
Routed VPN via BGP

EddyFonseca3815
Level 1

Hello All

I am working on a lab/pilot to create an IPsec tunnel to a vendor over BGP using the Tunnel1 connection. I have created the tunnel and have the IPsec up and working. The examples are for cloud connections, but I want to hide my internal IPs from the vendor through the tunnel, and I will provide a NAT to this vendor. So in my configuration I will NAT to the 190.130.1.0/24 public IP range inside the IPsec tunnel, so when I NAT host 10.10.1.1 to 190.130.1.1, the vendor will only see 190.130.1.1 in the IPsec tunnel.

I have routed 190.130.1.0 255.255.255.0 to Null0 on the ASA so I can have this IP range in the IP table, but that did not work since the vendor could not see 190.130.1.1. I had to route the host 190.130.1.1 to Null0 and he was able to see it, but if I do this for all 254 IPs, that is a lot of route commands I have to add on the ASA. I would like to know if there is an easy way to advertise a host into BGP without adding a route command for each host.

Note: I use a route-map to filter the traffic to the vendor and will use the same for inbound traffic.

route Null0 190.130.1.0 255.255.255.0  !! adds the route into the ASA route table for BGP

*> 110.12.7.0/24 0.0.0.0 0 32768 ?
*> 170.220.68.0/24 0.0.0.0 0 32768 ?
*> 190.130.1.0/24 0.0.0.0 0 32768 ?

After I added the host to the route command:

route Null0 190.130.1.1 255.255.255.255  !! adds the route into the ASA route table for BGP
*> 110.12.7.0/24 0.0.0.0 0 32768 ?
*> 170.220.68.0/24 0.0.0.0 0 32768 ?
*> 190.130.1.0/24 0.0.0.0 0 32768 ?

*> 190.130.1.1/32
                            0.0.0.0 0 32768 ?

Once I added the host to the route command, I was able to see the IP address on the vendor side.

Let me know if you can direct me to some good information on how to set up an IPsec tunnel using VTI with BGP to a vendor, with the use of NAT into the tunnel.

Thank you

3 Replies

You need IPsec over BGP for router or ASA?

I have an ASA IPsec tunnel to a vendor to form a routed VPN using BGP. I can BGP peer with the vendor via a VTI and use the VTI IP address as the peering IP for the BGP exchange of traffic. What I need to know is how we would NAT the private IP in this tunnel and also advertise that traffic into the BGP tunnel. I was able to add a static route to Null0 on the ASA to get this route into the route table, but if I have a one-off or /32 IP address, how would I do that without creating lots and lots of /32 null routes?

There has to be some way I can advertise the public /32 or /29 into BGP without creating all these static route entries. I also used the network statement in BGP, but that also needed the static route in order to advertise the network in BGP.

If you have some information on this or past documents to guide me, I would like that.

Thank you

These /32 routes are for AnyConnect, which you want to forward to the other side via VTI?