / why you need a firewall/gateway running BGP, for us to provide more specific guidance.
0
 

Author Comment

by:Balack
ID: 34288201
Any sample configuration for the BGP?
 
LVL 33

Expert Comment

by:digitap
ID: 34459677
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.