Cisco asa bgp support


VPN Config Guide: Cisco ASA + - Route Based BGP VPN

Created by: Kevin Kruger

Modified on: Mon, 6 Jul, at PM


Connecting to a Cisco ASA

This article describes how to configure a single Cisco ASA firewall running firmware version or later to connect to Pureport via a Route Based BGP VPN. Using BGP lets you grow your network without having to manage Traffic Selectors and Route Tables by hand.

Prerequisites

Before connecting to a Cisco ASA, you must have a Pureport Route-Based BGP VPN Connection using IKEv2. See "Connecting to a Site VPN - Route-Based with BGP" for details.

You must also gather the following information: 

  • The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Gateway Pre-shared Key
  • Secondary Gateway Pre-shared Key
  • Primary Gateway BGP password
  • Secondary Gateway BGP Password
  • The Primary Gateway Customer VTI IP in CIDR format.
  • The Primary Gateway Pureport VTI IP
  • The Secondary Gateway Customer VTI IP in CIDR format.
  • The Secondary Gateway Pureport VTI IP
  • Pureport ASN
  • Customer ASN

You can find this information in your Site IPSec VPN connections, as shown here:

Example Configuration

This example builds an HA IPSEC VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.

Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.

  1. Create a Pureport compatible IKE Crypto Policy that supports Pureport's crypto set:

    crypto ikev2 enable 'outside'
    group-policy Pureport internal
    group-policy Pureport attributes
      vpn-tunnel-protocol ikev2
    crypto isakmp identity address
    crypto ikev2 policy
      group 14
      encryption aes aes aes
      integrity sha sha sha
      prf sha sha sha
    exit


  2. Create the Primary Tunnel Group and Pre-shared Key:

    tunnel-group <Pureport Primary Gateway IP> type ipsec-l2l
    tunnel-group <Pureport Primary Gateway IP> general-attributes
      default-group-policy Pureport
    tunnel-group <Pureport Primary Gateway IP> ipsec-attributes
      ikev2 local-authentication pre-shared-key <Primary pre-shared key>
      ikev2 remote-authentication pre-shared-key <Primary pre-shared key>
      isakmp keepalive threshold 10 retry 2



  3. Create the IPSec transform set that defines encryption, authentication, and IPSec mode parameters:

    crypto ipsec ikev2 ipsec-proposal Pureport
      protocol esp encryption aes aes aes
      protocol esp integrity sha sha sha
    crypto ipsec profile PureportProfile
      set ikev2 ipsec-proposal Pureport
      set pfs group14
    exit



  4. Configure the Tunnel #1 interface (the address is the Primary Gateway Customer VTI IP gathered in the prerequisites):

    interface Tunnel1
      nameif Tunnel-int-pureport-0
      ip address <Primary Gateway Customer VTI IP and mask>
      tunnel source interface 'outside'
      tunnel destination <Pureport Primary Gateway IP>
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile PureportProfile
      no shutdown
    exit


  5. Create a route-map to be applied to your primary connection:

    route-map PRIMARY permit 10
     set metric

  6. Configure BGP on Tunnel #1, applying the route-map created above:

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Primary Pureport VTI IP> timers 10 30 30
      neighbor <Primary Pureport VTI IP> password <BGP Primary password>
      neighbor <Primary Pureport VTI IP> activate
      neighbor <Primary Pureport VTI IP> next-hop-self
      no neighbor <Primary Pureport VTI IP> default-originate
      neighbor <Primary Pureport VTI IP> route-map PRIMARY out
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family



  7. Create the Secondary Tunnel Group and Pre-shared Key:

    tunnel-group <Pureport Secondary Gateway IP> type ipsec-l2l
    tunnel-group <Pureport Secondary Gateway IP> general-attributes
      default-group-policy Pureport
    tunnel-group <Pureport Secondary Gateway IP> ipsec-attributes
      ikev2 local-authentication pre-shared-key <Secondary pre-shared key>
      ikev2 remote-authentication pre-shared-key <Secondary pre-shared key>
      isakmp keepalive threshold 10 retry 2



  8. If you didn't do this in Step 3, create an IPSec transform set that defines encryption, authentication, and IPSec mode parameters for Tunnel #2:

    crypto ipsec ikev2 ipsec-proposal Pureport
      protocol esp encryption aes aes aes
      protocol esp integrity sha sha sha
    crypto ipsec profile PureportProfile
      set ikev2 ipsec-proposal Pureport
      set pfs group14
    exit



  9. Configure the Tunnel #2 interface (the address is the Secondary Gateway Customer VTI IP gathered in the prerequisites):

    interface Tunnel2
      nameif Tunnel-int-pureport-1
      ip address <Secondary Gateway Customer VTI IP and mask>
      tunnel source interface 'outside'
      tunnel destination <Secondary Pureport Gateway IP>
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile PureportProfile
      no shutdown
    exit


  10. Because the Cisco ASA is not capable of automatically failing over VTI tunnels, we will use the route-map functionality to prefer the Primary VTI. Return traffic is also steered down the Primary VTI by prepending the local Customer ASN to the AS path advertised over the Secondary VTI, creating a longer (less preferred) AS path, and by setting the route metric to a less preferred value. This is done for both inbound and outbound BGP.

    route-map BACKUP permit 10
     set metric
     set as-path prepend last-as 1



  11. Configure BGP on Tunnel #2, applying the BACKUP route-map:

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Secondary Pureport VTI IP> timers 10 30 30
      neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
      neighbor <Secondary Pureport VTI IP> activate
      neighbor <Secondary Pureport VTI IP> next-hop-self
      no neighbor <Secondary Pureport VTI IP> default-originate
      neighbor <Secondary Pureport VTI IP> route-map BACKUP out
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family
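To see why the PRIMARY and BACKUP route-maps above make the Pureport side prefer the primary tunnel, and what happens when it goes down, here is an added Python model of the BGP decision process (written for this guide; it is not Pureport's or Cisco's code). The ASNs, VTI addresses, local network, router ID and the elided "set metric" values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders for the page's <Customer ASN>, <Pureport ASN>, VTI IPs
# and local network; none of these values come from the guide.
CUSTOMER_ASN = 65001
PUREPORT_ASN = 65002
PRIMARY_VTI = "169.254.10.1"     # stand-in for <Primary Gateway Customer VTI IP>
SECONDARY_VTI = "169.254.20.1"   # stand-in for <Secondary Gateway Customer VTI IP>
LOCAL_NET = "10.10.0.0/24"       # stand-in for <Your local network>
# The 'set metric' values are elided on the page; these are constructed stand-ins.
PRIMARY_METRIC = 10
BACKUP_METRIC = 100


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str          # customer VTI address the prefix was learned from
    as_path: tuple         # leftmost entry is the neighbouring AS
    med: Optional[int]     # None models a route that carries no MED attribute
    local_pref: int = 100
    router_id: str = "0.0.0.0"


def advertise(route_map: str, next_hop: str, med: int) -> Path:
    """Model the ASA exporting the locally originated LOCAL_NET to the Pureport
    peer through PRIMARY or BACKUP. eBGP export prepends the local AS once;
    'set as-path prepend last-as 1' on BACKUP adds it a second time (for a
    locally originated route the last AS is the local AS), giving the longer
    path the guide describes."""
    prepend = 1 if route_map == "BACKUP" else 0
    return Path(LOCAL_NET, next_hop, (CUSTOMER_ASN,) * (1 + prepend), med,
                router_id="10.10.0.1")  # same ASA sends both; constructed id


def _med_key(p: Path, missing_as_worst: bool) -> float:
    # By default a missing MED is treated as 0 (best); with
    # 'bgp bestpath med missing-as-worst' it is treated as infinity (worst).
    if p.med is not None:
        return p.med
    return float("inf") if missing_as_worst else 0


def best_path(paths, med_missing_as_worst: bool = False) -> Optional[Path]:
    """Subset of the BGP decision process using the knobs this page mentions:
    highest LOCAL_PREF, shortest AS_PATH, lowest MED (both tunnels come from the
    same neighbouring AS, so MED is comparable), then lowest router ID
    (bgp bestpath compare-routerid). Returns None for an empty candidate set."""
    if not paths:
        return None
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path),
                                     _med_key(p, med_missing_as_worst),
                                     tuple(int(o) for o in p.router_id.split("."))))


def decisive_attribute(a: Path, b: Path) -> str:
    """Name the first attribute, in decision order, on which two paths differ."""
    if a.local_pref != b.local_pref:
        return "local_pref"
    if len(a.as_path) != len(b.as_path):
        return "as_path_length"
    if a.med != b.med:
        return "med"
    return "router_id"


def pureport_view(primary_up: bool = True, secondary_up: bool = True) -> Optional[Path]:
    """The path the Pureport side installs for LOCAL_NET given which tunnels
    are up; None when both tunnels are down."""
    candidates = []
    if primary_up:
        candidates.append(advertise("PRIMARY", PRIMARY_VTI, PRIMARY_METRIC))
    if secondary_up:
        candidates.append(advertise("BACKUP", SECONDARY_VTI, BACKUP_METRIC))
    return best_path(candidates)


if __name__ == "__main__":
    both = pureport_view()
    print("both tunnels up     ->", both.next_hop, "as_path", both.as_path)
    failed = pureport_view(primary_up=False)
    print("primary tunnel down ->", failed.next_hop, "as_path", failed.as_path)
```

With both tunnels up the primary wins on AS path length before the metric is even consulted, so the metric only matters if the prepend is removed.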



Testing IPSEC VPN Tunnel Connectivity

When using BGP, the routing table updates automatically if one of the tunnels disconnects.

  1. To verify BGP peering is established, check the route table from or via the CLI with this command:

    The system displays the current BGP routes in the ASA route table. Note that the Primary VTI is preferred.

  2. To see all BGP routes, use:


  3. To confirm that your tunnels have successfully established connection to your Pureport Gateways, from a system in your local network, ping the Primary Pureport VTI IP address. A successful ping will transmit all packets with no losses.

    To ping the Primary Gateway Pureport VTI, use:


Kevin is the author of this solution article.


Source: https://help.pureport.com/support/solutions/articles/vpn-config-guide-cisco-asaroute-based-bgp-vpn

ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide,

Configure BGP

This section describes how to enable and configure the BGP process on your system.

Procedure



Enable BGP

This section describes the steps required to enable BGP routing, establish a BGP routing process and configure general BGP parameters.

Procedure


Step 1

For single-mode, in ASDM, choose .

Note 

For multi-mode, in ASDM choose Configuration > Context Management > BGP. After enabling BGP, switch to a security context and enable BGP by choosing Configuration > Device Setup > Routing > BGP  > General.

Step 2

Check the Enable BGP Routing check box.

Step 3

In the AS Number field, enter the autonomous system (AS) number for the BGP process. The AS number internally includes multiple autonomous numbers. The AS number can be from 1 to or from to XX.YY.

Step 4

(Optional) Check the Limit the number of AS numbers in the AS_PATH attribute of received routes check box to restrict the number of AS numbers in AS_PATH attribute to a specific number. Valid values are from 1 to

Step 5

(Optional) Check the Log neighbor changes check box to enable logging of BGP neighbor changes (up or down) and resets. This helps in troubleshooting network connectivity problems and measuring network stability.

Step 6

(Optional) Check the Use TCP path MTU discovery check box to use the Path MTU Discovery technique to determine the maximum transmission unit (MTU) size on the network path between two IP hosts. This avoids IP fragmentation.

Step 7

(Optional) Check the Enable fast external failover check box to reset the external BGP session immediately upon link failure.

Step 8

(Optional) Check the Enforce that first AS is peer’s AS for EBGP routes check box to discard incoming updates received from external BGP peers that do not list their AS number as the first segment in the AS_PATH attribute. This prevents a mis-configured or unauthorized peer from misdirecting traffic by advertising a route as if it was sourced from another autonomous system.

Step 9

(Optional) Check the Use dot notation for AS numbers check box to split the full binary 4-byte AS number into two words of 16 bits each, separated by a dot. AS numbers from are represented as decimal numbers and AS numbers larger than are represented using the dot notation.

Step 10

Specify the timer information in the Neighbor timers area:

  1. In the Keepalive interval field, enter the time interval for which the BGP neighbor remains active after not sending a keepalive message. At the end of this keepalive interval, the BGP peer is declared dead, if no messages are sent. The default value is 60 seconds.

  2. In the Hold Time field, enter the time interval for which the BGP neighbor remains active while a BGP connection is being initiated and configured. The default value is seconds.

  3. (Optional) In the Min. Hold Time field, enter the minimum time interval for which the BGP neighbor remains active while a BGP connection is being initiated and configured. Specify a value from 0 to

Step 11

(Optional) In the Non Stop Forwarding section do the following:

  1. Check the Enable Graceful Restart check box to enable ASA peers to avoid a routing flap following a switchover.

  2. In the Restart Time field, enter the time duration that ASA peers will wait to delete stale routes before a BGP open message is received. The default value is seconds. Valid values are between 1 and seconds.

  3. In the Stale Path Time field, enter the time duration that the ASA will wait before deleting stale routes after an end of record (EOR) message is received from the restarting ASA. The default value is seconds. Valid values are between 1 and seconds.

Step 12

Click OK.

Step 13

Click Apply.


Define the Best Path for a BGP Routing Process

This section describes the steps required to configure the BGP best path. For more information on the best path, see BGP Path Selection.

Procedure


Step 1

In ASDM, choose .

The Best Path configuration pane appears.

Step 2

In the Default Local Preference field, specify a value between 0 and The default value is Higher values indicate higher preference. This preference is sent to all routers and access servers in the local autonomous system.

Step 3

Check the Allow comparing MED from different neighbors check box to allow the comparison of Multi Exit Discriminator (MED) for paths from neighbors in different autonomous systems.

Step 4

Check the Compare router-id for identical EBGP paths check box to compare similar paths received from external BGP peers during the best path selection process and switch the best path to the route with the lowest router ID.

Step 5

Check the Pick the best MED path among paths advertised from the neighboring AS check box to enable MED comparison among paths learned from confederation peers. The comparison between MEDs is made only if no external autonomous systems are in the path.

Step 6

Check the Treat missing MED as the least preferred one check box to consider the missing MED attribute as having a value of infinity, making this path the least desirable; therefore, a path with a missing MED is least preferred.

Step 7

Click OK.

Step 8

Click Apply.


Configure Policy Lists

When a policy list is referenced within a route map, all of the match statements within the policy list are evaluated and processed. Two or more policy lists can be configured with a route map. A policy list can also coexist with any other preexisting match and set statements that are configured within the same route map but outside of the policy list. This section describes the steps required to configure policy lists.

Procedure


Step 1

In ASDM, choose .

Step 2

Click Add.

The Add Policy List dialog box appears. From this dialog box, you can add a policy list name, its redistribution access (that is, permit or deny), match interfaces, specify IP addresses, match the AS path, match community names list, match metrics, and match tag numbers.

Step 3

In the Policy List Name field, enter a name for the policy list.

Step 4

Click the Permit or Deny radio button to indicate the redistribution access.

Step 5

Check the Match Interfaces check box to distribute routes that have their next hop out of one of the interfaces specified and do one of the following:

  • In the Interface field, enter the interface name.
  • In the Interface field, click the ellipses to manually browse and locate the interface. Choose one or more interfaces, click Interface, then click OK.
Step 6

In the Specify IP area, configure the following:

  1. Check the Match Address check box to redistribute any routes that have a destination network number address that is permitted by a standard access list or prefix list, and performs policy routing on packets.

    Specify an access list / prefix list or click the ellipses to manually browse and locate an access list. Choose one or more access lists, click Access List, then click OK.

  2. Check the Match Next Hop check box to redistribute any routes that have a next hop router address passed by one of the access lists or prefix lists specified.

    Specify an access list/ prefix list or click the ellipses to manually browse and locate an access list. Choose one or more access lists, click Access List, then click OK.

  3. Check the Match Route Source check box to redistribute routes that have been advertised by routers and access servers at the address specified by the access lists or prefix list.

    Specify an access list/ prefix list or click the ellipses to manually browse and locate an access list. Choose one or more access lists, click Access List, then click OK.

Step 7

Check the Match AS Path check box to match a BGP autonomous system path.

Specify an AS path filter or click the ellipses to manually browse and locate the AS Path Filter. Choose one or more AS Path Filters, click AS Path Filter, then click OK.

Step 8

Check the Match Community Names List check box to match a BGP community.

  1. Specify a community rule or click the ellipses to manually browse and locate the community rules.Choose one or more community rules, click Community Rules, then click OK.

  2. Check the Match the specified community exactly check box to match a specific BGP community.

Step 9

Check the Match Metrices check box to redistribute routes with the metric specified. If you specify more than one metric, the routes can be matched with either metric.

Step 10

Check the Match Tag Numbers check box to redistribute routes in the routing table that match the specified tags. If you specify more than one tag number, routes can be matched with either tag.

Step 11

Click OK.

Step 12

Click Apply.


Configure AS Path Filters

An AS path filter allows you to filter the routing update message by using access lists and look at the individual prefixes within an update message. If a prefix within the update message matches the filter criteria then that individual prefix is filtered out or accepted depending on what action the filter entry has been configured to carry out. This section describes the steps required to configure AS path filters.


Note

The as-path access-lists are not the same as the regular firewall ACLs.


Procedure


Step 1

In ASDM, choose .

Step 2

Click Add.

The Add Filter dialog box appears. From this dialog box, you can add a filter name, its redistribution access (that is, permit or deny), and regular expression.

Step 3

In the Name field, enter a name for the AS Path Filter.

Step 4

Click the Permit or Deny radio button to indicate the redistribution access.

Step 5

Specify the regular expression. Click Build to build the regular expression.

Step 6

Click Test to test if a regular expression matches a string of your choice.

Step 7

Click OK.

Step 8

Click Apply.


Configure Community Rules

A community is a group of destinations that share some common attribute. You can use community lists to create groups of communities to use in a match clause of a route map. Just like an access list, a series of community lists can be created. Statements are checked until a match is found. As soon as one statement is satisfied, the test is concluded. This section describes the steps required to configure community rules.

Procedure


Step 1

In ASDM, choose

Step 2

Click Add.

The Add Community Rule dialog box appears. From this dialog box, you can add a rule name, rule type, its redistribution access (that is, permit or deny) and specific communities.

Step 3

In the Rule Name field, enter a name for the community rule.

Step 4

Click Standard or Expanded radio button to indicate the community rule type.

Step 5

Click Permit or Deny radio button to indicate the redistribution access.

Step 6

To add Standard Community Rules:

  1. In the Communities field, specify a community number. Valid values are from 1 to

  2. (Optional) Check the Internet (well-known community) check box to specify the Internet community. Routes with this community are advertised to all peers (internal and external).

  3. (Optional) Check the Do not advertise to any peers (well-known community) check box to specify the no-advertise community. Routes with this community are not advertised to any peer (internal or external).

  4. (Optional) Check the Do not export to next AS (well-known community) check box to specify the no-export community. Routes with this community are advertised to only peers in the same autonomous system or to only other sub-autonomous systems within a confederation. These routes are not advertised to external peers.

Step 7

To add expanded community rules:

  1. In the Regular Expression field, enter a regular expression. Alternately, click Build to build the regular expression.

  2. Click Test to examine whether the regular expression you built matches a string of your choice.

Step 8

Click OK.

Step 9

Click Apply.


Configure IPv4 Address Family Settings

The IPv4 settings for BGP can be set up from the IPv4 family option within the BGP configuration setup. The IPv4 family section includes subsections for General settings, Aggregate address settings, Filtering settings and Neighbor settings. Each of these subsections enable you to customize parameters specific to the IPv4 family.

Configure IPv4 Family General Settings

This section describes the steps required to configure the general IPv4 settings.

Procedure

Step 1

In ASDM, choose .

Step 2

Click General.

The General IPv4 family BGP parameters configuration pane is displayed.

Step 3

Specify External, Internal and Local distances in the Administrative Distances area.

Step 4

Choose a route map name from the Learned Routes Map drop-down list. Click Manage to add and configure route maps.

Step 5

(Optional) Check the Generate Default Route check box to configure a BGP routing process to distribute a default route (network ).

Step 6

(Optional) Check the Summarize subnet routes into network-level routes check box to configure automatic summarization of subnet routes into network-level routes.

Step 7

(Optional) Check the Advertise inactive routes check box to advertise routes that are not installed in the routing information base (RIB).

Step 8

(Optional) Check the Redistribute iBGP into an IGP check box to configure iBGP redistribution into an interior gateway protocol (IGP), such as IS-IS or OSPF.

Step 9

(Optional) Enter a scanning interval (in seconds) for BGP routers for next-hop validation in the Scanning Interval field. Valid values are from 5 to 60 seconds.

Step 10

(Optional) Check the Enable address tracking check box to enable BGP next hop address tracking. Specify the delay interval between checks on updated next-hop routes installed in the routing table in the Delay Interval field.

Step 11

(Optional) Specify the maximum number of parallel internal Border Gateway Protocol (iBGP) routes that can be installed in a routing table in the Number of paths field and check the iBGP multipaths check box.

Step 12

Click Apply.


Configure IPv4 Family Aggregate Address Settings

This section describes the steps required to define the aggregation of specific routes into one route.

Procedure

Step 1

In ASDM, choose .

Step 2

Click Aggregate Address.

The Aggregate Address parameters configuration pane is displayed.

Step 3

Click Add.

The Add Aggregate Address pane is displayed.

Step 4

Specify a network object in the Network field.

Step 5

Check the Generate autonomous system set path information check box to generate autonomous system set path information.

Step 6

Check the Filters all more-specific routes from the updates check box to filter all more-specific routes from updates.

Step 7

Choose a route-map from the Attribute Map drop-down list. Click Manage to add or configure a route map.

Step 8

Choose a route-map from the Advertise Map drop-down list. Click Manage to add or configure a route.

Step 9

Choose a route-map from the Suppress Map drop-down list. Click Manage to add or configure a route.

Step 10

Click OK.

Step 11

Specify a value for the aggregate timer (in seconds) in the Aggregate Timer field. Valid values are 0 or any value between 6 and

Step 12

Click Apply.


Configure IPv4 Family Filtering Settings

This section describes the steps required to filter routes or networks received in incoming BGP updates.

Procedure

Step 1

Choose .

Step 2

Click Filtering.

The Define filters for BGP updates pane is displayed.

Step 3

Click Add.

The Add Filter pane is displayed.

Step 4

Choose a direction from the Direction drop-down list. The direction will specify if the filter should be applied to inbound updates or outbound updates.

Step 5

Choose a standard access list from the Access List drop-down list. Click Manage to add a new ACL.

Step 6

For outbound filters, you can optionally specify what types of route are distributed.

  1. Choose an option from the Protocol drop-down list.

    You can choose a routing protocol, such as BGP, EIGRP, OSPF, or RIP.

    Choose Connected to filter on peers and networks learned through connected routes.

    Choose Static to filter on peers and networks learned through static routes.

  2. If you chose BGP, EIGRP, or OSPF, also choose the Process ID for that protocol.

Step 7

Click OK.

Step 8

Click Apply.


Configure IPv4 Family BGP Neighbor Settings

This section describes the steps required to define BGP neighbors and neighbor settings.

Procedure

Step 1

In ASDM, choose >Routing.

Step 2

Click Neighbor.

Step 3

Click Add.

Step 4

Click General in the left pane.

Step 5

Enter a BGP neighbor IP address in the IP Address field. This IP address is added to the BGP neighbor table.

Step 6

Enter the autonomous system to which the BGP neighbor belongs in the Remote AS field.

Step 7

(Optional) Enter a description for the BGP neighbor in the Description field.

Step 8

(Optional) Check the Shutdown neighbor administratively check box to disable a neighbor or peer group.

Step 9

(Optional) Check the Enable address family check box to enable communication with the BGP neighbor.

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdmgeneral-config/route-bgp.html

Cisco ASA: BGP routing

Technology: FIREWALLS

Area: Traffic restrictions

Vendor: CISCO

Software: CISCO ADAPTIVE SECURITY APPLIANCE (ASA) , ASA-OS, +

Platform: CISCO ASA , X

 

BGP runs between routers in different autonomous systems (or within the same autonomous system, in which case it is called iBGP). BGP routing is supported in Active/Standby and Active/Active HA configurations. Only the Active unit listens on TCP port for BGP connections from peers.

 

To configure BGP, use the commands below:

BGP routing on Cisco ASA

 

BGP routing configuration example (external BGP – eBGP):

 

Read about the BGP Communities

Author: Marcin Bialy

 

Source: https://www.grandmetric.com/knowledge-base/design_and_configure/how-to-configure-bgp-on-cisco-asa/
Security - Configuring ASA BGP, Redistribution and troubleshooting

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide,

Configure BGP

This section describes how to enable and configure the BGP process on your system.

Procedure



Enable BGP

This section describes the steps required to enable BGP routing, establish a BGP routing process and configure general BGP parameters.

Procedure


Step 1

Enable a BGP routing process, which places the ASA in router configuration mode:

router bgp autonomous-num

Example:

Valid values for autonomous-num are from and XX.YY.

Step 2

Discard routes that have as-path segments that exceed a specified value:

bgp maxas-limit number

Example:

The number argument specifies the maximum number of autonomous system segments allowed. Valid values are from 1 to

Step 3

Log BGP neighbor resets:

bgp log-neighbor-changes

Step 4

Enable BGP to automatically discover the best TCP path MTU for each BGP session:

bgp transport path-mtu-discovery

Step 5

Enable BGP to terminate external BGP sessions of any directly adjacent peer if the link used to reach the peer goes down; without waiting for the hold-down timer to expire:

bgp fast-external-fallover

Step 6

Allow a BGP routing process to discard updates received from external BGP (eBGP) peers that do not list their autonomous system (AS) number as the first AS path segment in the AS_PATH attribute of the incoming route:

bgp enforce-first-as

Step 7

Change the default display and regular expression match format of BGP 4-byte autonomous system numbers from asplain (decimal values) to dot notation:

bgp asnotation dot

Step 8

Adjust BGP network timers:

timers bgp keepalive holdtime [min-holdtime]

Example:

  • keepalive — frequency (in seconds) with which the ASA sends keepalive messages to its peer. The default value is 60 seconds.

  • holdtime — interval (in seconds) after not receiving a keepalive message that the ASA declares a peer dead. The default is seconds.

  • (Optional) min-holdtime — interval (in seconds) after not receiving a keepalive message from a neighbor, that the ASA declares a neighbor dead.

Step 9

Enable BGP graceful restart capability:

bgp graceful-restart [restart-time seconds|stalepath-time seconds][all]

Example:

  • restart-time — maximum time period (in seconds) that the ASA will wait for a graceful-restart-capable neighbor to return to normal operation after a restart event occurs. The default is seconds. Valid values are from 1 to seconds.

  • stalepath-time — maximum time period (in seconds) that the ASA will hold stale paths for a restarting peer. All stale paths are deleted after this timer expires. The default value is seconds. Valid values are from 1 to seconds.
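The two inbound sanity checks above, bgp enforce-first-as (step 6) and bgp maxas-limit (step 2), which the ASDM section earlier on the page exposes as check boxes, as an added Python model of how an ASA would judge received updates; this is illustration code written for this page, not Cisco's implementation. The peer addresses, ASNs and prefixes in the sample updates are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_AS = 65001   # constructed stand-in for the ASA's own 'router bgp' AS


@dataclass(frozen=True)
class Update:
    peer_ip: str
    peer_as: int
    prefix: str
    as_path: Tuple[int, ...]   # AS_SEQUENCE as received; leftmost AS is the sender's


def check_update(u: Update, local_as: int = LOCAL_AS, enforce_first_as: bool = True,
                 maxas_limit: Optional[int] = None) -> Tuple[bool, str]:
    """Apply the two checks and return (accepted, reason).
    - bgp enforce-first-as: for an eBGP peer the first AS_PATH segment must be
      the peer's own AS; anything else means the peer is passing a route off
      as if it came straight from another AS. An empty AS_PATH from an eBGP
      peer is treated as a violation here (modelling choice, not from the page).
    - bgp maxas-limit N: discard paths carrying more than N AS numbers."""
    is_ebgp = u.peer_as != local_as
    if enforce_first_as and is_ebgp:
        first = u.as_path[0] if u.as_path else None
        if first != u.peer_as:
            return False, f"enforce-first-as: first AS {first} is not peer AS {u.peer_as}"
    if maxas_limit is not None and len(u.as_path) > maxas_limit:
        return False, f"maxas-limit: {len(u.as_path)} AS numbers exceed limit {maxas_limit}"
    return True, "accepted"


def apply_inbound_checks(updates: List[Update], **opts):
    """Split a batch of received updates into accepted and rejected lists,
    each element paired with its reason string."""
    accepted, rejected = [], []
    for u in updates:
        ok, why = check_update(u, **opts)
        (accepted if ok else rejected).append((u, why))
    return accepted, rejected


# Constructed sample updates (addresses, ASNs and prefixes are all made up).
SAMPLE_UPDATES = [
    # normal: eBGP peer 65002 originates its own prefix
    Update("203.0.113.2", 65002, "198.51.100.0/24", (65002,)),
    # normal: eBGP peer 65002 relays a prefix it learned from 65010
    Update("203.0.113.2", 65002, "192.0.2.0/24", (65002, 65010)),
    # peer 65002 omits itself and claims the prefix comes straight from 65010
    Update("203.0.113.2", 65002, "192.0.2.0/25", (65010,)),
    # path with twelve AS numbers, longer than the maxas-limit used below
    Update("203.0.113.2", 65002, "198.51.100.128/25", tuple(range(65002, 65014))),
    # iBGP peer: enforce-first-as does not apply, so a foreign first AS is fine
    Update("10.0.0.9", 65001, "172.16.0.0/16", (65002, 65010)),
]


def run_sample(enforce_first_as: bool = True, maxas_limit: Optional[int] = 10):
    """Return the accepted prefixes and the rejected (prefix, reason) pairs."""
    acc, rej = apply_inbound_checks(SAMPLE_UPDATES, enforce_first_as=enforce_first_as,
                                    maxas_limit=maxas_limit)
    return [u.prefix for u, _ in acc], [(u.prefix, why) for u, why in rej]


if __name__ == "__main__":
    accepted, rejected = run_sample()
    print("accepted:", accepted)
    for prefix, why in rejected:
        print("rejected:", prefix, "-", why)
```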


Define the Best Path for a BGP Routing Process

This section describes the steps required to configure the BGP best path. For more information on the best path, see BGP Path Selection.

Procedure


Step 1

Enable a BGP routing process, which places the ASA in router configuration mode:

router bgp autonomous-num

Example:

Step 2

Change the default local preference value:

bgp default local-preference number

Example:

The number argument is any value between 0 and Higher values indicate higher preference.

The default value is

Step 3

Enable Multi Exit Discriminator (MED) comparison among paths learned from neighbors in different autonomous systems:

bgp always-compare-med

Step 4

Compare between similar routes received from external BGP (eBGP) peers during the best path selection process and switch the best path to the route with the lowest router ID:

bgp bestpath compare-routerid

Step 5

Select the best MED path advertised from the neighboring AS:

bgp deterministic-med

Step 6

Set a path with a missing MED attribute as the least preferred path:

bgp bestpath med missing-as-worst


Configure Policy Lists

When a policy list is referenced within a route map, all of the match statements within the policy list are evaluated and processed. Two or more policy lists can be configured with a route map. A policy list can also coexist with any other preexisting match and set statements that are configured within the same route map but outside of the policy list. This section describes the steps required to configure policy lists.

Procedure


Step 1

Create a BGP policy list.

policy-list {permit | deny}

The permit keyword allows access for matching conditions.

The deny keyword denies access for matching conditions.

Example:

Step 2

Distribute routes that have their next hop out of one of the interfaces specified:

match interface [ [] […]]

Example:

Step 3

Redistribute routes by matching either or all of the following: the destination address, next hop router address, and router/access server source:

match ip {address | next-hop | route-source}

Step 4

Match a BGP autonomous system path:

match as-path

Step 5

Match a BGP community:

match community { | exact-match}

  • — one or more community lists.

  • exact-match — indicates that an exact match is required. All of the communities and only those communities specified must be present.

Example:

Step 6

Redistribute routes with the metrics specified:

match metric [ […]]

Step 7

Redistribute routes in the routing table that match the specified tags:

match tag [ […]]


Configure AS Path Filters

An AS path filter allows you to filter the routing update message by using access lists and look at the individual prefixes within an update message. If a prefix within the update message matches the filter criteria then that individual prefix is filtered out or accepted depending on what action the filter entry has been configured to carry out. This section describes the steps required to configure AS path filters.


Note

The as-path access-lists are not the same as the regular firewall ACLs.


Procedure


Configure an autonomous system path filter using a regular expression in the global configuration mode:

as-path access-list acl-number {permit|deny} regexp

Example:

  • acl-number — AS-path access-list number. Valid values are from 1 to

  • regexp — regular expression that defines the AS-path filter. The autonomous system number is expressed in the range from 1 to


Configure Community Rules

A community is a group of destinations that share some common attribute. You can use community lists to create groups of communities to use in a match clause of a route map. Just like an access list, a series of community lists can be created. Statements are checked until a match is found. As soon as one statement is satisfied, the test is concluded. This section describes the steps required to configure community rules.

Procedure


Create or configure a BGP community list and control access to it:

community-list {standard| community list-name {deny|permit} [community-number] [AA:NN] [internet] [no-advertise][no-export]}| {expanded|expanded list-name {deny| permit}regexp}

Example:

  • standard — configures a standard community list using a number from 1 to 99 to identify one or more permit or deny groups of communities.

  • (Optional) community-number — community as a bit number from 1 to A single community can be entered or multiple communities can be entered, each separated by a space.

  • AA:NN — an autonomous system number and network number entered in the 4-byte new community format. This value is configured with two 2-byte numbers separated by a colon. A number from 1 to can be entered for each 2-byte number. A single community can be entered or multiple communities can be entered, each separated by a space.

  • (Optional) internet — specifies the Internet community. Routes with this community are advertised to all peers (internal and external).

  • (Optional) no-advertise — specifies the no-advertise community. Routes with this community are not advertised to any peer (internal or external).

  • (Optional) no-export — specifies the no-export community. Routes with this community are advertised to only peers in the same autonomous system or to only other subautonomous systems within a confederation. These routes are not advertised to external peers.

  • (Optional) expanded— configures an expanded community list number from to to identify one or more permit or deny groups of communities.

  • regexp — regular expression that defines the AS-path filter. The autonomous system number is expressed in the range from 1 to

    Note 

    Regular expressions can be used only with expanded community lists.
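
The three filtering objects described above (as-path access lists, community lists, and policy lists inside a route map) compose in a fixed way: within a policy list every match statement must hold, community lists are checked first-match-wins with an implicit deny, and `exact-match` demands that the route carry exactly the listed communities. The following Python model, an added example that is not Cisco's code or taken from the ASA, shows that composition on three constructed routes; AS numbers, prefixes and community values are all invented. Regular expressions use Python syntax, so Cisco's `_` metacharacter is not emulated, and only permit policy lists are modelled.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class Route:
    """A BGP path as the route map sees it: prefix, AS path, communities (AA:NN)."""
    prefix: str
    as_path: List[int]
    communities: Set[str] = field(default_factory=set)


def as_path_permits(regexp: str, route: Route) -> bool:
    """as-path access-list: apply the regular expression to the path rendered
    the way BGP prints it, AS numbers separated by spaces."""
    return re.search(regexp, " ".join(str(asn) for asn in route.as_path)) is not None


@dataclass
class CommunityEntry:
    action: str            # "permit" or "deny"
    communities: Set[str]  # e.g. {"65002:100", "65002:200"}


def community_list_permits(entries: List[CommunityEntry], route: Route,
                           exact_match: bool = False) -> bool:
    """Standard community list. Entries are checked in order and the first one
    that matches ends the test. Without exact-match an entry matches when the
    route carries every community the entry names (it may carry more); with
    exact-match the route must carry those communities and no others. No entry
    matching is an implicit deny, as with an access list."""
    for entry in entries:
        if exact_match:
            matched = entry.communities == route.communities
        else:
            matched = entry.communities <= route.communities
        if matched:
            return entry.action == "permit"
    return False


MatchFn = Callable[[Route], bool]


@dataclass
class PolicyList:
    """policy-list permit: all of its match statements must hold."""
    name: str
    matches: List[MatchFn]

    def holds(self, route: Route) -> bool:
        return all(m(route) for m in self.matches)


@dataclass
class RouteMapEntry:
    action: str                                          # "permit" or "deny"
    policy_lists: List[PolicyList] = field(default_factory=list)
    matches: List[MatchFn] = field(default_factory=list)  # statements outside the policy lists

    def holds(self, route: Route) -> bool:
        return (all(pl.holds(route) for pl in self.policy_lists)
                and all(m(route) for m in self.matches))


def route_map_permits(entries: List[RouteMapEntry], route: Route) -> bool:
    """First entry whose match clauses all hold decides; implicit deny at the end."""
    for entry in entries:
        if entry.holds(route):
            return entry.action == "permit"
    return False


def build_example_policy() -> List[RouteMapEntry]:
    """Constructed policy: accept only paths whose leftmost AS is 65002 and that
    carry community 65002:100; everything else falls through to the implicit deny."""
    from_65002 = PolicyList("FROM-65002", [lambda r: as_path_permits(r"^65002( |$)", r)])
    cl_10 = [CommunityEntry("permit", {"65002:100"})]
    return [RouteMapEntry("permit",
                          policy_lists=[from_65002],
                          matches=[lambda r: community_list_permits(cl_10, r)])]


def evaluate_sample_routes():
    """Run three constructed routes through the policy and report the verdicts."""
    policy = build_example_policy()
    routes = {
        "customer": Route("10.1.1.0/24", [65002, 65010], {"65002:100", "65002:200"}),
        "transit":  Route("10.2.2.0/24", [65003, 65002], {"65002:100"}),
        "no-comm":  Route("10.3.3.0/24", [65002], set()),
    }
    return {name: route_map_permits(policy, r) for name, r in routes.items()}
```

`evaluate_sample_routes()` permits only the "customer" route: the "transit" path fails the as-path regular expression, and "no-comm" fails the community list even though its path matches, because the policy list and the outer match statement are ANDed.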


Configure IPv4 Address Family Settings

The IPv4 settings for BGP can be set up from the IPv4 family option within the BGP configuration setup. The IPv4 family section includes subsections for General settings, Aggregate address settings, Filtering settings and Neighbor settings. Each of these subsections enables you to customize parameters specific to the IPv4 family.

Configure IPv4 Family General Settings

This section describes the steps required to configure the general IPv4 settings.

Procedure

Step 1

Enable a BGP routing process, which places the router in router configuration mode:

router bgp autonomous-num

Example:
Step 2

Enter address family configuration mode to configure a routing session using standard IP Version 4 (IPv4) address prefixes:

address-family ipv4 [unicast]

The keyword unicast specifies IPv4 unicast address prefixes. This is the default, even if not specified.

Step 3

(Optional) Configure a fixed router ID for the local BGP routing process:

bgp router-id A.B.C.D

Example:

The argument A.B.C.D specifies a router identifier in the form of an IP address. If you do not specify a router ID, it is automatically assigned.

Step 4

(Optional) Configure a cluster pool of IP addresses in the Individual Interface (L3) mode:

bgp router-id cluster-pool

Example:
Note 

In an L3 cluster, you cannot define a BGP neighbor as one of the cluster pool IP addresses.

Step 5

Configure the administrative distance for BGP routes:

distance bgp external-distance internal-distance local-distance

Example:
  • external-distance — administrative distance for external BGP routes. Routes are external when learned from an external autonomous system. The range of values for this argument is from 1 to

  • internal-distance — administrative distance for internal BGP routes. Routes are internal when learned from a peer in the local autonomous system. The range of values for this argument is from 1 to

  • local-distance — administrative distance for local BGP routes. Local routes are those networks listed with a network router configuration command, often as back doors, for the router or for the networks that are being redistributed from another process. The range of values for this argument is from 1 to

Step 6

Modify metric and tag values when the IP routing table is updated with BGP learned routes:

table-map {WORD|route-map_name}

Example:

The argument route-map_name specifies the route map name from the route-map command.

Step 7

Configure a BGP routing process to distribute a default route (network ):

default-information originate

Step 8

Configure automatic summarization of subnet routes into network-level routes:

auto-summary

Step 9

Suppress the advertisement of routes that are not installed in the routing information base (RIB):

bgp suppress-inactive

Step 10

Synchronize between BGP and your Interior Gateway Protocol (IGP) system:

synchronization

Step 11

Configure iBGP redistribution into an IGP, such as OSPF:

bgp redistribute-internal

Step 12

Configure scanning intervals of BGP routers for next hop validation:

bgp scan-time scanner-interval

Example:

The argument scanner-interval specifies scanning interval of BGP routing information. Valid values are from 5 to 60 seconds. The default is 60 seconds.

Step 13

Configure BGP next-hop address tracking:

bgp nexthop trigger {delay seconds|enable}

Example:
  • trigger — specifies the use of BGP next-hop address tracking. Use this keyword with the delay keyword to change the next-hop tracking delay. Use this keyword with the enable keyword to enable next-hop address tracking.

  • delay — changes the delay interval between checks on updated next-hop routes installed in the routing table.

  • seconds — specifies the delay in seconds. Range is from 0 to Default is 5.

  • enable — enables BGP next-hop address tracking immediately.

Step 14

Control the maximum number of parallel iBGP routes that can be installed in a routing table:

maximum-paths {number_of_paths|ibgp number_of_paths}

Example:
Note 

If the ibgp keyword is not used, then the number_of_paths argument controls the maximum number of parallel EBGP routes.

The number_of_paths argument specifies the number of routes to install to the routing table. Valid values are between 1 and 8.


Configure IPv4 Family Aggregate Address Settings

This section describes the steps required to define the aggregation of specific routes into one route.

Procedure

Step 1

Enable a BGP routing process, which places the ASA in router configuration mode:

router bgp autonomous-num

Example:
Step 2

Enter address family configuration mode to configure a routing session using standard IP Version 4 (IPv4) address prefixes:

address-family ipv4 [unicast]

The keyword unicast specifies IPv4 unicast address prefixes. This is the default, even if not specified.

Step 3

Create an aggregate entry in a BGP database:

aggregate-address address mask [as-set][summary-only][suppress-map map-name][advertise-map map-name][attribute-map map-name]

Example:
  • address — the aggregate address.

  • mask — the aggregate mask.

  • map-name — the route map.

  • (Optional) as-set — generates autonomous system set path information.

  • (Optional) summary-only — filters all more-specific routes from updates.

  • (Optional) suppress-map map-name — specifies the name of the route map used to select the routes to be suppressed.

  • (Optional) advertise-map map-name — specifies the name of the route map used to select the routes to create AS_SET origin communities.

  • (Optional) attribute-map map-name — specifies the name of the route map used to set the attribute of the aggregate route.
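
The effect of the as-set and summary-only keywords on what is actually advertised is easiest to see on a small table. The Python function below is an added example, not ASA code, that models aggregate-address over a constructed RIB of three more-specific routes learned from invented AS numbers: the aggregate appears only when a contributing route exists, summary-only removes the contributing more-specifics, and as-set replaces the empty (atomic) aggregate path with an AS_SET of every ASN seen in the contributing paths so that loop detection in those ASes still works.

```python
import ipaddress
from typing import Dict, Tuple, Union

# An AS path is a tuple of segments; an AS_SET segment is a frozenset of ASNs.
AsPath = Tuple[Union[int, frozenset], ...]


def aggregate_address(routes: Dict[str, AsPath], aggregate: str,
                      summary_only: bool = False, as_set: bool = False) -> Dict[str, AsPath]:
    """Model of `aggregate-address address mask [as-set] [summary-only]`.

    routes maps prefix -> AS path. The aggregate is added only when at least one
    more-specific route falls inside it. With summary-only the contributing
    more-specifics are suppressed from the advertised set; with as-set the
    aggregate carries an AS_SET of every ASN in the contributing paths, otherwise
    its path is empty (the ATOMIC_AGGREGATE case)."""
    agg_net = ipaddress.IPv4Network(aggregate)
    contributing = [p for p in routes
                    if ipaddress.IPv4Network(p) != agg_net
                    and ipaddress.IPv4Network(p).subnet_of(agg_net)]
    result = dict(routes)
    if not contributing:
        return result                      # nothing to aggregate: table unchanged
    if summary_only:
        for p in contributing:
            del result[p]
    if as_set:
        asns = set()
        for p in contributing:
            for seg in routes[p]:
                asns.update(seg if isinstance(seg, frozenset) else {seg})
        result[aggregate] = (frozenset(asns),)
    else:
        result[aggregate] = ()
    return result


def sample_rib() -> Dict[str, AsPath]:
    """Constructed RIB: two more-specifics inside 10.1.0.0/16 and one outside it."""
    return {
        "10.1.0.0/24": (65002,),
        "10.1.1.0/24": (65003, 65004),
        "10.2.0.0/24": (65005,),
    }
```

Calling `aggregate_address(sample_rib(), "10.1.0.0/16", summary_only=True, as_set=True)` leaves only the aggregate (with AS_SET {65002, 65003, 65004}) and the unrelated 10.2.0.0/24; without the keywords the aggregate is advertised alongside the more-specifics with an empty path.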


Configure IPv4 Family Filtering Settings

This section describes the steps required to filter routes or networks received in incoming BGP updates.

Procedure

Step 1

Enable a BGP routing process and enter router configuration mode:

router bgp

Example:
Step 2

Enter address family configuration mode to configure a routing session using standard IP Version 4 (IPv4) address prefixes:

address-family ipv4 [unicast]

The keyword unicast specifies IPv4 unicast address prefixes. This is the default, even if not specified.

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asageneral-config/route-bgp.html


ASA Border Gateway Protocol Configuration Example

Introduction

This document describes the steps required to enable Border Gateway Protocol (BGP) (eBGP/iBGP) routing, establish a BGP routing process, configure general BGP parameters, route-filtering on an Adaptive Security Appliance (ASA), and troubleshoot neighborship related issues. This feature was introduced in ASA Software Version

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

This document is based on Cisco ASA X Series Firewall that runs Cisco ASA Software Version

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

Guidelines and Limitations

  • The BGP IPv4 address family is supported in both single mode and multi-mode.
  • Multi-mode is equivalent to the Cisco IOS® BGP VPNv4 (VPN Routing and Forwarding (VRF) address family). Per context router, BGP is similar to per VRF IPv4 address family in Cisco IOS.
  • Only one Autonomous System (AS) number is supported for all contexts similar to one global AS for all address families in Cisco IOS.
  • The AS number should be configured with the use of the router bgp <as_num> command which can be used in order to enable per context address family.
  • BGP has six processes that support all of the contexts, and the details are available with the show process command. These processes are BGP Task, BGP Scheduler, BGP Scanner, BGP Router, BGP I/O, and BGP Event.

    ASA-1(config)# show proc | in BGP
    Mwe 0xd0 0xffecc8ca5c8 0x
    0 0xffecc8c27c0 / BGP Task
    Mwe 0xfb3acd 0xffecba47b48 0x
    11 0xffecba3fd00 / BGP Scheduler
    Lwe 0xfd3e40 0xffecde8 0x
    26 0xffecd32f5f0 / BGP Scanner
    Mwe 0xfd70b9 0xffecdcd8 0x
    10 0xffecdeb0 / BGP Router
    Mwe 0xfc9f84 0xffecd32f3e8 0x
    2 0xffecda0 / BGP I/O
    Mwe 0xc 0xffecd33f 0x
    0 0xffecd / BGP Event

  • The system context has global configurations common to all the contexts similar to Cisco IOS that has global configurations for all the address families.
  • Configurations that have control over best path calculation, logging neighbor, TCP path Maximum Transition Unit (MTU) discovery, global timers for keepalive, hold time, and so on are available in the system context under the router BGP command mode.
  • BGP policy command support is under the address family mode per user context.
  • All standard communities and path attributes are supported.
  • Remotely Triggered Black Hole (RTBH) is supported using static null0 route configuration.
  • The next-hop information has been added to the input routing table itself in the Network Processor (NP). Previously this was available only in the output routing table. This change was completed in order to support the addition of BGP routes into the NP forwarding tables (since BGP routes do not have an egress interface identified in the CP, there is no way to determine which output routing table to update the next-hop information with).
  • Recursive Route Lookup is supported.
  • Redistribution with other protocols such as connected, static, Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) is supported.
  • The no router bgp <as_no> [with confirmation prompt] command removes BGP configurations in all contexts.
  • Route control databases such as route-maps, access-list, prefix lists, community lists, and as-path access lists are virtualized and provided per context.
  • A new command, show asp table routing address <addr> resolved, is introduced in order to display the recursively resolved BGP routes in the NP forwarding table.
  • A new command, show bgp system-config, is introduced in multi-mode in order to display system context BGP configurations.
  • BGP with IPv6 is still not supported on the ASA.
  • BGP is not supported in clustering.

BGP and Memory Usage

The show route summary command is used in order to get the memory usage of individual routing protocols.

BGP and Failover

  • BGP is supported in Active/Standby and Active/Active HA configurations.
  • Only the Active unit listens on TCP port for BGP connections from peers.
  • The Standby unit does not participate in BGP peering, and hence does not listen on TCP port and does not maintain the BGP tables.
  • BGP route additions and deletions are replicated from the Active to the Standby unit.
  • Upon failover, the new Active unit listens on TCP port and initiates the BGP adjacency establishment with peers.
  • Without Nonstop Forwarding (NSF), re-establishing the adjacency with the peer after failover takes time, during which BGP routes are not learned from the peer. It depends on the next BGP keepalive (default 60 seconds) from the peer, to which the ASA responds with a reset (RST); this terminates the old connection at the peer end, after which a new connection is established.
  • During the BGP reconvergence period, the new Active unit continues to forward traffic with the previously replicated routes.
  • The BGP reconvergence timer period is currently set to seconds (the show route failover command shows the timer value) in order to give sufficient time for BGP to establish adjacencies and exchange routes with its peers.
  • After the BGP reconvergence timer expires, all the stale BGP routes are purged from the Routing Information Base (RIB).
  • The BGP router id is synced from the Active unit to the Standby unit. The BGP router id computation is disabled on the Standby unit.
  • The write standby command is strongly discouraged since the bulk sync does not happen in that case, which leads to the loss of dynamic routes on the standby.

Recursive Route Resolution

  • The egress interface information for BGP routes is not available in the CP (a direct consequence of the fact that BGP neighbors might be multiple hops away unlike other routing protocols).
  • The BGP routes with the next hop information are added to the NP input routing table, but they are not resolved yet.
  • When the first packet of a flow that matches a BGP route prefix enters the ASA in the slow path, the route is resolved and the egress interface determined by recursively looking up the NP input routing table.
  • Whenever the routing table changes (from the CP), a context-specific routing table timestamp is incremented.
  • When the next packet of a flow that matches a BGP route enters the ASA in the fast path, the ASA compares the timestamp of the route entry with the context-specific routing table timestamp. If the two timestamps do not match, the recursive route resolution process is initiated again and the route entry timestamp is updated to be the same as the routing table timestamp. You can verify timestamps with the show asp table routing command. The show asp table routing address <route> command shows the time stamp of a particular route entry and the show asp table routing command shows the routing table time stamp.
  • The recursive route resolution process for a destination prefix might be forced when you enter the show asp table routing address <addr> resolved command.
  • The depth of the recursive route lookups is currently restricted to four. Packets that require lookup after four are dropped with drop reason "No route to host (no-route)" and there is no special drop reason for recursive lookup failure.
  • Recursive route resolution is supported only for BGP routes (not static routes).
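
The resolution mechanics listed above (unresolved BGP entries in the NP input table, slow-path recursive lookup on the first packet, a context-wide timestamp that invalidates cached results, and a hard limit of four lookups after which the packet is dropped as no-route) can be modelled in a few dozen lines. The Python class below is an added example, not ASA code; the prefixes, next hops and interface names are constructed, and "lookups" counts the destination lookup as the first of the four.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_LOOKUPS = 4   # recursion depth the page gives for the ASA NP


@dataclass
class RouteEntry:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for a connected (identity) route
    interface: Optional[str]                     # known for connected/static, None for BGP
    resolved_interface: Optional[str] = None     # filled in by recursive resolution
    resolved_at: int = -1                        # table timestamp at resolution time


class NPRoutingTable:
    """Model of the NP input routing table with its context-wide timestamp."""

    def __init__(self):
        self.entries = []
        self.timestamp = 0

    def add(self, prefix: str, next_hop: Optional[str] = None,
            interface: Optional[str] = None) -> None:
        self.entries.append(RouteEntry(
            ipaddress.IPv4Network(prefix),
            ipaddress.IPv4Address(next_hop) if next_hop else None,
            interface))
        self.timestamp += 1   # every change pushed from the CP bumps the timestamp

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[RouteEntry]:
        """Longest-prefix match."""
        best = None
        for e in self.entries:
            if addr in e.prefix and (best is None or e.prefix.prefixlen > best.prefix.prefixlen):
                best = e
        return best

    def resolve(self, dst: str) -> Tuple[Optional[str], Optional[str], int, bool]:
        """Return (egress_interface, drop_reason, lookups_performed, served_from_cache)."""
        addr = ipaddress.IPv4Address(dst)
        entry = self.lookup(addr)
        if entry is None:
            return None, "no-route", 1, False
        # Fast path: the cached resolution is valid only while the table is unchanged.
        if entry.resolved_interface is not None and entry.resolved_at == self.timestamp:
            return entry.resolved_interface, None, 0, True
        # Slow path: follow next hops until an entry with a known egress interface.
        cur, lookups = addr, 0
        while lookups < MAX_LOOKUPS:
            lookups += 1
            hop = self.lookup(cur)
            if hop is None:
                return None, "no-route", lookups, False
            if hop.interface is not None:
                entry.resolved_interface = hop.interface
                entry.resolved_at = self.timestamp
                return hop.interface, None, lookups, False
            cur = hop.next_hop
        # Depth exceeded: same drop reason as an ordinary missing route.
        return None, "no-route", lookups, False


def build_sample_table() -> NPRoutingTable:
    """Constructed table: one connected, one static, and BGP routes whose next
    hops need two, four and five lookups respectively."""
    t = NPRoutingTable()
    t.add("198.51.100.0/24", interface="outside")                        # connected
    t.add("10.0.0.0/8", next_hop="198.51.100.254", interface="outside")  # static
    t.add("172.16.0.0/16", next_hop="10.1.1.1")                          # BGP, 2 lookups
    t.add("172.17.0.0/16", next_hop="10.201.1.1")                        # BGP, 4 lookups
    t.add("10.201.1.0/24", next_hop="10.201.2.1")
    t.add("10.201.2.0/24", next_hop="198.51.100.7")
    t.add("172.18.0.0/16", next_hop="10.202.1.1")                        # BGP, 5 lookups
    t.add("10.202.1.0/24", next_hop="10.202.2.1")
    t.add("10.202.2.0/24", next_hop="10.202.3.1")
    t.add("10.202.3.0/24", next_hop="198.51.100.7")
    return t
```

With the sample table, a destination in 172.16.0.0/16 resolves to "outside" after two lookups, a second packet is served from the cached entry until `add()` bumps the timestamp, 172.17.0.0/16 still resolves at exactly four lookups, and 172.18.0.0/16 is dropped as no-route because a fifth lookup would be needed.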

BGP Finite-State Machine Operation

BGP peers transition through several states before they become adjacent neighbors and exchange routing information. In each of the states, the peers must send and receive messages, process message data, and initialize resources before they proceed to the next state. This process is known as the BGP Finite-State Machine (FSM). If the process fails at any point, the session is torn down and the peers both transition back to an Idle state and begin the process again. Each time a session is torn down, all routes from the peer who is not up are removed from the tables, which causes downtime.

  1. IDLE - the ASA searches the routing table in order to see whether a route exists to reach the neighbor.
  2. CONNECT - the ASA found a route to the neighbor and has completed the three-way TCP handshake.
  3. ACTIVE - the ASA did not receive agreement on the parameters of establishment.
  4. OPEN SENT - the Open message is sent, with parameters for the BGP session.
  5. OPEN CONFIRM - the ASA received agreement on the parameters to establish a session.
  6. ESTABLISHED - peering is established and routing begins.
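
The cost of a teardown described above (every route learned from the peer is purged, so each failed session means an outage until the FSM has run again) is easy to show with a small state machine. The Python model below is an added example, not Cisco's implementation; it uses a transition table keyed on (state, event) and treats any event with no transition as a failure that drops the peer's routes and returns to Idle. Active is modelled as the state entered when the TCP connection attempt has to be retried, which is how RFC 4271 defines it; the peer address, events and prefixes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# States in the order the page lists them
IDLE, CONNECT, ACTIVE, OPEN_SENT, OPEN_CONFIRM, ESTABLISHED = (
    "Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established")

# (state, event) -> next state. Any (state, event) pair missing here is a
# failure and is handled in BgpSession.feed as a teardown.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    (IDLE, "route-to-neighbor"):     CONNECT,       # a route to the peer exists
    (CONNECT, "tcp-established"):    OPEN_SENT,     # handshake done, OPEN sent
    (CONNECT, "tcp-failed"):         ACTIVE,        # retry the TCP connection
    (ACTIVE, "tcp-established"):     OPEN_SENT,
    (ACTIVE, "tcp-failed"):          ACTIVE,
    (OPEN_SENT, "open-accepted"):    OPEN_CONFIRM,  # peer's OPEN parameters agreed
    (OPEN_CONFIRM, "keepalive"):     ESTABLISHED,
    (ESTABLISHED, "keepalive"):      ESTABLISHED,
    (ESTABLISHED, "update"):         ESTABLISHED,
}


@dataclass
class BgpSession:
    peer: str
    state: str = IDLE
    routes: List[str] = field(default_factory=list)    # prefixes learned from this peer
    history: List[str] = field(default_factory=list)   # states visited, for inspection

    def feed(self, event: str, prefix: Optional[str] = None) -> str:
        """Apply one event and return the new state."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            # NOTIFICATION, hold-timer expiry, parameter mismatch, TCP loss ...:
            # back to Idle, and every route from this peer leaves the tables.
            self.routes.clear()
            nxt = IDLE
        if event == "update" and nxt == ESTABLISHED and prefix:
            self.routes.append(prefix)
        self.history.append(nxt)
        self.state = nxt
        return nxt


def run_sample_session() -> BgpSession:
    """Constructed event sequence: one failed TCP attempt, then a full bring-up,
    two UPDATEs, and finally a NOTIFICATION from the peer."""
    s = BgpSession("198.51.100.2")
    for ev, pfx in [("route-to-neighbor", None), ("tcp-failed", None),
                    ("tcp-established", None), ("open-accepted", None),
                    ("keepalive", None), ("update", "10.1.1.0/24"),
                    ("update", "10.1.2.0/24"), ("notification", None)]:
        s.feed(ev, pfx)
    return s
```

`run_sample_session()` ends in Idle with an empty route list: the two prefixes installed while Established are gone the moment the NOTIFICATION arrives, which is the downtime the text refers to.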

Configure

eBGP Configuration

BGP runs between routers in different autonomous systems. By default, in eBGP (peering in two different Autonomous Systems (ASs)) IP TTL is set to 1 which means peers are assumed to be directly connected. In this case, when a packet crosses one router, TTL becomes 0 and then the packet is dropped beyond that. In cases where the two neighbors are not directly connected (for example, peering with loopback interfaces or peering when devices are multiple hops away) you need to add the neighbor x.x.x.x ebgp-multihop <TTL> command. Otherwise, BGP neighborship will not be established. In addition, an eBGP peer advertises all the best routes it knows or it has learned from its peers (whether eBGP peer or iBGP peer), which is not in the case of iBGP.

Network Diagram

ASA-1 Configuration

router bgp
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor remote-as
  neighbor activate
  network mask
  network mask
  network mask
  no auto-summary
  no synchronization
 exit-address-family
!

ASA-2 Configuration

router bgp
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor remote-as
  neighbor activate
  network mask
  network mask
  network mask
  no auto-summary
  no synchronization
 exit-address-family
!

iBGP Configuration

In iBGP, there is no restriction that neighbors have to be connected directly. However, an iBGP peer will not advertise a prefix it learned from an iBGP peer to another iBGP peer. This restriction exists to avoid loops within the same AS. To clarify: when a route is passed to an eBGP peer, the local AS number is added to the prefix's as-path, so if we receive the same update back with our AS in the as-path, we know that it is a loop, and that update is dropped. However, when a route is advertised to an iBGP peer, the local AS number is not added to the as-path, since the peers are in the same AS.

Network Diagram

ASA-1 Configuration

router bgp
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor remote-as
  neighbor activate
  network mask
  network mask
  network mask
  no auto-summary
  no synchronization
 exit-address-family
!

ASA-2 Configuration

router bgp
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor remote-as
  neighbor activate
  network mask
  network mask
  network mask
  no auto-summary
  no synchronization
 exit-address-family
!

Differences between eBGP and iBGP

  • eBGP peers between two different ASs, whereas iBGP is between the same AS.
  • Routes learned from eBGP peer are advertised to other peers (eBGP or iBGP). However, routes learned from an iBGP peer are not advertised to other iBGP peers.
  • By default, eBGP peers are set with TTL = 1, which means neighbors are assumed to be directly connected; this is not the case for iBGP. In order to change this behavior for eBGP, enter the neighbor x.x.x.x ebgp-multihop <TTL> command. Multihop is a term used in eBGP only.
  • eBGP routes have an administrative distance of 20, whereas iBGP is
  • Next hop remains unchanged when the route is advertised to an iBGP peer. However, it is changed when it is advertised to an eBGP peer by default.
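
The eBGP and iBGP rules stated in the sections above (AS-path prepending and loop detection, the iBGP-to-iBGP re-advertisement ban, next-hop rewriting only toward eBGP, the administrative distances, and the TTL check behind ebgp-multihop) can be expressed as a handful of functions. The Python below is an added example, not ASA code: the local AS, addresses and peers are constructed, and the iBGP distance of 200 is the Cisco default rather than a value taken from this page.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

LOCAL_AS = 65001            # constructed local AS
LOCAL_ADDRESS = "192.0.2.1"  # constructed address of this ASA


@dataclass(frozen=True)
class Peer:
    address: str
    remote_as: int
    ebgp_multihop: int = 1   # TTL for eBGP sessions; default 1 = directly connected

    @property
    def is_ibgp(self) -> bool:
        return self.remote_as == LOCAL_AS


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]
    learned_from: Optional[Peer]   # None for a locally originated route (network command)


def session_can_form(peer: Peer, hops_away: int) -> bool:
    """An eBGP session only forms if the TTL (ebgp-multihop value) reaches the
    peer; the page places no hop restriction on iBGP."""
    if peer.is_ibgp:
        return True
    return hops_away <= peer.ebgp_multihop


def receive(update_path: Tuple[int, ...], prefix: str, from_peer: Peer) -> Optional[Route]:
    """Loop detection on receipt: a path that already contains our AS has gone
    around once and is dropped."""
    if LOCAL_AS in update_path:
        return None
    return Route(prefix, from_peer.address, update_path, from_peer)


def admin_distance(route: Route) -> int:
    """Cisco defaults: eBGP 20 (stated on the page), iBGP and local 200."""
    if route.learned_from is None or route.learned_from.is_ibgp:
        return 200
    return 20


def advertise(route: Route, to_peer: Peer) -> Optional[Route]:
    """Return the route as the peer would receive it, or None if not advertised."""
    src = route.learned_from
    if src is not None and src.is_ibgp and to_peer.is_ibgp:
        return None    # iBGP-learned routes are not re-advertised to iBGP peers
    if to_peer.is_ibgp:
        return route   # next hop and AS path unchanged toward iBGP
    # eBGP: prepend our AS and set the next hop to ourselves
    return replace(route, as_path=(LOCAL_AS,) + route.as_path, next_hop=LOCAL_ADDRESS)


def walk_sample_topology():
    """Constructed peers: eBGP neighbours in AS 65002 and AS 65003, two iBGP neighbours."""
    ebgp_a = Peer("198.51.100.2", 65002)
    ebgp_b = Peer("203.0.113.2", 65003, ebgp_multihop=2)
    ibgp_1 = Peer("10.0.0.2", LOCAL_AS)
    ibgp_2 = Peer("10.0.0.3", LOCAL_AS)

    learned = receive((65002,), "172.16.0.0/16", ebgp_a)
    from_ibgp = receive((65009,), "172.17.0.0/16", ibgp_1)
    looped = receive((65003, LOCAL_AS, 65002), "172.16.0.0/16", ebgp_b)
    return {
        "loop_dropped": looped is None,
        "to_ibgp": advertise(learned, ibgp_1),
        "to_ebgp": advertise(learned, ebgp_b),
        "ibgp_to_ibgp": advertise(from_ibgp, ibgp_2),
        "ibgp_to_ebgp": advertise(from_ibgp, ebgp_a),
        "distance": (admin_distance(learned), admin_distance(from_ibgp)),
        "multihop": (session_can_form(ebgp_a, 2), session_can_form(ebgp_b, 2)),
    }
```

In `walk_sample_topology()` the route learned from AS 65002 reaches the iBGP peer untouched, reaches the AS 65003 peer with path (65001, 65002) and our address as next hop, the iBGP-learned route is withheld from the second iBGP peer but passed to eBGP, and the peer two hops away only forms a session when ebgp-multihop is raised to 2.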

eBGP-Multihop

This example shows an ASA with a BGP neighborship to another ASA that is one hop away. For the neighborship to form, you need connectivity between the neighbors; ping in order to confirm it. Ensure that the TCP port used by BGP is allowed in both directions on the devices in between.

ASA-1 Configuration

router bgp
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor remote-as
  neighbor ebgp-multihop 2
  neighbor activate
  network mask
  network mask
  network mask
  no auto-summary
  no synchronization
 exit-address-family
!

ASA-2 Configuration

router bgp
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor remote-as
  neighbor ebgp-multihop 2
  neighbor activate
  network mask
  network mask
  network mask
  no auto-summary
  no synchronization
 exit-address-family
!

BGP Route-Filtering

With BGP you can control the routing updates that are sent and received. In this example, the routing update for the /24 network prefix behind the peer ASA is blocked. For route filtering, you can only use a standard ACL.

access-list bgp-in line 1 standard deny
access-list bgp-in line 2 standard permit any4


router bgp
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor remote-as
  neighbor activate
  network mask
  network mask
  network mask
  distribute-list bgp-in in
  no auto-summary
  no synchronization
 exit-address-family
!

Verify the routing table.

ASA-1(config)# show bgp cidr-only

BGP table version is 6, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> /24 0 0 i
*> /24 0 i
*> /24 0 0 i
*> /24 0 i
*> /16 0 i

Verify Access Control List (ACL) hitcounts.

ASA-1(config)# show access-list bgp-in
access-list bgp-in; 2 elements; name hash: 0x3f99de19
access-list bgp-in line 1 standard deny (hitcnt=1) 0xb5abad25
access-list bgp-in line 2 standard permit any4 (hitcnt=4) 0x59d

Similarly, you can use an ACL in order to filter what is sent with "out" in the distribute-list command.
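
The hit counters in the show access-list output above are the quickest way to confirm that a distribute-list is doing what you intend, and the arithmetic behind them is simple: each received prefix walks the standard ACL top to bottom, the first line whose network contains the route's network address increments its counter and decides, and a prefix matching no line is denied. The Python below is an added example, not ASA code, that reproduces that evaluation over five constructed prefixes; 10.10.10.0/24 stands in for the /24 the page blocks, and the hash values the ASA prints are omitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AclLine:
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # any4 is represented as 0.0.0.0/0
    hitcnt: int = 0

    def text(self, name: str, line_no: int) -> str:
        target = ("any4" if self.network.prefixlen == 0
                  else f"{self.network.network_address} {self.network.netmask}")
        return f"access-list {name} line {line_no} standard {self.action} {target} (hitcnt={self.hitcnt})"


class StandardAcl:
    """Standard ACL as used by `distribute-list <name> in|out`: the first matching
    line wins, its hit counter increments, and a route matching no line is denied."""

    def __init__(self, name: str):
        self.name = name
        self.lines: List[AclLine] = []

    def add(self, action: str, network: str = "any4") -> "StandardAcl":
        """network is 'any4' or 'address mask' exactly as typed on the ASA."""
        net = (ipaddress.IPv4Network("0.0.0.0/0") if network == "any4"
               else ipaddress.IPv4Network(network.replace(" ", "/")))
        self.lines.append(AclLine(action, net))
        return self

    def permits(self, prefix: str) -> bool:
        # A standard ACL line is compared against the route's network address.
        addr = ipaddress.IPv4Network(prefix).network_address
        for line in self.lines:
            if addr in line.network:
                line.hitcnt += 1
                return line.action == "permit"
        return False

    def show(self) -> List[str]:
        """Equivalent of `show access-list <name>`, minus the hash columns."""
        return [ln.text(self.name, i + 1) for i, ln in enumerate(self.lines)]


def apply_distribute_list(acl: StandardAcl, received: List[str]) -> List[str]:
    """Inbound filtering: return the prefixes that survive the ACL."""
    return [p for p in received if acl.permits(p)]


def sample_run() -> Tuple[List[str], List[str]]:
    """Constructed: the peer advertises five prefixes and one of them is blocked."""
    acl = StandardAcl("bgp-in").add("deny", "10.10.10.0 255.255.255.0").add("permit")
    received = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24",
                "192.168.1.0/24", "172.16.0.0/16"]
    return apply_distribute_list(acl, received), acl.show()
```

`sample_run()` returns the four accepted prefixes together with show lines reading hitcnt=1 on the deny and hitcnt=4 on the permit, the same shape as the output above.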

ASA BGP Configuration in Multi-Context

BGP is supported in multi-context mode. In multi-context mode, you first need to define the BGP router process in the system context. If you try to create a BGP process in another context without defining it in the system context first, you get this error.

ASA-1/admin(config)# router bgp
%BGP process cannot be created in non-system context
ERROR: Unable to create router process

First, define it in the system context.

ASA-1/admin(config)#changeto context system
ASA-1(config)# router bgp
ASA-1(config-router)#exit

Now create the BGP process in the admin context.

ASA-1(config)#changeto context admin
ASA-1/admin(config)# router bgp
ASA-1/admin(config-router)#

Verify

Verify eBGP Neighborship

Verify the TCP connection on port

ASA-1(config)# show asp table socket

Protocol  Socket    State      Local Address                    Foreign Address
SSL         LISTEN                       *
TCP       e8  LISTEN                       *
TCP       cd8  ESTAB                     
SSL         LISTEN                     *

Show the BGP neighbors.

ASA-1(config)# show bgp neighbors

BGP neighbor is ,  context single_vf,  remote AS , external link >> eBGP
  BGP version 4, remote router ID
  BGP state = Established, up for
  Last read , last write , hold time is , keepalive interval is
60 seconds

  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                   Sent       Rcvd
    Opens:         1          1
    Notifications: 0          0
    Updates:       2          2
    Keepalives:    5          5
    Route Refresh: 0          0
    Total:         8          8
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session:
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 1
  1 update-group member
                           Sent       Rcvd
  Prefix activity:               
    Prefixes Current:      3          3          (Consumes bytes)
    Prefixes Total:        3          3
    Implicit Withdraw:     0          0
    Explicit Withdraw:     0          0
    Used as bestpath:      n/a        3
    Used as multipath:     n/a        0

                                Outbound    Inbound
  Local Policy Denied Prefixes:    
    Bestpath from this peer:     3          n/a
    Total:                       3          0
  Number of NLRIs in the update sent: max 3, min 0

  Address tracking is enabled, the RIB does have a route to
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled

BGP Routes

ASA-1 Configuration

ASA-1(config)# show route bgp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is to network

B        [20/0] via ,
B        [20/0] via ,
B        [20/0] via ,

ASA-2 Configuration

ASA-2# show route bgp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

B [20/0] via ,
B [20/0] via ,
B [20/0] via ,

In order to see routes for a specific AS, enter the show route bgp <AS-No.> command.

ASA-1(config)# show route bgp ?

exec mode commands/options:
    Autonomous system number
  |    Output modifiers
  <cr>

Specific eBGP Route Detail

ASA-1(config)# show route

Routing entry for
  Known via "bgp ", distance 20, metric 0
  Tag , type external
  Last update from ago
  Routing Descriptor Blocks:
  * , from , ago
      Route metric is 0, traffic share count is 1
      AS Hops > ASA HOP is one
      Route tag
      MPLS label: no label string provided

ASA-1(config)# show bgp cidr-only

BGP table version is 7, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> /24              0             0  i
*> /24                 0           i
*> /24             0             0  i
*> /24                 0           i
*> /24             0             0  i

BGP Summary

ASA-1(config)# show bgp summary
BGP router identifier , local AS number
BGP table version is 7, main routing table version 7
6 network entries using bytes of memory
6 path entries using bytes of memory
2/2 BGP path/bestpath attribute entries using bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
     4          16      17             7    0    0   3

In Version , a new command, show route summary, has been introduced.

ASA-1(config)# show route summary

IP routing table maximum-paths is 3
Route Source    Networks    Subnets     Replicates  Overhead    Memory (bytes)
connected       0           8           0                   
static          2           5           0                   
ospf 1          0           0           0           0           0
  Intra-area: 0 Inter-area: 0 External 0 External 0
  NSSA External 0 NSSA External 0
bgp          0           3           0                   
  External: 3 Internal: 0 Local: 0
internal        7                                              
Total           9           16          0                  

Verify iBGP Neighborship

ASA-1(config)# show bgp neighbors

BGP neighbor is ,  context single_vf,  remote AS , internal link >> iBGP
  BGP version 4, remote router ID
  BGP state = Established, up for
  Last read , last write , hold time is , keepalive interval is
60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                   Sent       Rcvd
    Opens:         1          1
    Notifications: 0          0
    Updates:       2          2
    Keepalives:    5          5
    Route Refresh: 0          0
    Total:         8          8
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session:
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 1
  1 update-group member
                           Sent       Rcvd
  Prefix activity:               
    Prefixes Current:      3          3          (Consumes bytes)
    Prefixes Total:        3          3
    Implicit Withdraw:     0          0
    Explicit Withdraw:     0          0
    Used as bestpath:      n/a        3
    Used as multipath:     n/a        0

                                Outbound    Inbound
  Local Policy Denied Prefixes:    
    Bestpath from this peer:     3          n/a
    Total:                       3          0
  Number of NLRIs in the update sent: max 3, min 0

  Address tracking is enabled, the RIB does have a route to
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled

Specific iBGP Route Detail

ASA-1(config)# show route

Routing entry for
Known via "bgp ", distance 20, metric 0, type internal
Last update from ago
Routing Descriptor Blocks:
* , from , ago
Route metric is 0, traffic share count is 1
AS Hops 0 >> ASA HOP is 0 as it's internal route
MPLS label: no label string provided

TTL Value for BGP Packets

By default, BGP neighbors have to be directly connected, because the TTL value for BGP packets is 1 by default. So if a BGP neighbor is not directly connected, you need to define a BGP multi-hop value that depends on how many hops there are along the path.

Here is an example of a TTL value case of directly connected:

ASA-1(config)#show cap bgp detail

  5: 6ca1fe3 a0cf.5b5c 0x Length: 70
      > S [tcp sum ok] (0)
win <mss ,nop,nop,timestamp 0> (DF) [tos 0xc0]  [ttl 1] (id )

  6: a0cf.5b5c 6ca1fe3 0x Length: 58
      > S [tcp sum ok] (0)
ack win <mss > [tos 0xc0]  [ttl 1] (id )

  7: 6ca1fe3 a0cf.5b5c 0x Length: 54
      > . [tcp sum ok] (0)
ack win (DF) [tos 0xc0]  [ttl 1] (id )

If the neighbors are not directly connected, enter the bgp multihop command to define how many hops away the neighbor is; this raises the TTL value that the ASA sets in the IP header of BGP packets.

Here is an example of the TTL value in the multihop case (in this case the BGP neighbor is 1 hop away):

ASA-1(config)#show cap bgp detail

   5: 6ca1fe3 a0cf.5b5c 0x Length: 70
      > S [tcp sum ok] (0)
win <mss ,nop,nop,timestamp 0> (DF) [tos 0xc0]  (ttl 2, id )

   6: a0cf.5b5c 6ca1fe3 0x Length: 70
      > S [tcp sum ok] (0) ack win <mss ,nop,nop,timestamp > (DF) [tos 0xac]  [ttl 1] (id )

   7: 6ca1fe3 a0cf.5b5c 0x Length: 66
      > . [tcp sum ok] (0) ack 1
win <nop,nop,timestamp > (DF) [tos 0xc0]  (ttl 2, id )

Recursive Route Resolution Process 

ASA-1(config)# show asp table routing
route table timestamp: 66
in identity
in identity
in via , outside
in via , DMZ
in identity
in identity
in identity
in via , outside (resolved, timestamp: 66)
in via , outside (resolved, timestamp: 64)
in via , outside (resolved, timestamp: 65)

in outside
in via , outside
in via , outside
in via , DMZ
in inside
in management
in DMZ
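To make the recursion behind the "(resolved, ...)" entries above concrete, here is an added Python example (not Cisco code or ASA output) that performs longest-prefix lookups over a small constructed routing table and walks each BGP next hop down to a connected interface, flagging next hops that cannot be resolved or that loop back on themselves. The prefixes, next hops and interface names are constructed placeholders from the RFC 5737/6598 documentation ranges, not values from the ASA shown on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of recursive next-hop resolution; not Cisco code.
# Addresses are constructed from RFC 5737 / RFC 6598 documentation ranges.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for a connected route
    interface: Optional[str]                    # known directly only for connected routes
    source: str                                 # "connected", "static" or "bgp"


def route(prefix: str, next_hop: Optional[str], interface: Optional[str], source: str) -> Route:
    return Route(ipaddress.ip_network(prefix),
                 ipaddress.ip_address(next_hop) if next_hop else None,
                 interface, source)


# Constructed RIB: connected segments, a static default, and BGP-learned prefixes.
SAMPLE_RIB: List[Route] = [
    route("203.0.113.0/24", None, "outside", "connected"),
    route("192.0.2.0/24", None, "DMZ", "connected"),
    route("10.10.0.0/16", None, "inside", "connected"),
    route("0.0.0.0/0", "203.0.113.1", None, "static"),       # ISP gateway on outside
    route("198.51.100.0/24", "203.0.113.2", None, "bgp"),    # next hop = eBGP peer on outside
    route("172.16.0.0/24", "192.0.2.9", None, "bgp"),        # next hop on the DMZ segment
    route("172.17.0.0/24", "100.64.5.5", None, "bgp"),       # next hop reachable only via default
    route("172.18.0.0/16", "172.18.1.1", None, "bgp"),       # next hop inside its own prefix (loop)
]


def longest_match(rib: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Classic longest-prefix lookup: the most specific prefix containing addr wins."""
    best = None
    for r in rib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def resolve(rib: List[Route], r: Route, max_depth: int = 8) -> Tuple[Optional[str], Optional[ipaddress.IPv4Address]]:
    """Walk next hops until a connected route is reached.

    Returns (egress interface, adjacent next hop), or (None, None) when the
    recursion fails: no covering prefix, a loop, or too many levels.
    """
    if r.next_hop is None:
        return r.interface, None                  # connected: nothing to resolve
    hop = r.next_hop
    seen = set()
    for _ in range(max_depth):
        if hop in seen:
            return None, None                     # loop (e.g. next hop inside its own prefix)
        seen.add(hop)
        covering = longest_match(rib, hop)
        if covering is None:
            return None, None                     # unresolvable next hop
        if covering.next_hop is None:
            return covering.interface, hop        # landed on a connected segment
        hop = covering.next_hop                   # recurse one level
    return None, None


def resolve_prefix(rib: List[Route], prefix: str) -> Tuple[Optional[str], Optional[str]]:
    """Convenience wrapper keyed by prefix string; returns printable values."""
    target = ipaddress.ip_network(prefix)
    for r in rib:
        if r.prefix == target:
            iface, hop = resolve(rib, r)
            return iface, (str(hop) if hop else None)
    raise KeyError(prefix)


def asp_table(rib: List[Route]) -> List[str]:
    """Render the RIB in the shape the ASP routing table above prints it."""
    lines = []
    for r in rib:
        iface, hop = resolve(rib, r)
        if r.next_hop is None:
            lines.append(f"in {r.prefix.network_address} {r.prefix.netmask} {r.interface}")
        elif iface is None:
            lines.append(f"in {r.prefix.network_address} {r.prefix.netmask} via {r.next_hop} (unresolved)")
        else:
            lines.append(f"in {r.prefix.network_address} {r.prefix.netmask} via {hop}, {iface} (resolved)")
    return lines


if __name__ == "__main__":
    print("\n".join(asp_table(SAMPLE_RIB)))
```

The 172.17.0.0/24 entry shows the two-level case: its BGP next hop is covered only by the default route, so the egress interface and adjacent hop come from the static route's gateway, which is what the ASP table records as the resolved next hop. The 172.18.0.0/16 entry shows why a loop check is needed: its next hop falls inside the prefix itself, so the lookup would otherwise recurse forever.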

ASA BGP and Graceful Restart Capability

The BGP feature in the ASA version discussed here does not support the Graceful Restart option negotiated in the BGP OPEN message. When a peer device sends a BGP OPEN message that advertises this capability, the ASA drops the UPDATE packet and sends a BGP NOTIFICATION message. These syslog messages are seen on the ASA:

%ASA neighbor Down BGP Notification sent
%ASA sent to neighbor /11 (invalid or corrupt AS path) 9 bytes
fc08
%ASA unsupported or mal-formatted message received from

There is nothing wrong with the AS_PATH attribute. The NOTIFICATION is sent because the ASA does not support the Graceful Restart capability in this version. This has been observed with Nexus devices, which negotiate the Graceful Restart capability by default. The workaround is to disable the Graceful Restart capability on the peer device, as shown here. On the Nexus switch, enter these commands:

inside-N5K(config)# router bgp
inside-N5K(config-router)# no graceful-restart

See Release Notes for the Cisco ASA Series, (x) for more information.

BGP support for nonstop forwarding: "We added support for BGP Nonstop Forwarding. We introduced the following new commands: bgp graceful-restart, neighbor ha-mode graceful-restart."

Troubleshoot

  • After configuration, you need to ensure that both devices have connectivity. Verify ICMP and TCP port connectivity.
  • If the BGP peers are not directly connected, ensure that you have eBGP multihop configured.
  • If connectivity is correct, the TCP socket is in the ESTAB state in the show asp table socket command output:

    ASA-1(config)# show asp table socket

    Protocol  Socket    State      Local Address                    Foreign Address
    SSL         LISTEN                       *
    TCP       e8  LISTEN                       *
    TCP       cd8  ESTAB                     
    SSL         LISTEN                     *
  • After a 3-way handshake, both peers exchange BGP OPEN messages and negotiate parameters.

  • After the parameter exchange, both peers exchange routing information with a BGP UPDATE message.

    %ASA Built local-host identity
    %ASA Built local-host outside
    %ASA Built outbound TCP connection 14 for outside/
    (/) to identity/ (/)
    %ASA neighbor Up

If the neighborship is not formed even after a successful TCP 3-way handshake, the issue is with the BGP FSM. Collect a packet capture and syslogs from the ASA and verify in which FSM state the session is stuck.
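As an added illustration of the checks above (example code, not from Cisco), the following Python combines the two observations the troubleshooting steps rely on: whether a TCP port 179 socket to the peer is in the ESTAB state, and where the BGP FSM stops according to the "went from X to Y" transition lines that debug ip bgp events prints. The socket table and the debug trace are constructed in the shape of the ASA output on this page, and the peer addresses are RFC 5737 placeholders.

```python
import re
from typing import Any, Dict, List, Tuple

# Added troubleshooting helper, not Cisco code. Sample lines are constructed in the
# shape of 'show asp table socket' and 'debug ip bgp events' output; the peer
# addresses (RFC 5737) are placeholders.

SOCKET_LINE = re.compile(r"^\s*TCP\s+\S+\s+(?P<state>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s*$")
TRANSITION = re.compile(r"^BGP: (?P<peer>\S+) \S+ went from (?P<old>\w+) to (?P<new>\w+)")
NOTIFICATION = re.compile(r"(?i)notification (sent|received)")

# Constructed output: the BGP listener plus one established session to the peer.
SOCKET_TABLE = """\
Protocol  Socket    State      Local Address                    Foreign Address
SSL       00000058  LISTEN     203.0.113.10:443                 *
TCP       000002e8  LISTEN     203.0.113.10:179                 *
TCP       00000cd8  ESTAB      203.0.113.10:179                 203.0.113.2:56012
""".splitlines()

# Constructed debug trace of a session that came up once, dropped, and now stalls in OpenSent.
DEBUG_TRACE = """\
BGP: 203.0.113.2 active went from Idle to Active
BGP: 203.0.113.2 active went from Active to OpenSent
BGP: 203.0.113.2 active went from OpenSent to OpenConfirm
BGP: 203.0.113.2 active went from OpenConfirm to Established
BGP: 203.0.113.2 active went from Established to Idle
BGP: 203.0.113.2 active went from Idle to Active
BGP: 203.0.113.2 active went from Active to OpenSent
""".splitlines()


def bgp_tcp_established(socket_lines: List[str], peer: str) -> bool:
    """True when a TCP socket to the peer involving port 179 is in ESTAB."""
    for line in socket_lines:
        m = SOCKET_LINE.match(line)
        if not m or m.group("state") != "ESTAB":
            continue
        local, foreign = m.group("local"), m.group("foreign")
        if (local.endswith(":179") or foreign.endswith(":179")) and foreign.startswith(peer + ":"):
            return True
    return False


def fsm_summary(debug_lines: List[str], peer: str) -> Dict[str, Any]:
    """Final FSM state, Established->Idle flap count, and whether a NOTIFICATION was logged."""
    final, flaps = "Idle", 0
    for line in debug_lines:
        m = TRANSITION.match(line)
        if m and m.group("peer") == peer:
            if m.group("old") == "Established":
                flaps += 1
            final = m.group("new")
    return {"final_state": final, "flaps": flaps,
            "notification": any(NOTIFICATION.search(l) for l in debug_lines)}


def diagnose(socket_lines: List[str], debug_lines: List[str], peer: str) -> Tuple[str, str]:
    """Combine the transport check with the FSM position, as the Troubleshoot steps do."""
    tcp_up = bgp_tcp_established(socket_lines, peer)
    state = fsm_summary(debug_lines, peer)["final_state"]
    if state == "Established":
        return state, "session up; if prefixes are missing, move on to debug ip bgp updates"
    if not tcp_up:
        return state, "no TCP 179 socket in ESTAB: check reachability, TTL/ebgp-multihop and filtering"
    if state == "OpenSent":
        return state, "TCP is up but no acceptable OPEN came back: compare AS numbers, router IDs, password and capabilities"
    if state == "OpenConfirm":
        return state, "OPEN accepted but no KEEPALIVE received: check hold timers and NOTIFICATION messages"
    return state, f"TCP is up but the FSM did not leave {state}: capture the exchange and look for NOTIFICATIONs"


if __name__ == "__main__":
    print(fsm_summary(DEBUG_TRACE, "203.0.113.2"))
    print(diagnose(SOCKET_TABLE, DEBUG_TRACE, "203.0.113.2"))
```

The point of keying the diagnosis on both inputs is the one the text makes: a socket in ESTAB rules out the transport, so a session parked in OpenSent or OpenConfirm is a BGP negotiation problem, while a missing ESTAB socket points back at reachability, TTL or filtering no matter what the FSM lines say.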

Debug

Note: Refer to Important Information on Debug Commands before you use debug commands.

Enter the debug ip bgp command in order to troubleshoot neighborship and routing update related issues.

ASA-1(config)# debug ip bgp ?

exec mode commands/options:
A.B.C.D BGP neighbor address
events BGP events
in BGP Inbound information
ipv4 Address family
keepalives BGP keepalives
out BGP Outbound information
range BGP dynamic range
rib-filter Next hop route watch filter events
updates BGP updates
<cr>

Enter the debug ip bgp events command in order to troubleshoot neighborship-related issues.

BGP: active went from Idle to Active
BGP: open active, local address

BGP: ses global (0xffecc) act Adding topology IPv4 Unicast:base
BGP: ses global (0xffecc) act Send OPEN
BGP: active went from Active to OpenSent
BGP: active sending OPEN, version 4, my as: , holdtime seconds,
ID cb

BGP: active rcv message type 1, length (excl. header) 34
BGP: ses global (0xffecc) act Receive OPEN
BGP: active rcv OPEN, version 4, holdtime seconds
BGP: active rcv OPEN w/ OPTION parameter len: 24
BGP: active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: active OPEN has CAPABILITY code: 1, length 4
BGP: active OPEN has MP_EXT CAP for afi/safi: 1/1
BGP: active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: active OPEN has CAPABILITY code: , length 0
BGP: active OPEN has ROUTE-REFRESH capability(old) for all address-families
BGP: active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: active OPEN has CAPABILITY code: 2, length 0
BGP: active OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: active OPEN has CAPABILITY code: 65, length 4
BGP: active OPEN has 4-byte ASN CAP for:
BGP: active rcvd OPEN w/ remote AS , 4-byte remote AS
BGP: active went from OpenSent to OpenConfirm
BGP: active went from OpenConfirm to Established
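The capability negotiation in the trace above, and the Graceful Restart interoperability problem described earlier, both come down to the optional parameters carried in the OPEN message. The following added Python example (not Cisco code) builds an OPEN message carrying the four capabilities the trace lists, decodes it with every length field bounds-checked, and reports any capability code the local speaker does not negotiate; with a Graceful Restart capability (code 64) appended, it flags the code the ASA version above rejects. The layout follows RFC 4271 (OPEN), RFC 5492 (Capabilities optional parameter, type 2) and RFC 4724 (Graceful Restart). The AS number 65001, hold time, BGP identifier and the ASA_SUPPORTED set are constructed assumptions; the decoder does reproduce the two lengths the trace shows (optional parameter length 24, length excluding header 34).

```python
import socket
import struct
from typing import Any, Dict, List, Tuple

# Added example of decoding the BGP OPEN optional parameters; not Cisco code.
# Layout follows RFC 4271 (OPEN), RFC 5492 (capabilities, parameter type 2) and
# RFC 4724 (Graceful Restart, code 64). AS numbers and addresses are constructed.

BGP_MARKER = b"\xff" * 16
HEADER_LEN = 19                                   # marker + length + type
CAP_NAMES = {1: "MP_EXT", 2: "ROUTE-REFRESH", 64: "GRACEFUL-RESTART",
             65: "4-BYTE-ASN", 128: "ROUTE-REFRESH(old)"}
# Assumed set of codes the ASA build discussed above negotiates (the trace shows exactly these).
ASA_SUPPORTED = {1, 2, 65, 128}

Capability = Tuple[int, bytes]

# The peer's capability set from the debug trace: MP_EXT IPv4/unicast, old and new
# route refresh, and 4-byte ASN; each sits in its own optional parameter.
PEER_CAPS: List[Capability] = [
    (1, struct.pack("!HBB", 1, 0, 1)),            # AFI 1 / reserved / SAFI 1
    (128, b""),
    (2, b""),
    (65, struct.pack("!I", 65001)),               # constructed private ASN
]
# Graceful Restart: restart flags/time (0, 120 s) plus one AFI/SAFI entry with the
# forwarding-state-preserved bit set, the kind of capability a peer advertises by default.
GR_CAP: Capability = (64, struct.pack("!H", 120) + struct.pack("!HBB", 1, 1, 0x80))


def build_open(my_as: int, hold_time: int, bgp_id: str, caps: List[Capability]) -> bytes:
    """Encode an OPEN with one Capabilities parameter (type 2) per capability."""
    params = b"".join(bytes([2, len(v) + 2, code, len(v)]) + v for code, v in caps)
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, socket.inet_aton(bgp_id), len(params)) + params
    return BGP_MARKER + struct.pack("!HB", HEADER_LEN + len(body), 1) + body


def parse_open(msg: bytes) -> Dict[str, Any]:
    """Strict decoder: every length field is bounds-checked before it is trusted."""
    if len(msg) < HEADER_LEN + 10 or msg[:16] != BGP_MARKER:
        raise ValueError("not a BGP message")
    length, msg_type = struct.unpack("!HB", msg[16:HEADER_LEN])
    if msg_type != 1 or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[HEADER_LEN:HEADER_LEN + 10])
    params = msg[HEADER_LEN + 10:]
    if len(params) != opt_len:
        raise ValueError("optional parameter length does not match message")
    caps: List[Capability] = []
    i = 0
    while i < len(params):
        if i + 2 > len(params) or i + 2 + params[i + 1] > len(params):
            raise ValueError("truncated optional parameter")
        ptype, plen = params[i], params[i + 1]
        value, i = params[i + 2:i + 2 + plen], i + 2 + plen
        if ptype != 2:
            continue                              # only Capabilities parameters carry codes
        j = 0
        while j < len(value):
            if j + 2 > len(value) or j + 2 + value[j + 1] > len(value):
                raise ValueError("truncated capability")
            code, clen = value[j], value[j + 1]
            caps.append((code, value[j + 2:j + 2 + clen]))
            j += 2 + clen
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_id": socket.inet_ntoa(bgp_id), "length_excl_header": length - HEADER_LEN,
            "opt_param_len": opt_len, "capabilities": caps}


def unsupported_capabilities(parsed: Dict[str, Any], supported=ASA_SUPPORTED) -> List[int]:
    """Capability codes the local speaker cannot negotiate, e.g. 64 (Graceful Restart)."""
    return [code for code, _ in parsed["capabilities"] if code not in supported]


def describe(parsed: Dict[str, Any]) -> List[str]:
    """One line per capability, in the wording of the debug trace."""
    return [f"CAPABILITY code {code} ({CAP_NAMES.get(code, 'unknown')}), length {len(v)}"
            for code, v in parsed["capabilities"]]


if __name__ == "__main__":
    for caps in (PEER_CAPS, PEER_CAPS + [GR_CAP]):
        p = parse_open(build_open(65001, 180, "192.0.2.1", caps))
        print(p["length_excl_header"], p["opt_param_len"], describe(p), unsupported_capabilities(p))
```

Running the second case shows why the syslog earlier blames the AS path although nothing is wrong with it: the decoder sees a perfectly well-formed OPEN, and the only unusual thing about it is the unknown capability code 64. A speaker that does not implement RFC 5492's rule of ignoring unknown capabilities, or that mishandles the extra parameter, ends up rejecting the session for a reason unrelated to the real cause, which is what the Nexus workaround side-steps.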

Enter the debug ip bgp updates command in order to troubleshoot routing update-related issues.

BGP: TX IPv4 Unicast Mem global Changing state from DOWN to WAIT
(pending advertised bit allocation).
BGP: TX IPv4 Unicast Grp global 4 Created.
BGP: TX IPv4 Unicast Wkr global 4 Cur Blocked (not in list).
BGP: TX IPv4 Unicast Wkr global 4 Ref Blocked (not in list).
BGP: TX IPv4 Unicast Rpl global 4 1 Created.
BGP: TX IPv4 Unicast Rpl global 4 1 Net bitfield index 0 allocated.
BGP: TX IPv4 Unicast Mem global 4 1 Added to group (now has 1 members).
BGP: TX IPv4 Unicast Mem global 4 1 Staying in WAIT state
(current walker waiting for net prepend).
BGP: TX IPv4 Unicast Top global Start net prepend.
BGP: TX IPv4 Unicast Top global Inserting initial marker.
BGP: TX IPv4 Unicast Top global Done net prepend (0 attrs).
BGP: TX IPv4 Unicast Grp global 4 Starting refresh after prepend completion.
BGP: TX IPv4 Unicast Wkr global 4 Cur Start at marker 1.
BGP: TX IPv4 Unicast Grp global 4 Message limit changed from to (used 0 + 0).
BGP: TX IPv4 Unicast Wkr global 4 Cur Unblocked
BGP: TX IPv4 Unicast Mem global 4 1 Changing state from WAIT to ACTIVE
(ready).
BGP: TX IPv4 Unicast Mem global 4 1 No refresh required.
BGP: TX IPv4 Unicast Top global Collection done on marker 1 after 0 net(s).
BGP(0): rcvd UPDATE w/ attr: nexthop , origin i, metric 0,
merged path , AS_PATH

BGP(0): rcvd /24
BGP(0): rcvd /24
BGP(0): rcvd /24
> Routes rcvd from peer
BGP: TX IPv4 Unicast Net global /32 Changed.
BGP: TX IPv4 Unicast Net global /24 Changed.
BGP: TX IPv4 Unicast Net global /24 Changed.
BGP(0): Revise route installing 1 of 1 routes for ->
(global) to main IP table
BGP: TX IPv4 Unicast Net global /24 RIB done.
BGP(0): Revise route installing 1 of 1 routes for ->
(global) to main IP table
BGP: TX IPv4 Unicast Net global /24 RIB done.
BGP(0): Revise route installing 1 of 1 routes for ->
(global) to main IP table
BGP: TX IPv4 Unicast Net global /24 RIB done.

BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab Ready in READ-WRITE.
BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab All topologies are EOR ready.
BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab Executing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Processing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 1.
BGP: TX IPv4 Unicast Top global Appending nets from attr 0xffecc9b7b
BGP: TX IPv4 Unicast Wkr global 4 Cur Attr change from 0x to
0xffecc9b7b
BGP: TX IPv4 Unicast Wkr global 4 Cur Net /24 Skipped.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net /24 Skipped.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net /24 Skipped.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Top global Added tail marker with version 4.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 4.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Wkr global 4 Cur Done (end of list), processed 1 attr(s),
0/3 net(s), 0 pos.
BGP: TX IPv4 Unicast Grp global 4 Checking EORs (0/1).
BGP: TX IPv4 Unicast Mem global 4 1 Send EOR.
BGP: TX IPv4 Unicast Grp global 4 Converged.
BGP: TX IPv4 Unicast Tab Processed 1 walker(s).
BGP: TX IPv4 Unicast Tab Generation completed.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 1.
BGP: TX IPv4 Unicast Top global Collection reached marker 1 after 0 net(s).
BGP: TX IPv4 Unicast Top global First convergence done.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 1.
BGP: TX IPv4 Unicast Top global Collection reached marker 1 after 0 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 4 after 3 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 4 after 0 net(s).
BGP: TX IPv4 Unicast Net global /24 Changed.
BGP: TX IPv4 Unicast Net global /24 Changed.
BGP: TX IPv4 Unicast Net global /24 Changed.
BGP(0): nettable_walker /24 route sourced locally
BGP: topo global:IPv4 Unicast:base Remove_fwdroute for /24
BGP: TX IPv4 Unicast Net global /24 RIB done.
BGP(0): nettable_walker /24 route sourced locally
BGP: topo global:IPv4 Unicast:base Remove_fwdroute for /24
BGP: TX IPv4 Unicast Net global /24 RIB done.
BGP(0): nettable_walker /24 route sourced locally
> Routes advertised

BGP: topo global:IPv4 Unicast:base Remove_fwdroute for /24
BGP: TX IPv4 Unicast Net global /24 RIB done.
BGP: TX IPv4 Unicast Tab RIB walk done version 8, added 1 topologies.
BGP: TX IPv4 Unicast Tab Executing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Processing.
BGP: TX IPv4 Unicast Top global Appending nets from attr 0xffecc9b7c
BGP: TX IPv4 Unicast Wkr global 4 Cur Attr change from 0x to
0xffecc9b7c
BGP: TX IPv4 Unicast Rpl global 4 1 Net /24 Set advertised bit (total 1).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net /24 Formatted.
BGP: TX IPv4 Unicast Rpl global 4 1 Net /24 Set advertised bit (total 2).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net /24 Formatted.
BGP: TX IPv4 Unicast Rpl global 4 1 Net /24 Set advertised bit (total 4).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net /24 Formatted.

BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Top global Added tail marker with version 8.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 8.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Wkr global 4 Cur Replicating.
BGP: TX IPv4 Unicast Wkr global 4 Cur Done (end of list), processed 1 attr(s),
4/4 net(s), 0 pos.
BGP: TX IPv4 Unicast Grp global 4 Start minimum advertisement timer (30 secs).
BGP: TX IPv4 Unicast Wkr global 4 Cur Blocked (minimum advertisement interval).
BGP: TX IPv4 Unicast Grp global 4 Converged.
BGP: TX IPv4 Unicast Tab Processed 1 walker(s).
BGP: TX IPv4 Unicast Tab Generation completed.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 4.
BGP: TX IPv4 Unicast Top global Collection reached marker 4 after 0 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 8 after 4 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 8 after 0 net(s).
BGP: TX Member message pool under period (60 < ).
BGP: TX IPv4 Unicast Tab RIB walk done version 8, added 1 topologies.

Enter these commands in order to troubleshoot this feature:

  • show asp table socket
  • show bgp neighbor
  • show bgp summary
  • show route bgp
  • show bgp cidr-only
  • show route summary
Source: https://www.cisco.com/c/en/us/support/docs/security/asax-series-next-generation-firewalls/config-bgphtml