nat and route issue

elite2010
Level 3



Hi,

I have the below topology

 

asa.png
ASA firewall running in active/standby mode.

R1 and R2 are routers which are connected to the ISPs.
HSRP is running on R1 and R2.


R1

interface gi0/1
 ip address 4.4.4.2   255.255.255.252 -connected to isp  router 1


interface GigabitEthernet0/2
 ip address 1.1.1.2  255.255.255.0 (connected to sw1 from switch  to asa1  outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!


router bgp 60000

 network 1.1.1.0  mask 255.255.255.0
 network 2.2.2.0 mask 255.255.255.0
 neighbor 4.4.4.4 remote-as 52578
 neighbor 4.4.4.4 ttl-security hops 1
 neighbor 4.4.4.4 timers 5 20 20

R2

interface gi0/1
 ip address 4.4.4.5   255.255.255.252 -connected to isp router 2


interface GigabitEthernet0/2
 ip address 1.1.1.3  255.255.255.0 (connected to sw2  from switch  to asa2  outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!


router bgp 60000

 network 1.1.1.0  mask 255.255.255.0
 network 2.2.2.0 mask 255.255.255.0
 neighbor 4.4.4.4 remote-as 52578
 neighbor 4.4.4.4 ttl-security hops 1
 neighbor 4.4.4.4 timers 5 20 20


Asa outside interface ip

1.1.1.3 255.255.255.0

I did a static NAT 2.2.2.100 to 192.168.2.10 (verified the route from the ASA inside interface).

It did not work.

From R1 I did a traceroute to 2.2.2.100, which shows a loop:


Tracing the route to 2.2.2.100
VRF info: (vrf in name/id, vrf out name/id)
  1 (1.1.1.3) 0 msec 0 msec 0 msec  (R2 gi0/1, which is connected to ASA 2 through sw2)
  2 4.4.4.6[AS XXXX] 4 msec 0 msec 4 msec (connection to ISP from R2 )
  3 4.4.4.1 [AS XXXX] 0 msec 0 msec 0 msec  (connection to ISP from R1 )
  4 4.4.4.2 [AS XXXX] 0 msec 0 msec 4 msec (R1 gi0/1, which is connected to ASA 1 through sw1)
  5  (1.1.1.3) 0 msec 0 msec 0 msec
  6 4.4.4.6[AS XXXX] 4 msec 4 msec 0 msec
  7 4.4.4.1 [AS XXXX] 4 msec 4 msec 0 msec
  8 4.4.4.2 [AS XXXX] 4 msec 0 msec 4 msec

On router R1, ARP shows that 2.2.2.100's MAC address is reachable through R2's gi0/1 (the MAC address for 2.2.2.100 in the ARP table is interface gi0/1's MAC address).

I tried to clear the ARP table but it was no use.

Thanks
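A small loop detector for the traceroute output pasted above, added here as an illustration (it is not part of the original post and not a Cisco tool). It parses IOS traceroute hop lines and reports when the responding addresses start repeating with a fixed period, which is what the eight hops above show. The sample text is constructed from the post with the poster's annotations removed; "AS XXXX" is the thread's own redaction of the ISP AS number and is kept as-is.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the IOS traceroute the original poster ran from R1,
# with the parenthetical annotations removed. "AS XXXX" is the thread's
# redaction of the ISP's AS number and is left exactly as posted.
SAMPLE_TRACEROUTE = """\
Tracing the route to 2.2.2.100
VRF info: (vrf in name/id, vrf out name/id)
  1 (1.1.1.3) 0 msec 0 msec 0 msec
  2 4.4.4.6[AS XXXX] 4 msec 0 msec 4 msec
  3 4.4.4.1 [AS XXXX] 0 msec 0 msec 0 msec
  4 4.4.4.2 [AS XXXX] 0 msec 0 msec 4 msec
  5  (1.1.1.3) 0 msec 0 msec 0 msec
  6 4.4.4.6[AS XXXX] 4 msec 4 msec 0 msec
  7 4.4.4.1 [AS XXXX] 4 msec 4 msec 0 msec
  8 4.4.4.2 [AS XXXX] 4 msec 0 msec 4 msec
"""

# A hop line starts with the hop number and then the responding address, which
# IOS prints bare or in parentheses. "* * *" lines carry no address and are skipped.
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?")

Hop = Tuple[int, str]


def parse_hops(text: str) -> List[Hop]:
    """Extract (hop number, responding IP) pairs from IOS traceroute output."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group("hop")), m.group("ip")))
    return hops


def find_loop(hops: List[Hop]) -> Optional[Tuple[int, int, List[str]]]:
    """Detect a forwarding loop: the first address seen twice marks the loop entry,
    and from there the addresses must repeat with a fixed period to the end of the trace.

    Returns (hop number where the cycle starts, period, the cycle's addresses) or None.
    """
    ips = [ip for _, ip in hops]
    first_seen: Dict[str, int] = {}
    for idx, ip in enumerate(ips):
        if ip in first_seen:
            start = first_seen[ip]
            period = idx - start
            tail = ips[start:]
            if all(tail[i] == tail[i % period] for i in range(len(tail))):
                return hops[start][0], period, tail[:period]
            return None  # an address repeats but not as a clean cycle: do not guess
        first_seen[ip] = idx
    return None


def describe(text: str) -> str:
    """Human-readable verdict for a pasted traceroute."""
    loop = find_loop(parse_hops(text))
    if loop is None:
        return "no loop detected"
    start, period, cycle = loop
    return f"loop from hop {start}, period {period}: {' -> '.join(cycle)} -> ..."


if __name__ == "__main__":
    print(describe(SAMPLE_TRACEROUTE))
```

On the sample the detector reports a cycle of period 4 starting at hop 1 (R2's Gi0/2 address, then the two ISP addresses, then R1's WAN address), which is the loop the poster describes; pasting a trace that reaches its destination returns "no loop detected".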



15 Replies

Francesco Molino
VIP Alumni
Hi

If I understood correctly, 2.2.2.0/24 is a subnet you're using on the ASA for NATting, am I right?

If yes, the static route on R1 and R2 is correct, but advertising this network from R1 and R2 through BGP isn't correct. Why are you advertising this subnet in BGP?

Can you share your asa config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Hi,

"If yes, the static route on R1 and R2 is correct but advertising this network from R1 and R2 through bgp isn't correct."
Can you explain please?

I have removed most of the configuration. I hope the configuration below is enough.



ASA route

route Outside 0.0.0.0 0.0.0.0 1.1.1.1  (1.1.1.1 Hsrp standby ip which is configured on the router )
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet )
route Inside 192.168.0.0 255.255.0.0 172.16.3.1 1

interface Gi0/9
 nameif Inside
 security-level 100
 ip address 172.16.3.5 255.255.255.0 standby 172.16.3.6

interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 1.1.1.4 255.255.255.0


object network obj-192.168.2.10
 nat (Inside,Outside) static 2.2.2.100

access-list Outside_in extended  permit object-group O-HTTPS-HTTP any object obj-192.168.2.10

Thanks

When I said it is not correct, I mean: why would you advertise a subnet from R1 when it belongs to the ASA and R1 has a static route to it?
If you want to do it through BGP, then you would advertise it from the ASA and remove the static route on R1 and R2.

Can you share your configs (r1, r2 and asa)?

Thanks
Francesco

Hi,



This is a production network, so I have sanitized the configuration.

It would be great if you could tell me which parts of the configuration are required from the ASA and the routers.

And you said: "When I said it is not correct, I mean why you would advertise a subnet from R1 when it belongs to ASA and R1 has a static route to it.
If you want to do it through bgp, then you would advertise it from asa and remove static route on R1 and R2."

What about the 1.1.1.0 network, the ASA outside and the router interface which is connected to the ASA outside?

Thanks

 






I just summarized the routing part of the ASA and both routers below:



ASA route

route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router )
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet )
route Inside 192.168.0.0 255.255.0.0 172.16.3.1 1




R1

interface gi0/1
ip address 4.4.4.2 255.255.255.252 -connected to isp router 1


interface GigabitEthernet0/2
ip address 1.1.1.2 255.255.255.0 (connected to sw1 from switch to asa1 outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!


router bgp 60000

network 1.1.1.0 mask 255.255.255.0 (ROUTER INTERFACE AND ASA OUTSIDE INTERFACE ARE IN THIS SUBNET)
network 2.2.2.0 mask 255.255.255.0 (This is the additional subnet)
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20



R2

interface gi0/1
ip address 4.4.4.5 255.255.255.252 -connected to isp router 2


interface GigabitEthernet0/2
ip address 1.1.1.3 255.255.255.0 (connected to sw2 from switch to asa2 outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!


router bgp 60000

network 1.1.1.0 mask 255.255.255.0 (ROUTER INTERFACE AND ASA OUTSIDE INTERFACE ARE IN THIS SUBNET)
network 2.2.2.0 mask 255.255.255.0 (This is the additional subnet)
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20

Thanks a lot 

What I'm actually saying is that you need to advertise under BGP only the subnets that belong to the device.

For example, if 1.1.1.0/24 is used on R1, R2 and the ASA, you can advertise this subnet in BGP from all 3 devices using the network command.
On the ASA you'll need to advertise 2.2.2.0/24, as it belongs to the ASA NAT statements.

But again, as you're using static routes on R1 and R2 to reach this subnet, you don't need to advertise it in BGP unless you have a specific reason to do so.



Thanks
Francesco

Hi,

"For example, if 1.1.1.0/24 is used on R1, R2 and ASA, you can advertise this subnet in bgp from all 3 services using network command. 
On ASA you'll need to advertise 2.2.2.0/24 as it belongs to ASA NAT statements. "

1.1.1.0 is used on R1, R2 and the ASA, and also for ASA NAT.

2.2.2.0 is only for NAT.

"But again, as you're using static routes on R1 and R2 to reach this subnet, you don't need to advertise it in bgp unless you have a specific reason to do so."

If I am not advertising it, how can a host on the internet reach the 2.2.2.0/24 network?

 

 

If I just remove "route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet)"

and keep only "route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 HSRP standby IP which is configured on the router)", does it help?

 

route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router ) 
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet ) 

Thanks

Sorry, we were talking about static and BGP and I totally forgot that you were doing BGP with your ISP.
I'm sorry, my bad.

Let's do it from the beginning.
You're doing BGP between R1 and the ISP, and the ASA has a static route.
2.2.2.0 is the subnet used for NAT on the ASA.
I reviewed your first post with a laptop instead of my phone: you're redistributing this static route into BGP. By reading it quickly, I missed something. You can do a redistribute static instead of a network advertisement, but both are OK.
Now, why do you have this route on the ASA:
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1
Can you explain why you put this route, as 2.2.2.0/24 is a local subnet?



Thanks
Francesco

My understanding is below


An internet host 8.8.8.1 is requesting 2.2.2.10.

The ASA translates 192.168.2.10 to 2.2.2.10.
Then the ASA checks the route table for 8.8.8.0:

route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router )
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet )
route Inside 192.168.0.0 255.255.0.0 172.16.3.1 1


It finds the default route.

Yeah, why do I need route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet)?

But even if it is there, does it make any difference?
I mean, it does not harm the whole setup?

Thanks
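To make the route-table reasoning in the post above concrete, here is an added example (written for this thread, not part of the original post and not Cisco code) that performs a longest-prefix match over the ASA routes posted earlier and walks one translated flow in both directions. It follows the order the poster describes, NAT first and then the route lookup, and records which table entries are actually hit; the route table, the static NAT and the addresses 8.8.8.1 and 2.2.2.100 are taken from the thread.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

Route = Tuple[str, str, str]  # (nameif, prefix, next hop)

# Constructed from the ASA "route" lines posted in the thread.
ASA_ROUTES: List[Route] = [
    ("Outside", "0.0.0.0/0", "1.1.1.1"),
    ("Inside", "10.0.0.0/16", "172.16.3.1"),
    ("Outside", "2.2.2.0/24", "1.1.1.1"),
    ("Inside", "192.168.0.0/16", "172.16.3.1"),
]

# object network obj-192.168.2.10 / nat (Inside,Outside) static 2.2.2.100 : real -> mapped
STATIC_NAT = {"192.168.2.10": "2.2.2.100"}
MAPPED_TO_REAL = {mapped: real for real, mapped in STATIC_NAT.items()}


def longest_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Plain longest-prefix match; all posted entries share the same distance."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for route in routes:
        net = ip_network(route[1])
        if addr in net and (best is None or net.prefixlen > ip_network(best[1]).prefixlen):
            best = route
    return best


def inbound_flow(src: str, dst: str) -> Optional[Tuple[str, Route]]:
    """Internet host -> mapped address: the destination is untranslated first,
    then the real (inside) address is looked up in the route table."""
    real = MAPPED_TO_REAL.get(dst)
    if real is None:
        return None  # no static NAT for this mapped address
    route = longest_match(ASA_ROUTES, real)
    if route is None:
        return None
    return real, route


def return_flow(src: str, dst: str) -> Optional[Tuple[str, Route]]:
    """Inside host -> internet host: the source becomes its mapped address and the
    egress is chosen by the destination, which for an internet host is the default route."""
    mapped = STATIC_NAT.get(src)
    route = longest_match(ASA_ROUTES, dst)
    if mapped is None or route is None:
        return None
    return mapped, route


def routes_used(internet_host: str, mapped: str) -> Set[str]:
    """The table entries that the two directions of one translated flow actually consult."""
    used: Set[str] = set()
    inbound = inbound_flow(internet_host, mapped)
    if inbound is not None:
        real, route = inbound
        used.add(route[1])
        back = return_flow(real, internet_host)
        if back is not None:
            used.add(back[1][1])
    return used


if __name__ == "__main__":
    print(inbound_flow("8.8.8.1", "2.2.2.100"))
    print(return_flow("192.168.2.10", "8.8.8.1"))
    print(routes_used("8.8.8.1", "2.2.2.100"))
```

For the flow in the thread the lookups hit only the 192.168.0.0/16 Inside route (request toward the real host) and the default route (reply toward 8.8.8.1); the "route Outside 2.2.2.0/24" entry is never the result of either lookup, which matches the reasoning above that it is not needed for this traffic.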

Let's remove that route Outside 2.2.2.0, which is useless for now.

Can you do a show ip bgp 2.2.2.0 and show ip route 2.2.2.0 on R1 and R2?

Can you try to ping 2.2.2.0 from R1 and R2 sourcing from the interface facing the ASA? Do the same test but sourcing from the WAN interface.

 

 

 

 


Thanks
Francesco

Hi,

 

Here is the sh ip bgp output:

 

---------------------------------------------------------
R1#
R1#sh ip bgp 2.2.2.0
BGP routing table entry for 2.2.2.0/24, version 11261
Paths: (1 available, best #1, table default)
Advertised to update-groups:
5
Refresh Epoch 1
Local
0.0.0.0 from 0.0.0.0 (4.4.4.2) 4.4.4.2 is the interface ip which is connected to isp
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
rx pathid: 0, tx pathid: 0x0
R1#
R1#
R1#
----------------------------------------
R2
neighbor 4.4.4.9 remote-as X2X7X

R2 #sh ip bgp 2.2.2.0
BGP routing table entry for 0.0.0.0/0, version 2
Paths: (1 available, best #1, table default)
Not advertised to any peer
Refresh Epoch 1
X2X7X Y4Y1
4.4.4.9 from 4.4.4.9 (9.9.9.9) 4.4.4.9 is the interface ip which is connected to isp
Origin IGP, localpref 100, valid, external, best
rx pathid: 0, tx pathid: 0x0

 

I could not do the ping since ICMP was not permitted on the ASA.

Sorry for that.

Thanks

You missed the output of sh ip route 2.2.2.0.
Can you validate that the forwarding path is your ASA and not the ISP?
Do you want to have the ISP on R1 as primary and the ISP on R2 as secondary?

Also, to avoid any issues: in your design you have a static route on each router going to the ASA to reach subnet 2.2.2.0/24, and you don't want to learn this subnet from any BGP peer. To achieve that, you can use the following sample config:

ip prefix-list DENY seq 5 permit 2.2.2.0/24
!
route-map DENY deny 10
 match ip address prefix-list DENY
route-map DENY permit 20
!
router bgp xxx
 neighbor xx.xx.xx.xx route-map DENY in


Thanks
Francesco

Hi,

"Also to avoid any issues, in your design, you have a static route on each routers going to ASA to reach subnet 2.2.2.0/24, and you don't want to learn this subnet from any BGP peer. To achieve that, you can use the following sample config:"

Sorry, I did not get your point.

"Can you validate that the forwarding path is your ASA and not ISP?"

Yes, it's to the ASA:

 

sh ip route 2.2.2.2
Routing entry for 2.2.2.2
Known via "static", distance 1, metric 0 (connected)
Advertised by bgp 60000
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet0/2
Route metric is 0, traffic share count is 1

Can you describe the BGP output (sh ip bgp 2.2.2.0) provided?

What if I want to load balance between these two routers? (The ASA is active/standby.)

Thanks

What I meant is that R1 and R2 have a static route to 2.2.2.0/24. You're advertising this subnet on the Internet and that's fine. However, you don't want to learn this subnet back through BGP on R1 and R2, because the static route will always take precedence. That's why I'm saying you can filter inbound on R1 and R2 to not learn that subnet. Is that clear?

 

Regarding your BGP output:

ON R1:

- It shows that the subnet 2.2.2.0/24 in BGP is a local route. You can see this by checking the weight, for example. If you don't modify anything, a learned route will have a weight of 0 and a locally originated route will have a weight of 32768. This BGP attribute is local to the router and is used in its routing decision: the higher the weight, the more the route is preferred.

- You can also see 0.0.0.0 in the output, which means that it is a locally originated route.

 

ON R2:

- The subnet 2.2.2.0/24 learned over BGP has been advertised by the BGP peer with IP address 4.4.4.9, which also has the RID 9.9.9.9.

However, you can see the difference with R1: R2 didn't actually learn the subnet 2.2.2.0/24 and goes through the default route:

R2 #sh ip bgp 2.2.2.0
BGP routing table entry for 0.0.0.0/0, version 2

 

If you do a sh ip bgp 2.2.2.0/24 on R2 it should say % Network not in table.

 

This is normal as you have the same BGP AS on R1 and R2. Peering is done between R1 and the ISP, and between R2 and the ISP. When the ISP sends the update to R2, R2 sees its own AS in the AS-PATH attribute and the loop prevention mechanism in eBGP drops that subnet.

 

However, as you have a static route for this subnet and are advertising it, it should show the same output as R1. But first, apply the route-map to deny this subnet inbound so that it is not learned in BGP from the neighbor.

 

If you share all your config for your devices in a text file, I would be able to reproduce your issue in a lab and come back with a config update.

 

 

 


Thanks
Francesco
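The two points Francesco makes, the inbound prefix-list/route-map from his earlier reply and the weight and AS-path loop-prevention behaviour explained just above, can be modelled in a few lines. The following is an added example written for this thread, not code from the original posts and not a Cisco implementation. It uses the thread's AS numbers (60000 and 52578) and the 2.2.2.0/24 NAT prefix; the third-party AS 65001 and the foreign announcement of 2.2.2.0/24 are constructed solely to show what the inbound filter adds beyond eBGP loop prevention.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# From the thread: the site's AS and the ISP's AS. OTHER_AS is constructed.
LOCAL_AS = 60000
ISP_AS = 52578
OTHER_AS = 65001


@dataclass
class BgpPath:
    prefix: str
    as_path: List[int]
    next_hop: str
    weight: int = 0       # IOS default for learned paths
    local: bool = False   # True for paths injected with `network` / `redistribute static`


def local_path(prefix: str) -> BgpPath:
    """A locally originated path: next hop 0.0.0.0 and weight 32768, as R1's `sh ip bgp` shows."""
    return BgpPath(prefix, [], "0.0.0.0", weight=32768, local=True)


def passes_loop_check(local_as: int, as_path: List[int]) -> bool:
    """eBGP loop prevention: an update whose AS_PATH already carries the receiver's own AS is dropped."""
    return local_as not in as_path


def denied_by_route_map(prefix: str, denied_prefixes: List[str]) -> bool:
    """Models `route-map DENY deny 10 / match ip address prefix-list DENY` followed by
    `route-map DENY permit 20`. A prefix-list entry without ge/le matches exactly that
    prefix and length, so 2.2.2.128/25 would not be caught by a 2.2.2.0/24 entry."""
    return ip_network(prefix) in {ip_network(p) for p in denied_prefixes}


def receive_update(local_as: int, update: BgpPath,
                   denied_prefixes: List[str]) -> Tuple[Optional[BgpPath], str]:
    """Inbound processing: the AS_PATH loop check first, then the inbound route-map."""
    if not passes_loop_check(local_as, update.as_path):
        return None, "dropped: own AS in AS_PATH"
    if denied_by_route_map(update.prefix, denied_prefixes):
        return None, "dropped: inbound route-map DENY"
    return update, "accepted"


def best_path(paths: List[BgpPath]) -> Optional[BgpPath]:
    """Weight is the first best-path criterion, as described above; shorter AS_PATH
    breaks ties here (the criteria in between are equal in this scenario)."""
    if not paths:
        return None
    return max(paths, key=lambda p: (p.weight, -len(p.as_path)))


def r1_table(denied_prefixes: List[str]) -> Tuple[Optional[BgpPath], List[str]]:
    """R1 originates 2.2.2.0/24 and hears two updates for it from the ISP: its own
    announcement echoed back, and a constructed announcement originated by OTHER_AS."""
    candidates = [local_path("2.2.2.0/24")]
    log: List[str] = []
    echoed = BgpPath("2.2.2.0/24", [ISP_AS, LOCAL_AS], "4.4.4.1")
    foreign = BgpPath("2.2.2.0/24", [ISP_AS, OTHER_AS], "4.4.4.1")
    for update in (echoed, foreign):
        kept, reason = receive_update(LOCAL_AS, update, denied_prefixes)
        log.append(f"AS_PATH {update.as_path}: {reason}")
        if kept is not None:
            candidates.append(kept)
    return best_path(candidates), log


if __name__ == "__main__":
    for denied in ([], ["2.2.2.0/24"]):
        best, log = r1_table(denied)
        print(f"inbound filter {denied or 'none'}:")
        for entry in log:
            print("  " + entry)
        print(f"  best path: weight={best.weight} local={best.local}")
```

Running it shows the two layers: the echoed update carrying AS 60000 is discarded by loop prevention whether or not the route-map exists (this is the R2 behaviour explained above), while the constructed announcement from a different origin AS is only kept out by the inbound route-map. Without the filter it still loses to the local route on weight (32768 versus 0), but it would sit in the BGP table; with the filter it never enters, which is the "don't learn this subnet back" behaviour the earlier reply recommends.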

Hi ,

 

I have attached the configuration and topology.

 

TOPOLOGY INT.png
