1703 Views · 15 Helpful · 5 Replies

Allowing BGP or OSPF through ASA?

CiscoPurpleBelt (Level 6)

I see in some docs, such as https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/6500-bgp-pix.html, that you must configure NAT in addition to allowing port 179 to allow BGP through a FW. Basically I am just trying to confirm what all must be configured to allow BGP or OSPF communication/peering through the FW.


5 Replies

Hi,
Probably best to use BGP, so yes, you would need to allow TCP/179 through the firewall and potentially define a no-NAT/NAT exemption rule if you have a NAT/PAT rule which may have an undesired result and NAT the return traffic.

HTH

Right, because the peering would have issues if the IP address is changing. Why is it best to use BGP if the protocol must go through the FW? What about if the FW is actually participating in OSPF or BGP?

There are 2 significantly different situations: the ASA is participating in the dynamic routing protocol, or the dynamic routing protocol passes through the ASA.

If the ASA is participating in the routing protocol, then the routing protocol packets are received and processed by the ASA interface. There is nothing involving address translation and no access rules (other than making sure that existing access rules do not block the routing protocol packets). OSPF, EIGRP, or BGP all work just fine in this environment.

If the ASA is not participating in the routing protocol and the routing protocol packets will pass through the ASA, it is quite different. In this situation the routing protocol peers are in different subnets (perhaps one peer is connected to the Inside interface while the other peer is connected to DMZ). That is no problem for BGP, where BGP neighbors are frequently on remote subnets. But it is a problem for protocols like OSPF or EIGRP, which will establish neighbor relationships only with devices in the same subnet.

HTH

Rick
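The two cases described above, written out as ASA (8.3+ NAT syntax, 9.2+ for BGP) configuration. This is an added example, not configuration from any poster or from the linked Cisco document; the interface names, object names, ACL name, addresses and AS numbers are constructed for illustration.

```cisco
! --- Case 1: BGP passes THROUGH the ASA (the ASA is not a peer) ---
! Constructed addresses: inside peer 10.1.1.2, DMZ peer 10.2.2.2
object network BGP_PEER_INSIDE
 host 10.1.1.2
object network BGP_PEER_DMZ
 host 10.2.2.2
!
! Permit the TCP/179 session in the direction it is initiated;
! the stateful inspection allows the return traffic of that session.
access-list INSIDE_IN extended permit tcp object BGP_PEER_INSIDE object BGP_PEER_DMZ eq 179
access-group INSIDE_IN in interface inside
!
! Identity (twice) NAT so neither peer address is translated in either
! direction. Placed at line 1 so it is matched before any dynamic PAT
! rule that would otherwise rewrite the source address and break the peering.
nat (inside,dmz) 1 source static BGP_PEER_INSIDE BGP_PEER_INSIDE destination static BGP_PEER_DMZ BGP_PEER_DMZ
!
! --- Case 2: the ASA itself PARTICIPATES in the routing protocol ---
! No NAT rule and no through-traffic access rule is involved: the ASA
! interface receives and processes the protocol packets itself.
! Constructed AS numbers 65001 (ASA) and 65002 (neighbor).
router bgp 65001
 address-family ipv4 unicast
  neighbor 10.1.1.2 remote-as 65002
  neighbor 10.1.1.2 activate
  network 10.2.2.0 mask 255.255.255.0
!
! OSPF alternative for case 2: the adjacency forms on the subnet directly
! connected to the ASA interface (OSPF needs the neighbor in the same subnet).
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
```

In case 1, verify with `show nat` that the identity rule is hit and with `show conn | include 179` that the session is built with untranslated addresses.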

Ok so if the ASA were participating you would simply for the neighborship between the ASA just as you if it were a router?

[Accepted solution]

I believe that some words are missing which makes it difficult to be sure what you mean. But yes you would simply configure the ASA so that the interface does participate in the dynamic routing protocol and the neighbor relationship would be formed.

HTH

Rick