ASA BGP peering over the IPSec VPN tunnel

Lukas Urbanec
Level 1

Hello,

I wanted to ask if any of you have experience with BGP peering over IPsec VPN tunnels. Let's assume the following topology:

ASA version 9.2(3)

ASA1 ------ VPN tunnel over the Internet ------ ASA2 ------ R1

In this scenario I would like to establish BGP peering between ASA1 and R1. Between the two ASA firewalls there is an L2L VPN tunnel, and the BGP traffic should go through this tunnel (the BGP traffic should be encrypted).

I wanted to configure neighbor (R1) update-source (inside) under the router bgp command on ASA1, but unfortunately this command is not supported in version 9.2(3). According to the debug messages, outgoing BGP packets from ASA1 have the source IP of ASA1's outside interface and do not pass through the L2L VPN tunnel.


Do you have any idea how to configure BGP peering between ASA1 and R1 over the L2L VPN tunnel?


Thank you,

Lukas

4 Replies

Peter Koltl
Level 7

You can add outside-IP:179 to the crypto ACL if you create the tunnel between ASA1 and ASA2.

I recently had to set up OSPF over a VPN and initially I was expecting to use the local inside interfaces for the neighbours, but it turns out you use the external interfaces. Once I had the neighbours talking to each other they did so directly, outside of the VPN, despite the internal traffic being routed through the tunnel.

To solve that I added the external addresses of the ASAs to the NAT exemption rule in addition to the crypto ACL:


nat (inside,outside) source static ASA-02-OUTSIDE ASA-02-OUTSIDE destination static VPN-02-OUTSIDE VPN-02-OUTSIDE

access-list acl_office-vpn extended permit ip host ASA-02-OUTSIDE host VPN-02-OUTSIDE

Hope that helps
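Putting the two replies together as one worked ASA1 configuration, an added example that is not from this thread; the addresses, object names, ACL name and AS numbers are constructed placeholders and the peer (R1) sits one hop behind ASA2 as in the original topology:

```cisco
! Added example, not from the thread. Constructed placeholder addresses:
!   198.51.100.1  ASA1 outside interface (the source ASA1 actually uses for BGP)
!   203.0.113.1   ASA2 outside interface (the L2L tunnel peer)
!   10.2.0.1      R1, behind ASA2, the BGP neighbour
!   10.1.0.0/24   ASA1 inside network carried over the tunnel
object network ASA1-OUTSIDE
 host 198.51.100.1
object network R1-PEER
 host 10.2.0.1
!
! Crypto ACL: the usual inside-to-inside entry plus the BGP session itself.
! Both port positions are listed because whichever side opens the session,
! ASA1's outbound packets carry 179 as either destination or source port.
access-list acl_l2l-asa2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list acl_l2l-asa2 extended permit tcp host 198.51.100.1 host 10.2.0.1 eq 179
access-list acl_l2l-asa2 extended permit tcp host 198.51.100.1 eq 179 host 10.2.0.1
! ASA2 needs the mirror-image entries in its own crypto ACL.
!
! NAT exemption for the same host pair, in the form the reply above used.
nat (inside,outside) source static ASA1-OUTSIDE ASA1-OUTSIDE destination static R1-PEER R1-PEER
!
! BGP: with no update-source on 9.2(3) the peer sees ASA1's outside address,
! so R1 must be configured with 198.51.100.1 as its neighbour. R1 is two
! hops away (ASA1 -> ASA2 -> R1), hence ebgp-multihop.
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.2.0.1 remote-as 65002
  neighbor 10.2.0.1 ebgp-multihop 2
  neighbor 10.2.0.1 activate
  network 10.1.0.0 mask 255.255.255.0
  exit-address-family
!
! Checks: the session must come up AND the IPsec counters must move;
! an Established session with static encaps/decaps counters means the
! peering is running in the clear outside the tunnel (the OSPF case above).
! show bgp summary
! show crypto ipsec sa peer 203.0.113.1
```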

Thank you for your comments, guys! I just added the outside IP to the crypto ACL. BGP peering is working now.


Thank you!

I have a similar environment, which was running an IPsec tunnel between an ASA and a PAN.

Now we were asked to run BGP as the dynamic protocol on top of it.

The PAN expert provided a private /30 to use on both sides, with the public IPs used to establish connectivity.

I am a bit confused: I cannot use the private /30 on the ASA, as it does not allow me to create any logical or loopback interface.

I suggested that they use the public IP addresses to establish the BGP peering and add these public IPs to the crypto map statement with port 179.

But they want to use the private IP 10.252.252.2 as my peer IP and are telling me to use 10.252.252.1 as their peer IP.

Please suggest how I can use this private IP on an ASA firewall running version 9.


Regards

Kamal