BGP on ASA with two ASNs and "remove-private-as" not working

SupportEngJohn
Level 1

 

Hello, 

ASARouterBGPtopology.PNG

Hello, we have a topology similar to above. The ASA has a private AS of 65001, and is using the local-as 2322 and remove-private-as BGP parameters, but the router is still seeing the private AS, 65001, when you type show BGP. Is there a command we're omitting, or is this how it's supposed to behave?

 

Below is relative output from each:

prefix-list MLB-Extern seq 5 permit 12.32.30.128/25 le 32
!
prefix-list MLB-Routes seq 5 permit 10.10.4.0/24 le 32
prefix-list MLB-Routes seq 10 permit 10.10.7.0/24 le 32
prefix-list MLB-Routes seq 15 permit 10.10.14.0/24 le 32

route-map MLBBGPMAP permit 5
match ip address prefix-list MLB-Extern


ASA# sh run router bgp
router bgp 65001
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 14.27.21.57 remote-as 2323
neighbor 14.27.21.57 local-as 2322
neighbor 14.27.21.57 activate
neighbor 14.27.21.57 remove-private-as
neighbor 14.27.21.57 route-map MLBBGPMAP out
network 14.27.21.56 mask 255.255.255.248
network 12.32.30.128 mask 255.255.255.128
redistribute static route-map MLBBGPMAP
no auto-summary
no synchronization
exit-address-family

Router#sh run | b router bgp
router bgp 2323
bgp log-neighbor-changes
network 14.27.21.56 mask 255.255.255.248
redistribute static
neighbor 14.27.21.59 remote-as 2322

Router#show bgp
BGP table version is 15, local router ID is 14.27.21.57
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

   Network          Next Hop            Metric LocPrf Weight Path
*> 12.32.30.128/25  14.27.21.59              0             0 2322 65001 i
*> 14.27.21.56/29   0.0.0.0                  0         32768 i

 

 

 

1 Reply 1

Muhammad Awais Khan
Cisco Employee

Hi,

 

Below are the conditions applied when you want "remove-private-as" when peering with a BGP neighbor:

  • You can only use this solution with external BGP (eBGP) peers.

  • If the update has only private AS numbers in the AS_PATH, BGP removes these numbers.

  • If the AS_PATH includes both private and public AS numbers, BGP doesn't remove the private AS numbers. This situation is considered a configuration error.

  • If the AS_PATH contains the AS number of the eBGP neighbor, BGP does not remove the private AS number.

 

In your configuration, I find that you are using the local-as statement on your FW when neighboring with the Router, which makes the ASA pretend to be an iBGP. I believe you need to remove the "local-as" statement on the ASA and, on the Router side, change the neighbor AS from 2322 to 65001. I hope it will fix your issue.
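
The four conditions listed in the reply, written as a check that can be run over received AS paths to flag private AS numbers that are still visible. This is an added example, not part of the thread: the function names and the `SHOW_BGP_PATHS` dictionary are made up here, and the private ranges are the ones reserved by RFC 6996.

```python
import re

# Private-use ASN ranges from RFC 6996 (16-bit and 32-bit).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def parse_path(field):
    """Turn a Path column such as '2322 65001 i' into a list of ASNs.
    Digits are pulled out wherever they sit, so AS_SET braces are tolerated."""
    return [int(n) for n in re.findall(r"\d+", field)]

def removal_verdict(as_path, neighbor_as, ebgp=True):
    """Evaluate the conditions from the reply against one AS_PATH."""
    private = [a for a in as_path if is_private(a)]
    if not private:
        return "no private AS in path"
    if not ebgp:
        return "kept: peer is not eBGP"
    if len(private) < len(as_path):
        return "kept: path mixes private and public AS numbers"
    if neighbor_as in as_path:
        return "kept: path contains the eBGP neighbor's AS"
    return "removed: path holds only private AS numbers"

def audit(table, neighbor_as):
    """Return (prefix, leaked private ASNs, verdict) for each flagged route."""
    findings = []
    for prefix, field in table.items():
        path = parse_path(field)
        leaked = [a for a in path if is_private(a)]
        if leaked:
            findings.append((prefix, leaked, removal_verdict(path, neighbor_as)))
    return findings

# Path columns copied from the router's "show bgp" output in the question.
SHOW_BGP_PATHS = {"12.32.30.128/25": "2322 65001 i", "14.27.21.56/29": "i"}

if __name__ == "__main__":
    # 2323 is the remote-as configured on the ASA for this neighbor.
    for prefix, leaked, verdict in audit(SHOW_BGP_PATHS, neighbor_as=2323):
        print(prefix, leaked, verdict)
```

Run against the two paths from the question, only 12.32.30.128/25 is flagged, with 65001 reported as still present because the path also carries the public AS 2322.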
