ASA Route Based VPN (BGP)
In the previous ASA Route Based VPN article, we only covered the basics of using a VTI and getting a tunnel to pass traffic using static routes. Many clients will want to use a dynamic routing protocol, like BGP, to share networks between peers. If your VPN is not currently a Route Based VPN (VTI), I would recommend reading the previous article before working through this one on BGP.
Understanding your requirements
Figure out which local networks should be advertised to the remote peer, and learn which networks the peer may advertise into the local environment. The configuration below uses route-maps with deliberately narrow prefix-lists to limit what the local ASA will learn. This makes sure that if the remote side accidentally advertises networks that overlap with the local environment, or with another peer on our ASA, existing traffic flows are not interrupted and no accidental downtime results. There may be cases where the remote side is fully trusted and BGP can be the source of truth; with a more open prefix-list you will not need to update the ASA's prefix-lists when new networks are added on the remote side. The downside of a more open prefix-list is that wrong networks advertised by the remote side will be accepted.
Below is a sample existing VPN configuration on the ASA that we will build on. At the moment the tunnel may build, but nothing communicates over it because no routes use this VTI. As in the previous article, I am using an APIPA address as the remote address of the VTI. The difference in this example is that the remote side will NEED to have an IP in this range: BGP peering will not function if the two tunnel addresses are not in the same network.
! Local Network: 192.168.100.0/24
! Remote Tunnel Address: 169.254.224.254
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 18.104.22.168 ipsec-attributes
 ikev1 pre-shared-key Th1nkN3t$Ec
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec profile ROUTE-BASED-PROFILE
 set ikev1 transform-set ESP-AES128-SHA
 set security-association lifetime seconds 28800
 set pfs group5
interface Tunnel0
 nameif ROUTE-BASED
 ip address 169.254.224.253 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination 22.214.171.124
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ROUTE-BASED-PROFILE
Before we can begin configuring BGP, we need an AS number. The range 64512 to 65534 is reserved for private use, so these can be used if you do not have one already in mind. In this example, we will configure the local AS as 64512.
The remote end of the VPN has informed us that their internal network is 192.168.150.0/24 and that their AS number is 64513. With this information, we have enough to configure the local side of the BGP configuration. Since we do not want the remote side to advertise anything more than their 192.168.150.0/24, we will create the inbound prefix-list with just 192.168.150.0/24. The outbound prefix-list will contain only 192.168.100.0/24, as this is the only network we wish to share with the remote end of the VPN tunnel. These prefix-lists are referenced by route-maps, which is how we will bind them to the BGP configuration.
prefix-list ThinkNetsec-IN seq 5 permit 192.168.150.0/24
prefix-list ThinkNetsec-OUT seq 5 permit 192.168.100.0/24

route-map ThinkNetsec-ROUTEMAP-IN permit 10
 match ip address prefix-list ThinkNetsec-IN
route-map ThinkNetsec-ROUTEMAP-OUT permit 10
 match ip address prefix-list ThinkNetsec-OUT
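As an added example (not part of the original article), the following Python models the exact-match semantics of the two prefix-lists above and applies the inbound filter to a constructed set of remote advertisements, showing that an overlapping, more-specific or default prefix is dropped before it can reach the local routing table. The ge/le handling goes beyond the page's entries so the same check works for wider prefix-lists.

```python
import ipaddress

# Prefix-lists from the article, as (action, prefix, ge, le) entries.
# Cisco semantics: with no ge/le only an exact prefix and length matches,
# and every list ends with an implicit "deny any".
PREFIX_LISTS = {
    "ThinkNetsec-IN":  [("permit", "192.168.150.0/24", None, None)],
    "ThinkNetsec-OUT": [("permit", "192.168.100.0/24", None, None)],
}
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.100.0/24")]  # INSIDE


def prefix_list_match(name, prefix):
    """Return True if `prefix` is permitted by the named prefix-list."""
    net = ipaddress.ip_network(prefix, strict=False)
    for action, entry, ge, le in PREFIX_LISTS[name]:
        base = ipaddress.ip_network(entry)
        lo = ge if ge is not None else base.prefixlen
        if le is not None:
            hi = le
        else:
            hi = base.max_prefixlen if ge is not None else base.prefixlen
        # Match when the prefix sits inside the entry and its length is in [lo, hi].
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny at the end of the list


def filter_inbound(advertised, prefix_list="ThinkNetsec-IN"):
    """Apply the inbound route-map (permit 10, match prefix-list) to received prefixes."""
    accepted, dropped = [], []
    for p in advertised:
        (accepted if prefix_list_match(prefix_list, p) else dropped).append(p)
    return accepted, dropped


def overlaps_local(prefix):
    """True if a prefix would collide with one of our own networks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.overlaps(local) for local in LOCAL_NETWORKS)


# Constructed sample: what a misconfigured remote peer might send over the VTI.
REMOTE_ADVERTISEMENTS = [
    "192.168.150.0/24",   # the agreed network: accepted
    "192.168.150.0/25",   # more specific, not an exact match: dropped
    "192.168.100.0/24",   # overlaps our INSIDE network: dropped, no outage
    "0.0.0.0/0",          # leaked default route: dropped
]

if __name__ == "__main__":
    ok, bad = filter_inbound(REMOTE_ADVERTISEMENTS)
    print("accepted:", ok)
    for p in bad:
        note = " (would have overlapped a local network)" if overlaps_local(p) else ""
        print("dropped:", p + note)
```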
Now that the route-maps have been defined, we will create the BGP configuration which references them. Below is the BGP configuration on our local ASA. This was configured knowing that our local AS is 64512, the remote AS is 64513 and our neighbor is 169.254.224.254.
router bgp 64512
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 169.254.224.254 remote-as 64513
  neighbor 169.254.224.254 timers 10 30 30
  neighbor 169.254.224.254 activate
  neighbor 169.254.224.254 route-map ThinkNetsec-ROUTEMAP-IN in
  neighbor 169.254.224.254 route-map ThinkNetsec-ROUTEMAP-OUT out
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
BGP Configuration Explained
Some of the above configuration is default, but I will break down what we configured. First, we configure our local BGP process with AS 64512, which drops us into router configuration mode. We then specify the address-family ipv4 unicast, which drops us down one more level. In this sub-configuration we define the neighbors and what we should be sending to and learning from them.
I configured our remote neighbor as 169.254.224.254, our peer's address over the tunnel, which uses AS number 64513. Route-maps are added to the neighbor followed by either in or out. This final keyword tells BGP whether the route-map limits the networks the ASA is allowed to send (out) or the networks it is allowed to learn (in).
The redistribute connected and redistribute static commands tell BGP to send all known static and directly connected networks to the neighbors configured in BGP. This is what makes BGP send our local 192.168.100.0/24 network to the remote peer (neighbor). The outbound route-map applied to the neighbor filters these networks down to just what the route-map permits; without it the OUTSIDE subnet and the tunnel /30, which the show bgp output below lists in the local BGP table, would also be advertised to the peer. A route-map can also be placed on the redistribute commands. This also limits what is shared from the connected/static networks, but it applies to all neighbors rather than to one.
If everything goes well, you will see output like the following when issuing 'show bgp' and 'show route':
ASA-LAB1# show bgp
BGP table version is 11, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network            Next Hop            Metric LocPrf Weight Path
 *>  126.96.36.199/28   0.0.0.0                  0         32768 ?
 *>  169.254.224.252/30 0.0.0.0                  0         32768 ?
 *>  192.168.100.0      0.0.0.0                  0         32768 ?
 *>  192.168.150.0      169.254.224.254          0             0 64513 ?

ASA-LAB1# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 188.8.131.52 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 184.108.40.206, OUTSIDE
C        220.127.116.11 255.255.255.240 is directly connected, OUTSIDE
L        18.104.22.168 255.255.255.255 is directly connected, OUTSIDE
C        169.254.224.252 255.255.255.252 is directly connected, ROUTE-BASED
L        169.254.224.253 255.255.255.255 is directly connected, ROUTE-BASED
C        192.168.100.0 255.255.255.0 is directly connected, INSIDE
L        192.168.100.1 255.255.255.255 is directly connected, INSIDE
B        192.168.150.0 255.255.255.0 [20/0] via 169.254.224.254, 00:48:50
I may append more information to this article so follow back up for possible updates. Please comment below if you see any issues or if you would like more clarification. Feel free to contact me directly if you wish to reach out to me for help or if you have any questions.