ASA Route Based VPN (BGP)

In the previous ASA Route Based VPN article, we only covered the basics of using a VTI and getting a tunnel to pass traffic using static routes. A lot of clients will be wanting to use a dynamic routing protocol, like BGP, to share the networks between peers. If your VPN is not currently a Route Based VPN (VTI) then I would recommend looking at the previous article before looking at this one with BGP.

Understanding your requirements

Figure out which networks in the local network should be advertised to the remote peer and learn what networks they may be advertising to the local environment. The configuration below will be using route-maps with specifically narrow prefix-lists to limit what the local ASA will learn. This will make sure that if the remote side accidentally advertises networks that overlap with the local environment, or with another peer on our ASA,  that traffic flow does not get interrupted causing any accidental downtime or issues. There may be times where the remote side is fully trusted so BGP can be the source of truth. This means that you will not need to update the ASA's prefix-lists when new networks are added to the remote side if a more open prefix-list is used. The issue with using a more open prefix-list is that it could allow for issues if wrong networks are advertised by the remote side.

VPN Configuration

Below is a sample existing VPN configuration on the ASA that we will be using for this configuration. At the moment, the tunnel may build but nothing is currently communicating over the tunnel as we have no routes using this VTI. As per the previous article, I am using an APIPA IP as the remote address of the VTI. The difference with this example is that the Remote side will NEED to have an IP in this IP range. BGP peering will not function if these IPs are not in the same network.

!Local Network: 192.168.100.0/24
!Remote Tunnel Address: 169.254.224.254

crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400

tunnel-group 50.56.228.50 type ipsec-l2l
tunnel-group 50.56.228.50 ipsec-attributes
ikev1 pre-shared-key Th1nkN3t$Ec

crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto ipsec profile ROUTE-BASED-PROFILE
  set ikev1 transform-set ESP-AES128-SHA
  set security-association lifetime seconds 28800
  set pfs group5

interface Tunnel0
   nameif ROUTE-BASED
   ip address 169.254.224.253 255.255.255.252
   tunnel source interface OUTSIDE
   tunnel destination 50.56.228.50
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile ROUTE-BASED-PROFILE

BGP Configuration

Before we can begin configuring BGP, we should find an available AS number that can be used. 64512 - 65534 is reserved for Private use so these can be used if you do not have one already in mind. In this example, we will configure the local AS as 64512.

The remote end of the VPN has informed us that their internal network is 192.168.150.0/24 and that their AS number is 64513. With this information, we have enough to configure the local side of the BGP configuration. Since we do not want the Remote side to advertise anything more then just their 192.168.150.0/24, we will create the Inbound prefix-list with just the 192.168.150.0/24. The local prefix-list will only use the 192.168.100.0/24 as this is the only network we wish to share with the remote end of the VPN tunnel. These prefix-lists will be bound to route-maps which is how we will bind these prefix-lists to the BGP configuration.

prefix-list ThinkNetsec-IN seq 5 permit 192.168.150.0/24
prefix-list ThinkNetsec-OUT seq 5 permit 192.168.100.0/24
route-map ThinkNetsec-ROUTEMAP-IN permit 10
 match ip address prefix-list ThinkNetsec-IN
route-map ThinkNetsec-ROUTEMAP-OUT permit 10
 match ip address prefix-list ThinkNetsec-OUT

Now that the route-maps have been defined, we will create the BGP configuration which will reference these. Below is the configuration of BGP on our loca ASA. This was configured knowing that our local AS is 64512, remote AS is 65413 and that our neighbor is 169.254.224.254.

router bgp 64512
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 169.254.224.254 remote-as 64513
  neighbor 169.254.224.254 timers 10 30 30
  neighbor 169.254.224.254 activate
  neighbor 169.254.224.254 route-map LAB1-LAB2-ROUTEMAP-IN in
  neighbor 169.254.224.254 route-map LAB1-LAB2-ROUTEMAP-OUT out
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family

BGP Configuration Explained

Some of the above configuration is default configuration but I will break down what it is that we configured. First, we configure our local router BGP AS 65412 which drops the configuration into the router configuration. We specify that we are using the address-family of ipv4, which then drops us down again. In this sub configuration, we can define the neighbors and what we should be sending/learning from the neighbors.

I configured our remote neighbor as 169.254.224.254, our peers address over the tunnel, which is using the AS number of 65413. Route-maps are added to the neighbor followed by either in/out. The final variable of in/out tells the BGP configuration that the ASA will either be allowed to send the networks in the route-map (out) or learn networks that match the route-map (in).

The redistribute connected/static is what tells BGP to send all known static and directly connected networks to the neighbors configured in BGP. This is what makes BGP send our local 192.168.100.0/24 network to the Remote peers (neighbor). The outbound route-map applied to the neighbor is what filters these networks to what is just defined in the route-map. A route-map can also be placed in the redistribute commands. This will also limit what is shared from the connected/static networks but this will limit to all neighbors.

Validation

If everything goes well, you will see the following when issuing 'show bgp' and 'show route'

ASA-LAB1# show bgp

BGP table version is 11, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 50.57.228.144/28 0.0.0.0 0 32768 ?
*> 169.254.224.252/30
0.0.0.0 0 32768 ?
*> 192.168.100.0 0.0.0.0 0 32768 ?
*> 192.168.150.0 169.254.224.254 0 0 64513 ?

 

ASA-LAB1# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 50.57.228.145 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 50.57.228.145, OUTSIDE
C 50.57.228.144 255.255.255.240 is directly connected, OUTSIDE
L 50.57.228.150 255.255.255.255 is directly connected, OUTSIDE
C 169.254.224.252 255.255.255.252 is directly connected, ROUTE-BASED
L 169.254.224.253 255.255.255.255 is directly connected, ROUTE-BASED
C 192.168.100.0 255.255.255.0 is directly connected, INSIDE
L 192.168.100.1 255.255.255.255 is directly connected, INSIDE
B 192.168.150.0 255.255.255.0 [20/0] via 169.254.224.254, 00:48:50

I may append more information to this article so follow back up for possible updates. Please comment below if you see any issues or if you would like more clarification. Feel free to contact me directly if you wish to reach out to me for help or if you have any questions.

Categories: ASAFirewallsVPN

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.