11-15-2013 11:59 AM - edited 03-03-2019 07:13 AM
I have two internet connections. Both connections are with different providers and on two separate routers. I have two ASAs that sit behind the routers, and I proxy-ARP all hosted services off of the ASAs' outside interface.
I am obtaining a provider-independent AS number from ARIN and would like to set up eBGP peering with each provider, accepting a default route only and advertising my leased block (let's say 50.100.150.0/24). I'd like to prepend my AS on the ISP-B connection to ensure that it is only used as backup.
Here is the real question. I know I will need to allow TCP 179 through the ASAs to establish the iBGP connection, but because the hosts that I have at site A are proxy-ARP'd off of the firewall outside interface, I need some way for traffic to come in from ISP-B to router B and then traverse over to router A so that it can be sent to ASA-Firewall A (please see attached diagram). What is the best way to accomplish this? A GRE tunnel between the routers and through the firewalls? I have ample bandwidth and low latency between site A and B.
Thanks
11-15-2013 05:17 PM
I run iBGP between the routers in the 50.100.150.0/24 network. There's no technical need to have iBGP running on your internal network.
11-24-2013 03:08 AM
Is that orange line a direct connection between CPE routers? If yes, a direct iBGP connection is possible. If not, I suggest that you obtain one as it is almost impossible to make the ASAs stay in sync with BGP routing. (-: If you can't, then GRE could be a workaround.
Is ASA redundancy a requirement too? (I mean in case ASA-A fails, are the site-A servers supposed to be accessible via ASA-B?) If yes, you must ensure that the outgoing traffic (default route in internal network) is in sync with active ISP and asymmetric routing is prevented. You can solve that with object tracking and you need the same static NATs in both ASAs.
I would consider creating shared VLANs on ASA interfaces and form a failover pair too but it's a different setup.
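As an added example of the design this thread converges on (eBGP to each ISP accepting only a default route, the /24 advertised out, AS-path prepend toward ISP-B, and iBGP over the direct router-to-router link so that traffic arriving from ISP-B for site-A hosts is carried across to router A and ASA-A), here is a Cisco IOS configuration for the two CPE routers. This is not configuration from the original post or any reply; the AS numbers (65000 for the provider-independent AS, 65100 and 65200 for the ISPs), the link addresses taken from documentation ranges, and the interface names are assumptions. Only 50.100.150.0/24 comes from the thread.

```cisco
! ===== Router A (ISP-A side) =====
! All addresses, AS numbers and interface names below are assumed placeholders.
hostname RouterA
!
! Accept nothing but a default route from the provider; announce nothing but our PI block.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-BLOCK seq 5 permit 50.100.150.0/24
!
route-map FROM-ISP permit 10
 match ip address prefix-list DEFAULT-ONLY
!
route-map TO-ISP-A permit 10
 match ip address prefix-list OUR-BLOCK
!
interface GigabitEthernet0/0
 description To ISP-A (assumed link 198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Direct link to Router B (the "orange line", assumed 192.0.2.0/30)
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description To ASA-A outside; the hosted /24 lives here, proxy-ARPed by ASA-A
 ip address 50.100.150.1 255.255.255.0
!
router bgp 65000
 bgp router-id 192.0.2.1
 bgp log-neighbor-changes
 ! The /24 is directly connected on Gi0/2, so the network statement has a route to match.
 network 50.100.150.0 mask 255.255.255.0
 ! eBGP to ISP-A: default in, PI block out, no prepend (preferred path)
 neighbor 198.51.100.1 remote-as 65100
 neighbor 198.51.100.1 description eBGP to ISP-A
 neighbor 198.51.100.1 route-map FROM-ISP in
 neighbor 198.51.100.1 route-map TO-ISP-A out
 ! iBGP to Router B over the direct link; next-hop-self so the ISP-B default
 ! learned from B is usable here if the ISP-A session drops.
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 description iBGP to Router B
 neighbor 192.0.2.2 next-hop-self
!
! ===== Router B (ISP-B side) =====
hostname RouterB
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-BLOCK seq 5 permit 50.100.150.0/24
!
route-map FROM-ISP permit 10
 match ip address prefix-list DEFAULT-ONLY
!
! Prepend our own AS twice toward ISP-B so this path is only used as backup.
route-map TO-ISP-B permit 10
 match ip address prefix-list OUR-BLOCK
 set as-path prepend 65000 65000
!
interface GigabitEthernet0/0
 description To ISP-B (assumed link 203.0.113.0/30)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Direct link to Router A
 ip address 192.0.2.2 255.255.255.252
!
! Router B is not connected to the hosted /24. This static route both gives the
! BGP network statement something to match and forwards ISP-B ingress traffic for
! the block across the direct link to Router A, and from there to ASA-A.
ip route 50.100.150.0 255.255.255.0 192.0.2.1
!
router bgp 65000
 bgp router-id 192.0.2.2
 bgp log-neighbor-changes
 network 50.100.150.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 65200
 neighbor 203.0.113.1 description eBGP to ISP-B
 neighbor 203.0.113.1 route-map FROM-ISP in
 neighbor 203.0.113.1 route-map TO-ISP-B out
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description iBGP to Router A
 neighbor 192.0.2.1 next-hop-self
```

With this in place the iBGP session never crosses an ASA, so no TCP 179 rule is needed on the firewalls; ASA-A simply keeps its default route toward Router A, which chooses between the ISP-A default and the ISP-B default learned over iBGP. If the direct link did not exist, the GRE workaround mentioned in the reply would replace GigabitEthernet0/1 with a Tunnel interface on each router and require the ASAs to permit the tunnel traffic between the two router addresses; the BGP configuration itself would be unchanged. Verify with `show ip bgp summary` on both routers and `show ip bgp 50.100.150.0` at a looking glass to confirm the prepended path is seen only via ISP-B.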
11-30-2013 06:29 AM
Be careful with your setup, as you may end up blackholing your traffic because you have FWs in the path.
Are these firewalls stateful or not? Are they clustered or standalone?