
Using The Cisco ASA FPR-2100 as a BGP border router

byme88

Hi Everyone,

I have a question regarding my current ASA 2100. I have converted it to function as an ASA platform and wonder if I can use this device as a BGP border router. The high level of the network is as indicated below:

Spectrum ----> ASA 2100 ------> Fortigate 400F Firewall ------> Nexus 9K 

Any suggestions are truly appreciated!

Thank you in advance

byme88

1 Accepted Solution

Accepted Solutions

This is what I mean in my topology: since you don't have an edge router, you will connect the ASA directly to the ISP.
The ISP will push a default route into the ASA.
The ASA will be configured with OSPF area 1 NSSA and push the default route toward the FortiGate & NSK Core.
The ASA runs in router mode.
You can bypass the ASA and make the BGP connection between the ISP and the FortiGate.
For more info about the bypass, check below:
ASA/PIX: BGP through ASA Configuration Example - Cisco

Screenshot (638).png
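
A sketch of the routed-mode design described in this answer, as an added example (not from the original post or from the linked Cisco document): eBGP from the ASA to the ISP with inbound and outbound prefix filters, and OSPF area 1 as an NSSA toward the FortiGate. All AS numbers, addresses and prefix-list names are placeholders; 203.0.113.0/24 stands in for the public /24 mentioned in the thread.

```cisco
! Constructed example: every address, AS number and name is a placeholder.
! 198.51.100.1 = ISP BGP peer, 203.0.113.0/24 = the public /24,
! 10.255.0.0/30 = ASA-to-FortiGate transit link.

! Accept only a default route from the ISP; announce only our own /24.
prefix-list FROM-ISP seq 5 permit 0.0.0.0/0
prefix-list TO-ISP seq 5 permit 203.0.113.0/24

! Anchor route so the BGP "network" statement has a matching route.
! More specific routes learned from the FortiGate via OSPF still win.
route Null0 203.0.113.0 255.255.255.0

router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 198.51.100.1 remote-as 64500
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 prefix-list FROM-ISP in
  neighbor 198.51.100.1 prefix-list TO-ISP out
  network 203.0.113.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family

! Inside link toward the FortiGate sits in OSPF area 1 (NSSA);
! the ASA originates the default route into that area.
router ospf 1
 network 10.255.0.0 255.255.255.252 area 1
 area 1 nssa default-information-originate
 log-adj-changes
```

The two prefix lists keep the ASA from installing anything but the default route from the ISP and from leaking internal or transit prefixes outward.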


9 Replies

If you receive advertisements for only a few prefixes, then that's OK; you can use it.

byme88

Hi MHM,

Thank you for the quick response. To make this post a little clearer about what we are trying to accomplish, please see the drawing below and advise if this setup makes sense.

byme88_2-1681945086989.png

If not, can you please let me know what the best way to do this is?

Note that this is a brand-new setup with 2 firewalls and Nexus switch equipment that we have on hand (Cisco and FortiGate), so we are open to any suggestions.

byme88

So we have two options: transparent mode or BGP pass-through on the ASA?
For transparent mode, what is the reason you chose this option?

I thought in Transparent mode the ASA can work as a router, but it might not support Dynamic Routing Protocols. Correct?

In BGP pass-through, can you please advise how to do this? My goal is to advertise the /24 subnet to Spectrum.

Thanks,

Byme88

Adding to your question of why I chose the Transparent option: I do not have a good router that can run BGP in my possession.

I only have 2 firewalls (Cisco + Fortigate) and a couple Nexus 9K (L3 Switches)

Thanks,

Byme88

check below 

Hi MHM,

Thanks so much for the drawing! Will the ASA in this scenario be running in Route mode, or in Transparent mode?

Also, the scenario still calls for a router (R2), which we don't have! Can we replace it with a FortiGate firewall which has multiple VDOMs for customers behind it?

Thanks again for taking the time to answer my questions, it is truly appreciated.

Byme88


byme88

Hello MHM,

Perfect! Now I will have to figure out how to assign a /24 global IP address to several (10) VDOMs behind the FortiGate. Any suggestions? Should I chop it up, give a /30 global IP address to OSPF Area 1 NSSA and the rest to the 10 VDOMs on this FW proportionately?

Thanks again. 

Byme88