Cisco ASA: How to Configure BGP through ASA

Overview

  • To establish BGP through an ASA there are some prerequisites:
    • reachability to the neighbor
    • TCP sequence number randomization must be disabled (if the BGP neighborship uses an MD5 password)
    • TCP option 19 must be allowed (if the BGP neighborship uses an MD5 password)
    • TCP port 179 must be permitted from the lower security level to the higher one.

Overview Class Map, Policy Maps ASA

To define all those prerequisites we first need to know class maps and policy maps.

  • Class maps are used to match traffic at L3, L3/L4 or L7.
  • Policy maps are used to take action on a certain type of traffic.
  • ASA supports L3 and L7 class maps.
  • ASA supports L3 and L7 policy maps.
  • L7 policy maps can't be applied to an interface; instead they are nested inside an L3/L4 policy map.
  • Class map L7
    • used only to match L7
    • can only be called in an L7 policy map
    • command: policy map inspect <service> <name>
  • Class map L3/L4
    • used only to match L3/L4
    • can only be called in an L7 policy map
    • command: policy map inspect <name>
  • Policy map L3/L4
    • used to apply an action at L3/L4
    • applied to an interface
    • command: policy-map <name>
  • Policy map L7
    • used to apply an action at L7
    • cannot be applied to an interface
    • applied inside an L3/L4 policy map
    • command: policy-map type inspect

Topology

Testing Scenarios

  • Configure BGP connectivity between R2 and R3.
  • Use the loopbacks as the source for communication between the routers.
  • Configure the BGP password between R2 and R3 as cisco.

Configurations

R2

router bgp 1
 neighbor 3.3.3.3 remote-as 2
 neighbor 3.3.3.3 password cisco
 neighbor 3.3.3.3 ttl-security hops 250
 neighbor 3.3.3.3 update-source Loopback0
!

R3

router bgp 2
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 password cisco
 neighbor 2.2.2.2 ttl-security hops 250
 neighbor 2.2.2.2 update-source Loopback0
!

Cisco ASA

Because the requirement is to use a password between the BGP routers, we need to define a class map and a policy map that allow the BGP TCP options.

class-map BGP
 match port tcp eq bgp
!
tcp-map TMAP
 tcp-options range 19 19 allow
!
policy-map BGP-Policy
 ! reference the class-map defined above
 class BGP
  ! disable TCP sequence number randomization for matched flows
  set connection random-sequence-number disable
  ! allow TCP option 19 (MD5 signature) via the tcp-map
  set connection advanced-options TMAP

Apply the policy map to the OUTSIDE interface:

service-policy BGP-Policy interface OUTSIDE
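Why both settings matter, shown with an added example that is not from the original post and not Cisco code: a small Python model of the RFC 2385 TCP MD5 signature that BGP carries in TCP option 19. The digest covers the fixed TCP header, including the sequence number, so a firewall that rewrites sequence numbers invalidates every signed segment, and a receiver cannot verify a segment whose option 19 has been stripped. The addresses, ports and segment layout are constructed; the key is the post's password.

```python
import hashlib
import hmac
import socket
import struct
# Constructed values (not from the original post): the R2/R3 loopbacks and the
# post's BGP password; option kind 19 / length 18 are the RFC 2385 constants.
SRC_IP, DST_IP, KEY = "2.2.2.2", "3.3.3.3", b"cisco"
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18

def find_md5_option(tcp_hdr):
    """Walk the TCP option list; return the 16-byte digest if option 19 is present."""
    end = min((tcp_hdr[12] >> 4) * 4, len(tcp_hdr))  # data offset, bounded by buffer
    i = 20
    while i < end:
        kind = tcp_hdr[i]
        if kind == 0:                                # EOL
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        if i + 1 >= end or tcp_hdr[i + 1] < 2 or i + tcp_hdr[i + 1] > end:
            break                                    # truncated or malformed option
        if kind == MD5_OPT_KIND and tcp_hdr[i + 1] == MD5_OPT_LEN:
            return tcp_hdr[i + 2:i + MD5_OPT_LEN]
        i += tcp_hdr[i + 1]
    return None

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, data, key):
    """RFC 2385: MD5 over pseudo-header, fixed header (checksum 0, no options), data, key."""
    seg_len = (tcp_hdr[12] >> 4) * 4 + len(data)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    fixed = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + fixed + data + key).digest()

def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, key, data=b""):
    """PSH/ACK header, data offset 10 (20 bytes of options), digest filled in."""
    def hdr(digest):
        fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 10 << 4, 0x18, 65535, 0, 0)
        return fixed + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"
    return hdr(tcp_md5_digest(src_ip, dst_ip, hdr(bytes(16)), data, key))

def verify_segment(src_ip, dst_ip, tcp_hdr, data, key):
    """True only if option 19 is present and its digest matches this key."""
    got = find_md5_option(tcp_hdr)
    return got is not None and hmac.compare_digest(got, tcp_md5_digest(src_ip, dst_ip, tcp_hdr, data, key))

def rewrite_seq(tcp_hdr, new_seq):
    # Mimic a middlebox rewriting the sequence number, as ASA seq randomization does.
    return tcp_hdr[:4] + struct.pack("!I", new_seq) + tcp_hdr[8:]
```

Running verify_segment on a segment after rewrite_seq, or after the option bytes are cut off, returns False, which is the same failure the neighbor sees when the ASA is left with its defaults.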

Verifications

We can check the BGP neighbor status on each router:

show ip bgp sum

Conclusions

We can establish the BGP session with the password set. As a reminder, when a BGP MD5 password is used:

  • TCP sequence number randomization must be disabled (if the BGP neighborship uses an MD5 password)
  • TCP option 19 must be allowed (if the BGP neighborship uses an MD5 password)

Use a class map and a policy map to solve the issue.