
BGP thru ASA vs. Transparent Mode deployment

lcaruso
Level 6

Hi,

I've been asked to deploy an ASA in Transparent Mode because of concerns about putting another layer 3 hop between PE and CE routers running BGP.

Is there some problem with allowing BGP to flow freely through an ASA that is also terminating site-to-site and remote access VPN tunnels?

I just don't see the need for Transparent Mode here and you cannot have a standard DMZ setup with Transparent Mode: you have to use bridge groups to provide for multiple interfaces on the ASA and then have an external router route between those bridge groups. Yuk.

If anyone can tell me what I'm missing here as to why Transparent Mode is needed (not needed), I'd sure appreciate it.

ASA is 5512X running 9.1(1)

Thanks.

4 Replies

Jouni Forss
VIP Alumni

Hi,

In an effort to get some discussion going (even though you just posted), I'm just going to post some thoughts/questions.

I'm not personally dealing much with routing scenarios other than very basic OSPF and BGP setups.

However, I have never had any firewall implemented between two BGP neighbors and, to be honest, I probably never will. I just have never seen it done in such a way.

I do see documentation that you have to open port TCP/179 in both directions, from each peer to the other, to enable the establishment of routing between the peers (whichever peer might happen to open the connection).

In your situation I am wondering what exactly is the firewall protecting? Why does it need to be in the middle of the PE and CE? Is it specifically meant to protect the router? I imagine the router should have the possibilities to secure its own operation too.

And there should be other "on the wire" devices which are specifically meant to protect other networking devices from any malicious activity and you could use the actual firewall to protect the boundary of your LAN network.

You have probably seen this already, but here is a document about PIX / ASA and running BGP through it.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

- Jouni

Hi,

Thanks for your reply. The ASA is protecting several remote sites as well as the local site, which all get their Internet (and servers) through a provider at the head end site. It's in between the PE and the CE because that's this company's public presence on the Internet. Everything else is behind it and/or on private WAN facilities. Not my design. I'm asked to do the configuration.

"I just have never seen it done in such a way."

Yes, but there is a Cisco document that describes how to do just that, so somebody must be doing it, and the demand for the knowledge was high enough that Cisco created the document.

How well it works, I just don't know. That's what I'm trying to find out.

Here's another link for the BGP pass-through setup:

https://supportforums.cisco.com/docs/DOC-21347

JouniForss wrote:

I do see documentation that you have to open port TCP/179 in both directions, from each peer to the other, to enable the establishment of routing between the peers (whichever peer might happen to open the connection).

- Jouni

This is "not" true. If you do this in the CCIE security lab, you will fail.

As long as the routing is in place in the ASA, BGP will come up and the router on the inside interface of the ASA will establish a BGP session with the router on the outside of the ASA. Remember, by default the inside interface security level is 100 and the outside interface security level is 0. Therefore, the router on the inside interface will establish BGP with the router on the outside and the return traffic will be allowed. Yes, it may take longer for BGP to come up, but it will work.

Now if you're talking about BGP with MD5 authentication across the ASA, you will need to disable TCP random sequence numbers or BGP with MD5 authentication will not work.
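As an added illustration of the two points made above (a permit for TCP/179 and disabling sequence-number randomization for MD5-authenticated peers), here is an ASA 9.x style configuration fragment; it is not from the thread or from Cisco's documents, and the peer addresses 203.0.113.1 (CE, inside) and 203.0.113.2 (PE, outside) are placeholders:

```cisco
! Placeholder peers: 203.0.113.1 = CE router on inside, 203.0.113.2 = PE router on outside
! Match the BGP session in both directions, whichever side opens TCP/179
access-list BGP-PEERS extended permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
access-list BGP-PEERS extended permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
!
class-map BGP-SESSION
 match access-list BGP-PEERS
!
! TCP option 19 carries the MD5 signature (RFC 2385); let it pass unchanged
tcp-map BGP-MD5
 tcp-options range 19 19 allow
!
! Apply to the global policy: keep the original sequence numbers so the
! MD5 digest computed by the routers still matches after crossing the ASA
policy-map global_policy
 class BGP-SESSION
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5
!
! Only needed if the outside (PE) side is the one opening the session:
! an inbound ACL on the outside interface must permit TCP/179 to the CE
access-list OUTSIDE-IN extended permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
access-group OUTSIDE-IN in interface outside
```

Leaving sequence randomization enabled for everything else preserves the ASA's protection against sequence-number prediction; the exception is scoped to the two peers only.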
