Direct Connect BGP with new Cisco ASA 9.2.1 code?

This topic contains 7 replies, has 4 voices, and was last updated by Mike Stephen Melissa Stephen 5 months, 4 weeks ago.

Viewing 8 posts - 1 through 8 (of 8 total)
    #100034477
    Mike Stephen

    Has anyone successfully set up a direct connect using Cisco ASA 9.2.1 that now has full BGP support? Any examples would be awesome.

    #100034478
    Mathew George

    Also would love to hear about this!

    #100034479
    Melissa Stephen

    Second this. Just installed the new BGP upgrade and eager to see how it's working for people with AWS. Please list the ASA model and how many routes you are taking in.

    #100034480
    Saim Qadeer

    I would love to hear about it too. Our current datacenter provider updated our Cisco ASA to support BGP, but they insist that because AWS has not approved this model, they cannot configure it.

    On the AWS side I have opened a support ticket, and they suggested downloading a template file for another Cisco router and trying to execute the commands on the Cisco ASA. Unfortunately our current datacenter provider does not want to help us.

    #100034481
    Mike Stephen

    I also would like to get a VPN connection aka virtual private gateway set up using dynamic routing with BGP, using a Cisco ASA as the customer endpoint.

    I am using ASA software version 9.3(3) which supports BGP routing, whereas many earlier versions did not. I already have a static routing VPN configuration working well. However, I am interested in dynamic routing with BGP so we can have ASAs on different customer sites providing a resilient connection to AWS.

    There is a problem in that if you choose dynamic routing with BGP, AWS don’t provide an option to download a config for the ASA, only for ISR routers which follow a different approach in the config file e.g. tunnels are defined as interfaces, whereas they are not on the ASA.

    If I download the “generic” config from AWS I see the tunnel has a set of “inside” addresses:
    (addresses changed for security reasons)
    Outside IP Addresses:
    – Customer Gateway : 44.55.23.10
    – Virtual Private Gateway : 176.32.137.149
    Inside IP Addresses
    – Customer Gateway : 169.254.254.74/30
    – Virtual Private Gateway : 169.254.254.73/30

    I’ve been trying to “translate” the AWS-supplied config for the ISR to ASA format, but I don’t know what to do with these “inside” addresses which are used as the peers for BGP routing. The ASA config with static routes doesn’t use them.

    Does anyone have any ideas or better still, has anyone got BGP routing working on an ASA and could post an example config? Thanks.

    #100034482
    Melissa Stephen

    From what I can see, what you are requesting is not possible.

    The provided BGP configuration relies on there being a tunnel interface, which is not provided on the ASA. That said, it also seems like the Cisco-provided ASA BGP examples do not work with AWS either. The only way I have found is to use a Cisco router behind the firewall.

    Appreciating this increases costs, maybe you could get away with running VRF if you have an existing router you manage?

    #100034483
    Mike Stephen

    The conclusion is that the Cisco ASA is a good platform for VPN to AWS if you want to use static routes. However, as you say, you can't use it to VPN to AWS with dynamic routing via BGP over the tunnel, even though ASA software v9.x supports BGP.

    This is because AWS when using BGP is set up for “route-based VPN” which the ASA can’t do because it lacks tunnel interfaces. It can do “policy-based VPN” which works well with AWS in static route mode.

    AWS could change their offering to be compatible with VPN to ASA when using BGP, now that the latest ASA software supports it, but they haven’t done so as of yet.

    In the meantime, as you say, if you want BGP over the VPN tunnel you can terminate the tunnel on some other Cisco router, which will need the security feature set. I've seen both routers inside the firewall (allowing IPsec through the firewall) and outside (e.g. the site Internet router) suggested. I'll be looking at our options here. Meanwhile, thanks for the help!
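    Added example (not from this thread, and not an AWS or Cisco template): the two configuration shapes the posts above contrast, side by side, using the outside and inside addresses Mike quoted. The first is a route-based ISR/IOS config, where the 169.254.254.72/30 "inside" pair from the AWS download becomes the address of a VTI tunnel interface and the far end of that /30 is the BGP neighbour. The second is the policy-based ASA config, where interesting traffic is selected by an ACL on a crypto map and the 169.254.x.x pair never appears, which is why the static-route ASA config does not use it. Assumed values: customer ASN 65000, AWS-side ASN 7224, pre-shared key placeholder PSK_PLACEHOLDER, on-premises prefix 10.1.0.0/16, VPC prefix 10.0.0.0/16, and IKEv1 with AES-128/SHA-1/DH group 2 and 28800 s / 3600 s lifetimes; take the real cipher parameters and key from your own AWS download.

```cisco
! ===== ISR / IOS: route-based VPN (VTI) with BGP over the tunnel =====
! Phase 1 (assumed parameters; copy the ones from your AWS download)
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
crypto keyring keyring-vpn-1
 local-address 44.55.23.10
 pre-shared-key address 176.32.137.149 key PSK_PLACEHOLDER
crypto isakmp profile isakmp-vpn-1
 local-address 44.55.23.10
 match identity address 176.32.137.149
 keyring keyring-vpn-1
! Phase 2 bound to an IPsec profile rather than a crypto map
crypto ipsec transform-set ipsec-prop-vpn-1 esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-vpn-1
 set pfs group2
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-1
!
! The "Inside IP Addresses" from the AWS download go here:
! customer side on the tunnel interface, VGW side as the BGP neighbour.
interface Tunnel1
 ip address 169.254.254.74 255.255.255.252
 tunnel source 44.55.23.10
 tunnel destination 176.32.137.149
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-1
 ip tcp adjust-mss 1387
 no shutdown
!
! Assumed ASNs: 65000 (customer) and 7224 (AWS side)
router bgp 65000
 neighbor 169.254.254.73 remote-as 7224
 neighbor 169.254.254.73 timers 10 30 30
 address-family ipv4 unicast
  neighbor 169.254.254.73 activate
  neighbor 169.254.254.73 soft-reconfiguration inbound
  network 10.1.0.0 mask 255.255.0.0
 exit-address-family

! ===== ASA: policy-based VPN with static routing (no tunnel interface) =====
crypto ikev1 policy 200
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 enable outside
tunnel-group 176.32.137.149 type ipsec-l2l
tunnel-group 176.32.137.149 ipsec-attributes
 ikev1 pre-shared-key PSK_PLACEHOLDER
 isakmp keepalive threshold 10 retry 10
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
!
! Interesting traffic (assumed prefixes) selects the tunnel; there is
! no interface to address, so the 169.254.254.72/30 pair is not used
! and there is no BGP peer to configure.
access-list acl-amzn extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 176.32.137.149
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
sysopt connection tcpmss 1379
```

    The point of the side-by-side: the BGP session in the first config only exists because `Tunnel1` gives the 169.254.254.72/30 link an interface to live on. On the ASA, with no such interface, the crypto map plus an ACL (and whatever routing already sends the VPC prefix out of `outside`) is the whole story, and the ASA's own `router bgp` support does not help here because there is nothing inside the tunnel for it to peer over.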

    #100034484
    Melissa Stephen

    Just another thought: you can fire up a Cisco ASA/router instance within AWS, which would allow you to achieve this. Unfortunately that costs money for the hardware and licenses, but it is a thought.

    Personally, I would be (and I am with my current client) pushing for a BGP solution. I've tried it out in a sample lab; it really works and the failover is pretty awesome too.

    AJ
