BGP and ASA NAT

mbram1313
Level 1

Hello Everyone,

 

I have a need to multihome out two MAN links to the same ISP. The two links will connect via an ISR and will participate in an eBGP adjacency. On the internal side, iBGP will be used to create the alternate default route to the ISP. Each of the ISR’s downstream ports participates on the same Ethernet subnet. On the same subnet/broadcast domain, there are two ASA5510 appliances that will use HSRP to advertise the public IPv4 addresses and will NAT them into the private network.

 

My question is, since the ASAs do not participate in BGP, and since we are going to NAT the traffic eliminating the need to use a route map to inject the default route into the downstream EIGRP network, would I simply build a static default route in the ASAs out the upstream interfaces? My initial thought is to not worry about recursive lookups because they are connected via Ethernet.

ip route 0.0.0.0 0.0.0.0 fa0/0; and so on.

I’ve attached a simple topology for reference.

BGP_NAT_ASA

Thanks…Matt

2 Replies

Julio Carvajal
VIP Alumni

First of all, ASAs do not run HSRP. I think you are talking about failover Active/Active, which works completely differently, so make sure you have got that first.

 

I am still not sure about your deployment, meaning I do not understand what those L2 switches are doing there with the iBGP arrows going to the ASA.

I would say instead of iBGP use EIGRP or OSPF, which is actually supported on the ASA; that way you can dynamically switch over whenever needed.

Regards,

 

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes Jcarvaja, HSRP is not a feature on the ASAs, and yes, HSRP is difficult to set up natively to support active/active load balancing on any device. That's not really the point though, is it. FHRPs are typically used for distribution switches and finely tuned to access layer 2 and layer 3 convergence, unless using GLBP (and even then it should be considered). My mistake for using the term HSRP, and thank you for pointing it out.

 

As for the iBGP links, they represent the same subnet as I mentioned. The cat switches are there to facilitate physical restraints, as each pair of ISRs and ASAs are two miles apart. Since the ASAs are performing NAT, they don't really participate in the BGP network and there is no need or capability to inject the BGP default route into the EIGRP network. They will participate in the downstream EIGRP network. If the MAN connection on one ISR goes down, then the iBGP route to the Internet will be graduated. I guess I could have indicated on the drawing that these were all a part of the same subnet.

 

How do I configure the ASAs' static default route? Wouldn't I be able to inject a static default route in each ASA using the ASA's outside interface when using active/active? If I have to, I could see if we can use EIGRP on the network upstream of the ASAs if there is no other way of doing this, but this is not preferred.

 

Any help you can provide is greatly appreciated.

 

Thank you...Matt
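As an added example (not part of the thread, and not from either poster), this is one way to give the ASA a static default route toward the two ISRs on the shared upstream subnet while still letting the ASA fail over if an ISR itself goes away: a tracked primary default route to ISR1 and a higher-metric backup default route to ISR2. ASA `route` syntax takes a next-hop IP address rather than an interface name, so the ISR addresses 203.0.113.1 and 203.0.113.2, the interface name `outside`, and the SLA/track IDs are placeholders assumed here.

```cisco
! Placeholder addresses (TEST-NET-3): ISR1 = 203.0.113.1, ISR2 = 203.0.113.2
! Interface name "outside" is the ASA's upstream (ISR-facing) interface.

! Probe ISR1's LAN-side address every 10 s. Tracking the directly
! connected ISR only detects loss of the ISR itself; loss of ISR1's
! MAN link is handled by the ISRs' own iBGP reroute through ISR2.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 is up while the SLA probe reports reachability.
track 1 rtr 10 reachability

! Primary default route via ISR1 (metric 1), withdrawn when track 1 is down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Floating backup default route via ISR2; metric 254 keeps it out of the
! routing table until the tracked route is removed.
route outside 0.0.0.0 0.0.0.0 203.0.113.2 254
```

In a failover pair this is part of the configuration that is replicated from the active unit to the standby, so it is entered once; with Active/Active (multiple contexts) the routes and tracking belong in each context's own configuration.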
