04-19-2023 02:35 PM
Hi Everyone,
I have a question regarding my current ASA 2100, I have converted it to be function as an ASA platform and wonder if I can use this device as a BGP border router? The high level of the network as indicated below:
Spectrum ----> ASA 2100 ------> Fortigate 400F Firewall ------> Nexus 9K
Any suggestions are truly appreciated!
Thank you in advance
byme88
04-19-2023 02:55 PM
If you receive only a few advertised prefixes then that's OK, you can use it.
04-19-2023 04:03 PM
Hi MHM,
Thank you for the quick response. To make this post a little clearer about what we are trying to accomplish, please see the drawing below and advise whether this setup makes sense.
If not, can you please let me know what the best way is to do this?
Note that this is a brand-new setup with 2 firewalls and Nexus switch equipment that we have on hand (Cisco and FortiGate), so we are open to any suggestions.
byme88
04-19-2023 04:22 PM
So we have two options: transparent mode or BGP pass-through on the ASA?
For transparent mode, what is the reason you chose this option?
04-19-2023 04:29 PM
I thought in Transparent mode the ASA can work as a router, but it might not support Dynamic Routing Protocols. Correct?
For BGP pass-through, can you please advise how to do this? My goal is to advertise the /24 subnet to Spectrum.
Thanks,
Byme88
04-19-2023 04:36 PM
Adding to your question of why I chose the transparent option: I do not have a good router that can run BGP in my possession.
I only have 2 firewalls (Cisco + FortiGate) and a couple of Nexus 9Ks (L3 switches).
Thanks,
Byme88
04-20-2023 04:26 AM - edited 04-20-2023 10:49 AM
check below
04-20-2023 10:16 AM
Hi MHM,
Thanks so much for the drawing! Will the ASA in this scenario be running in Route mode, or in Transparent mode?
Also, the scenario still calls for a router (R2), which we don't have! Can we replace it with a FortiGate firewall which has multiple VDOMs for the customers behind it?
Thanks again for taking the time to answer my questions, it is truly appreciated.
Byme88
04-20-2023 10:53 AM
This is what I meant in my topology: since you don't have an edge router, you will connect the ASA directly to the ISP.
The ISP will push a default route into the ASA.
The ASA will be configured with OSPF area 1 NSSA and push the default route toward the FortiGate & NSK core.
The ASA runs in routed mode.
You can bypass the ASA and make the BGP connection between the ISP and the FortiGate.
For more info about the bypass, check below:
ASA/PIX: BGP through ASA Configuration Example - Cisco
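One way to lay out the routed-mode design described above (eBGP to the ISP on the outside, OSPF area 1 NSSA originating the default toward the FortiGate and Nexus core) as an ASA configuration; this is an added example, not a config from the thread or from Cisco. Every address, ASN and interface name is an assumption drawn from documentation ranges: Spectrum supplies the real peer address and ASN, 198.51.100.0/24 stands in for the /24 to be advertised, and 10.0.0.0/29 is a constructed transit subnet to the FortiGate (10.0.0.2).

```cisco
! Constructed example, not the poster's configuration.
! Addresses: RFC 5737 documentation space. ASNs: RFC 5398 documentation ASNs.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.248
!
! Accept only a default route from the ISP and announce only our /24,
! so a mis-advertised prefix from either side cannot leak through.
prefix-list ISP-IN seq 5 permit 0.0.0.0/0
prefix-list ISP-OUT seq 5 permit 198.51.100.0/24
route-map ISP-IN permit 10
 match ip address prefix-list ISP-IN
route-map ISP-OUT permit 10
 match ip address prefix-list ISP-OUT
!
! The "network" statement below only announces the /24 while a matching
! route exists locally; here it is reached through the FortiGate.
route inside 198.51.100.0 255.255.255.0 10.0.0.2 1
!
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 203.0.113.1 remote-as 64496
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 route-map ISP-IN in
  neighbor 203.0.113.1 route-map ISP-OUT out
  network 198.51.100.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!
! OSPF runs only on the inside transit link (no "network" line for outside).
! The NSSA default is originated only while the ASA holds the BGP-learned
! default, so the downstream FortiGate and N9K lose it if the ISP session drops.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 255.255.255.248 area 1
 area 1 nssa default-information-originate
```

Verify with "show bgp summary" that the session is Established and with "show ospf neighbor" that the FortiGate is FULL before removing any temporary static default.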
04-20-2023 11:11 AM
Hello MHM,
Perfect! Now I will have to figure out how to assign a /24 global IP address to several (10) VDOMs behind the FortiGate. Any suggestions? Should I chop it up, give a /30 of global IP address space to OSPF area 1 NSSA and the rest to the 10 VDOMs on this FW proportionately?
Thanks again.
Byme88