J.D. Payne

Cisco ASA in Transparent Mode and BGP

Hello Experts,

I am moving my isolated lab to a 'managed' facility. My current setup includes a Cisco ASA 5525X in Transparent mode, that has one 'exposed' subnet with a public IP that is connected through DTAP to a provider. All other subnets are internal private, not exposed nor advertised, by design. The interfaces are grouped together in a bridge group, and then multiple bridge groups are configured, one for each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA.
The new 'managed' facility's network deployment team is requiring me to enable BGP on my ASA in order to peer with them.
Considering I do not run BGP now, and have no need to advertise routes (or receive advertised outside routes), I disagree with them. I don't think they understand my network design.

My ASA in Transparent mode is basically a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
Also, I do not have any routers on the 'inside' private subnets, so there will be no router internally for the BGP session to form an adjacency. Please correct me if I'm wrong.

I am basically asking for confirmation from the experts before I pass this higher up the management chain.

Thank you in advance for your expertise!

Jerry
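The bridge-group arrangement Jerry describes, as an added illustrative ASA transparent-mode configuration (constructed here; not from the original post or from Cisco documentation): two bridge groups whose member interfaces are bridged only within their own group, each with a BVI address used for management rather than as a routed hop. Interface names and addresses (RFC 5737 ranges) are assumptions.

```cisco
! Constructed example: transparent-mode ASA with two isolated bridge groups.
firewall transparent
!
! Bridge group 1: the 'exposed' subnet (provider DTAP outside, lab hosts inside)
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside
 security-level 100
!
! Bridge group 2: a private lab subnet; frames are bridged only between its own members,
! never forwarded into bridge group 1 by the ASA itself
interface GigabitEthernet0/2
 bridge-group 2
 nameif outside2
 security-level 0
!
interface GigabitEthernet0/3
 bridge-group 2
 nameif inside2
 security-level 100
!
! BVI addresses serve management and ARP on the bridged segment; they are not a next hop
! for attached hosts. Addresses are placeholders.
interface BVI1
 ip address 203.0.113.10 255.255.255.0
!
interface BVI2
 ip address 192.0.2.10 255.255.255.0
!
! No 'router bgp' stanza: transparent mode has no routed interfaces to peer from.
! Each bridge group is still filtered: transparent mode inspects, it just does not route.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq 443
access-group OUTSIDE_IN in interface outside
```

`show bridge-group` lists each group's member interfaces and is a quick way to confirm that the two segments share no members.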
Daniel Sheppard

Where does the exposed subnet connect to? They may want you to instead peer with whatever device is on your exposed subnet.

Why are you running the ASA in a transparent configuration on your edge with private addressing behind it?
J.D. Payne (Asker)

Hi Daniel,

Thanks for the response and questions. Sorry I should have been more clear. The exposed subnet connects to an edge router to the internet that we do not own. Our edge is the ASA. There is no other layer 3 device on the exposed subnet.
(I inherited this setup, and the engineers who designed and implemented the network are no longer with the company, so I can't speak to the exact reasoning behind the design.)

The private networks behind the ASA are meant to be completely isolated from any other networks in the company. The ASA connection is facilitating internet access only to some of the private subnets on the backend. The ASA is basically a stealth firewall and not intended to be a network hop.
All internal connections from within our company to these private backend subnets are handled through a separate TMG gateway, which does not route to the internet, only internal networks.
SOLUTION
Daniel Sheppard

The ASA is not routing between the public and private. That is being performed by the TMG (Forefront Threat Management Gateway) server, which acts as a proxy server. (as you probably know, TMG is the replacement for ISA server)
ASKER CERTIFIED SOLUTION

Good point. Thank you very much for your advice! This is exactly what I needed to know.
Again, apologies for the ambiguity. As I said, I inherited this lab and its network architecture is definitely not what I am used to.

Cheers!

Jerry