juniper netscreen with loopback interface to Cisco ASA

christianstp1 · ‎09-18-2018

Hello,

We are migrating a juniper netscreen to a Cisco ASA. The firewall is running BGP with the upstream routers. The netscreen has a loopback interface created with subnets that are used for nating. The loop back is created to inject the nat networks into BGP.

My question is how do you achieve this on a Cisco since it does not support loopback interfaces?

1 - use null routes? We found one article that suggested creating NULL routes for the natblocks and that will allow the subnets to be injected into BGP. But we tried that in the lab and having weird results. Not sure if its our config or if using the NULL routes is a bad idea.

2 - Static route on the router? Even though we are running bgp between router and fw.. can I add a static route as well from router to the fw?

3 - any other thoughts?

Thanks.

Mohammed al Baqari · ‎09-18-2018

Null routes should work. What issues are you facing with it. ? Static
routes might create issues with proxy arp but null routes should be safe to
use

julomban1 · ‎09-18-2018

Everything inbound doesn't seem to be working... We can see on the router's routing table the route been learned via the firewall so we know bgp is advertising the route correctly, however, we can't pass traffic.

Unfortunately, our MX window was over and we had to rollback before troubleshooting further... We are thinking about static routes as a second workaround... Proxy ARP issue should be fixed by having the "arp permit-nonconnected" command, don't you think?

Thanks,

Juan Lombana