Solved

Any BGP commands manual for Cisco ASA firewall?

Posted on 2010-11-21
Last Modified: 2012-06-21
This is using a Cisco ASA firewall. Recently, there is a requirement to configure it for BGP. I'm just wondering where to get the BGP commands for the above firewall?
Question by:Balack
11 Comments
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 34186289
Cisco ASA cannot do BGP whatsoever. You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP. There are issues with making the ASA forward BGP-packets but this can be solved with configuration. But the ASA can never talk BGP as a router.

Best regards
Kvistofta
0
 

Author Comment

by:Balack
ID: 34186602
"You need to put another device (like a Cisco router) in front of or behind the ASA to talk BGP."

Does this mean that in order to support BGP, I can put a router in front OR at the back of the ASA? If so, can you share some info on how to make it work, with the router put in front?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 34209219
The BGP speaking router goes in front of the ASA.
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 34210692
It is true that ASAs cannot implement BGP; it is a feature Cisco excluded from the ASA, so you do need a router such as a 1700, 26xx, or 72xx series router to take care of that for you.

Make sure you choose a router model appropriate for the number of routes it will receive from the ISP, and appropriate for the speed of your network / throughput provided by the link. For example, you need a higher end router if your device will be on the DFZ with copies of the full routing table from several ISPs connected to you than if you only take a single default route from one ISP.

If you need to establish a BGP session with an ISP router outside your LAN, design your network so the router is on the network connected to the outside interface of the ASA.

Two routers that need to communicate with each other using BGP should be on the same subnet; there should not be a firewall such as an ASA placed in between routers that need to speak BGP with each other.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34210838
There is no need for 2 BGP peers to be on the same subnet. BGP is not like other routing protocols that use broadcasts/multicasts to find peers and build adjacencies.

Best regards
Kvistofta
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 34221435
BGP SHOULD have IP addresses on the same subnet in your case, that is assuming there is only one router to speak BGP at the current time.

If these are IBGP peers, "SHOULD have IP addresses on the same subnet" changes to a MUST requirement.

2 EBGP peers on separate subnets are possible through the EBGP multihop extension, but it is not advisable in these circumstances, unless your ISP has special requirements and will direct you otherwise, based on anything described. Specifically, the BGP speaking router should be on the outside of the firewall if the BGP peer router is outside the firewall.

If the existing BGP peer you need to establish a session with is inside the firewall, then your additional BGP router should be inside the firewall also.

My suggestion that you add a router for BGP and place it outside the firewall is based on the assumption that the reason you need BGP support is to arrange an EBGP session with your ISP(s) to announce some prefix(es) over a WAN to an upstream internet service provider.

That is the most common reason one would be looking for BGP support on a firewall. If you have other needs, we would need information about those other needs / why you need a firewall/gateway running BGP, for us to provide more specific guidance.




0
 

Author Comment

by:Balack
ID: 34288201
Any sample configuration for the BGP?
0
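The layout described in the comments above (a BGP-speaking router outside the ASA holding a single EBGP session with a directly connected ISP router), as an added example that is not part of the original thread. All addresses, AS numbers, interface names and prefix-list names are constructed from documentation ranges, and the password is a placeholder; the session protections need matching settings on the ISP side.

```cisco
! --- Edge router (IOS), placed outside the ASA -------------------------
! Constructed values: AS 64500 (local), AS 64511 (ISP),
! 192.0.2.0/30 (ISP link), 198.51.100.0/24 (announced prefix).
interface GigabitEthernet0/0
 description Link to ISP router
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Segment shared with the ASA outside interface
 ip address 198.51.100.1 255.255.255.0
!
! Announce only our own prefix; accept only a default route from the ISP.
ip prefix-list OUR-PREFIX seq 5 permit 198.51.100.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 64500
 bgp log-neighbor-changes
 ! Originate the connected /24 into BGP
 network 198.51.100.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 description ISP, directly connected EBGP peer
 ! TCP MD5 authentication; secret is a placeholder agreed with the ISP
 neighbor 192.0.2.1 password <shared-secret>
 ! GTSM: drop BGP packets that crossed more than one hop
 ! (the ISP must enable it on its side as well)
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 prefix-list OUR-PREFIX out
 ! Tear the session down if the ISP sends far more than expected
 neighbor 192.0.2.1 maximum-prefix 10
!
! --- ASA, behind the router: no BGP, only a static default -------------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

On the router, `show ip bgp summary` shows whether the session is established, and `show ip bgp neighbors 192.0.2.1 advertised-routes` confirms that only the intended prefix is being announced.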
 
LVL 33

Expert Comment

by:digitap
ID: 34459677
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Question has a verified solution.