May 26, 2018 at 1:56 pm #100034477
Has anyone successfully set up a direct connect using Cisco ASA 9.2.1 that now has full BGP support? Any examples would be awesome.

May 26, 2018 at 1:56 pm #100034478
Also would love to hear about this!

May 26, 2018 at 1:56 pm #100034479
Second this. Just installed the new BGP upgrade and eager to see how it's working for people with AWS. Please list the ASA model and how many routes you are taking in.

May 26, 2018 at 1:57 pm #100034480
I would love to hear about it too. The current datacenter provider updated our Cisco ASA to support BGP. But they insist on saying that since AWS has not approved this model, they cannot configure it.
From the AWS side I have opened a support ticket, and they suggested downloading a template file for another Cisco router and trying to execute the commands on the Cisco ASA. But unfortunately our current datacenter provider does not want to help us.

May 26, 2018 at 1:58 pm #100034481
I also would like to get a VPN connection aka virtual private gateway set up using dynamic routing with BGP, using a Cisco ASA as the customer endpoint.
I am using ASA software version 9.3(3) which supports BGP routing, whereas many earlier versions did not. I already have a static routing VPN configuration working well. However, I am interested in dynamic routing with BGP so we can have ASAs on different customer sites providing a resilient connection to AWS.
There is a problem in that if you choose dynamic routing with BGP, AWS don’t provide an option to download a config for the ASA, only for ISR routers which follow a different approach in the config file e.g. tunnels are defined as interfaces, whereas they are not on the ASA.
If I download the “generic” config from AWS I see the tunnel has a set of “inside” addresses:
(addresses changed for security reasons)
Outside IP Addresses:
– Customer Gateway : 18.104.22.168
– Virtual Private Gateway : 22.214.171.124
Inside IP Addresses
– Customer Gateway : 169.254.254.74/30
– Virtual Private Gateway : 169.254.254.73/30
I’ve been trying to “translate” the AWS-supplied config for the ISR to ASA format, but I don’t know what to do with these “inside” addresses which are used as the peers for BGP routing. The ASA config with static routes doesn’t use them.
Does anyone have any ideas or better still, has anyone got BGP routing working on an ASA and could post an example config? Thanks.

May 26, 2018 at 1:58 pm #100034482
From what I can see what you are requesting is not possible…
The provided BGP configuration relies on there being a tunnel interface, which is not provided on the ASA. That said, it also seems like the Cisco provided ASA BGP example do not work with AWS either. The only way I have found is to use a Cisco Router, behind the firewall.
Appreciating this increases costs, maybe you could get away with running VRF if you have an existing router you manage?

May 26, 2018 at 1:59 pm #100034483
The conclusion is that Cisco ASA is a good platform for VPN to AWS, if you want to use static routes. However as you say, you can’t use it to VPN to AWS with dynamic routing via BGP over the tunnel, even though ASA software v9.x supports BGP.
This is because AWS when using BGP is set up for “route-based VPN” which the ASA can’t do because it lacks tunnel interfaces. It can do “policy-based VPN” which works well with AWS in static route mode.
AWS could change their offering to be compatible with VPN to ASA when using BGP, now that the latest ASA software supports it, but they haven’t done so as of yet.
In the meantime as you say, if you want BGP over the VPN tunnel you can terminate the tunnel on some other Cisco router which will need the security feature set. I’ve seen both routers inside the firewall (allowing IPSEC through the firewall) and outside (e.g. the site Internet router) suggested. I’ll be looking at our options here. Meanwhile, thanks for the help!

May 26, 2018 at 1:59 pm #100034484
Just another thought: you can fire up a Cisco ASA/router instance within AWS, which would allow you to achieve this. Unfortunately that costs money for the physical hardware and licenses, but it is a thought.
Personally, I would be (and I am with my current client) pushing for a BGP solution. I've tried it out in a sample lab, it really works and the failover is pretty awesome too.