02-20-2015 01:26 AM - edited 02-21-2020 08:05 PM
Hello,
I wanted to ask if any of you have experience with BGP peering over IPsec VPN tunnels. Let's assume the following topology:
ASA version 9.2(3)
ASA1 ------ VPN tunnel over the Internet ------ ASA2 ------ R1
In this scenario I would like to establish BGP peering between ASA1 and R1. Between the two ASA firewalls there is an L2L VPN tunnel, and the BGP traffic should go via this tunnel (the BGP traffic should be encrypted).
I wanted to configure "neighbor (R1) update-source (inside)" under the router bgp command on ASA1, but unfortunately this command is not supported in version 9.2(3). According to the debug messages, outgoing BGP packets from ASA1 have the source IP of ASA1's outside interface and are not passing through the L2L VPN tunnel.
Do you have any idea how to configure BGP peering between ASA1 and R1 over the L2L VPN tunnel?
Thank you,
Lukas
02-22-2015 10:24 AM
You can add outside-IP:179 to the crypto ACL if you create the tunnel between ASA1 and ASA2.
03-02-2015 12:58 AM
I recently had to set up OSPF over a VPN, and initially I was expecting to use the local inside interfaces for the neighbours, but it turns out you use the external interfaces. Once I had the neighbours talking to each other, they did so directly outside of the VPN, despite the internal traffic being routed through the tunnel.
To solve that, I added the external addresses of the ASAs to the NAT exemption rule in addition to the crypto ACL:
nat (inside,outside) source static ASA-02-OUTSIDE ASA-02-OUTSIDE destination static VPN-02-OUTSIDE VPN-02-OUTSIDE
access-list acl_office-vpn extended permit ip host ASA-02-OUTSIDE host VPN-02-OUTSIDE
Hope that helps
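Putting the two replies above together (outside address plus TCP/179 in the crypto ACL, and a NAT exemption so the peer's traffic toward that public address is not translated), here is what the resulting configuration looks like on both firewalls for the original ASA1 / ASA2 / R1 topology. This is an added example, not configuration posted by anyone in the thread: the addresses (203.0.113.1 for ASA1's outside, 198.51.100.1 for ASA2's outside, 10.2.0.1 for R1 behind ASA2), the 10.1.0.0/16 and 10.2.0.0/16 inside networks, the AS numbers 65001/65002, and every object, ACL and crypto map name are assumed for illustration.

```cisco
! ===== ASA1 (the BGP speaker; peers with R1, which sits behind ASA2) =====
! Assumed addresses: ASA1 outside 203.0.113.1, ASA2 outside 198.51.100.1,
! R1 10.2.0.1 on ASA2's inside. All names, ASNs and subnets are examples.
names
name 203.0.113.1 ASA1-OUTSIDE
name 198.51.100.1 ASA2-OUTSIDE
name 10.2.0.1 R1-BGP
!
! Crypto ACL. ASA 9.2 has no update-source, so BGP leaves from the outside
! interface address; that address itself must therefore be "interesting
! traffic". Two TCP lines cover both ways the session can be opened:
! ASA1 -> R1:179, and R1 -> ASA1:179 (the ASA checks the mirror image on
! inbound decrypted packets).
access-list VPN-TO-ASA2 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-TO-ASA2 extended permit tcp host ASA1-OUTSIDE host R1-BGP eq 179
access-list VPN-TO-ASA2 extended permit tcp host ASA1-OUTSIDE eq 179 host R1-BGP
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA2
crypto map OUTSIDE-MAP 10 set peer ASA2-OUTSIDE
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! R1 is several hops away through the tunnel, so an eBGP session needs
! ebgp-multihop (drop that line if both ends are in one AS, i.e. iBGP).
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.2.0.1 remote-as 65002
  neighbor 10.2.0.1 ebgp-multihop 255
  neighbor 10.2.0.1 activate
  network 10.1.0.0 mask 255.255.0.0
  no auto-summary
  no synchronization
 exit-address-family
!
! ===== ASA2 (tunnel endpoint in front of R1) =====
names
name 203.0.113.1 ASA1-OUTSIDE
name 10.2.0.1 R1-BGP
!
! Exact mirror of ASA1's crypto ACL, so R1 <-> ASA1-outside is encrypted
! rather than sent in the clear across the Internet.
access-list VPN-TO-ASA1 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list VPN-TO-ASA1 extended permit tcp host R1-BGP host ASA1-OUTSIDE eq 179
access-list VPN-TO-ASA1 extended permit tcp host R1-BGP eq 179 host ASA1-OUTSIDE
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE-MAP 10 set peer ASA1-OUTSIDE
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! NAT exemption, the pattern from the second reply. Without it, R1's packets
! to ASA1's public address hit the usual dynamic PAT on the way out and no
! longer match the crypto ACL, so the BGP session bypasses the tunnel.
object network R1-HOST
 host 10.2.0.1
object network ASA1-OUTSIDE-HOST
 host 203.0.113.1
nat (inside,outside) source static R1-HOST R1-HOST destination static ASA1-OUTSIDE-HOST ASA1-OUTSIDE-HOST
```

To confirm the session really rides the tunnel rather than the open Internet, watch the per-ACL-entry counters with `show crypto ipsec sa peer 198.51.100.1` on ASA1: the `#pkts encaps`/`#pkts decaps` counters for the 203.0.113.1/10.2.0.1 TCP/179 selector should climb while `show bgp summary` shows the neighbour in Established. If BGP comes up but those counters stay at zero, the outside address is still being sent in the clear and the crypto ACL or the NAT exemption on ASA2 is the thing to recheck. R1 itself must be configured with 203.0.113.1 as its neighbour address, since that is the only source the ASA can use in this release.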
03-02-2015 02:26 AM
Thank you for your comments, guys! I just added the outside IP to the crypto ACL. BGP peering is working now.
Thank you!
09-17-2017 06:34 PM
I have a similar environment which was running an IPsec tunnel between an ASA and a PAN.
Now we have been asked to run BGP as the dynamic routing protocol on top of it.
The PAN expert provided a private /30 to use on both sides, with the public IPs used to establish connectivity.
I'm a bit confused: I cannot use the private /30 on the ASA, as it does not allow me to create any logical or loopback interface.
I suggested that they use the public IP addresses to establish BGP peering and add these public IPs to the crypto map statement with port 179.
But they want to use the private IP 10.252.252.2 as my peer IP and are telling me to use 10.252.252.1 as their peer IP.
Please suggest how I can use this private IP on an ASA firewall running version 9.
Regards
Kamal