In recent years, the concepts of Artificial Intelligence (AI) and Machine Learning (ML)...
So far, we have finished the configuration of R-NAT, R1 and R2. Let’s continue and complete the configuration of the remaining devices in our topology (Diagram 1). We’ll start with the ASA configuration.
ASA Configuration
The Cisco Adaptive Security Appliance (ASA) protects the inside network and DMZ. As our guide focuses on a multihoming configuration using BGP, we only cover the basic ASA configuration. It includes the access-lists configuration to allow BGP in all direction. In order to protect the enterprise network from advanced threats, application layer protocol inspection should be configured, in addition to the access-lists configuration.
ASA-1 Configuration
interface GigabitEthernet0/0 description Link to CE-1 nameif OUTSIDE security-level 0 ip address 193.0.0.6 255.255.255.252 interface GigabitEthernet0/1 description Link to R1 nameif INSIDE security-level 100 ip address 193.0.0.9 255.255.255.252 interface GigabitEthernet0/2 description Link to DMZ nameif DMZ security-level 50 ip address 195.0.1.1 255.255.255.0Б.
Router R1 can initiate a TCP connection to CE-1 (193.0.0.5), destination TCP port 179 since R1 is connected to the interface Gi0/1 of ASA, configured with security level 100. Therefore, R1 can establish an iBGP adjacency with CE-1. However, we need to configure the access-list 1 (ACL1) that allows to initiate a TCP connection from CE-1 (outside) to R1 (inside), with the destination IP address 193.0.0.10 and TCP port 179. As the interface Gi0/0 is configured with a security level 0, we need to add the rule that permits traffic from CE-1 to DMZ router (195.0.1.3), with the destination TCP port 179. The statement permits traffic from the interface Gi0/0 with the security level 0 to the interface Gi0/2 with higher security level – 50. Therefore, CE-1 can initiate a TCP connection to the DMZ router.
access-list ACL1 extended permit tcp host 193.0.0.5 host 193.0.0.10 eq bgp access-list ACL1 extended permit tcp host 193.0.0.5 host 195.0.1.3 eq bgp
The ACL1 is applied on the outside interface (Gi0/0) in the inbound direction.
access-group ACL1 in interface OUTSIDE
The ACL2 contains a rule that permits TCP traffic from interface Gi0/2 connected to the DMZ and configured with security level 50, to the interface Gi0/1 with a level 100, destination IP 193.0.0.10 and TCP port 179 (BGP).
access-list ACL2 extended permit tcp host 195.0.1.3 host 193.0.0.10 eq bgp
The ACL2 is applied on the DMZ interface (Gi0/2) in the inbound direction.
access-group ACL2 in interface DMZ
ASA-1 is not participating in OSPF, so we need static routes in order to forward traffic to subnets that are outside the Gi0/1 interface. The subnets are NAT pools 193.0.1.0/24 (ISP-A), 194.0.1.0/24 (ISP-B), and 193.0.0.12/30, all routed via the next-hop IP address 193.0.0.10 (R1). The default route for forwarding outbound traffic to the Internet is configured with the next-hop 193.0.0.5 (CE-1).
route INSIDE 193.0.1.0 255.255.255.0 193.0.0.10 route INSIDE 194.0.1.0 255.255.255.0 193.0.0.10 route INSIDE 193.0.0.12 255.255.255.252 193.0.0.10 route OUTSIDE 0.0.0.0 0.0.0.0 193.0.0.5
ASA-2 Configuration
interface GigabitEthernet0/0 description Link to CE-2 nameif OUTSIDE security-level 0 ip address 194.0.0.6 255.255.255.252 interface GigabitEthernet0/1 description Link to R2 nameif INSIDE security-level 100 ip address 194.0.0.9 255.255.255.252 interface GigabitEthernet0/2 description Link to DMZ nameif DMZ security-level 50 ip address 195.0.1.2 255.255.255.0
Access-lists configuration is similar to ASA-1. ACL1 permits BGP traffic from the outside BGP peer 194.0.0.5 (CE-1) to the peer 194.0.0.10 (inside) (R2) and to the peer 195.0.1.3 (DMZ) (router DMZ). ACL2 permits BGP traffic from a peer in DMZ interface to the inside R2.
access-list ACL1 extended permit tcp host 194.0.0.5 host 194.0.0.10 eq bgp access-list ACL1 extended permit tcp host 194.0.0.5 host 195.0.1.3 eq bgp access-list ACL2 extended permit tcp host 195.0.1.3 host 194.0.0.10 eq bgp
ACLs are applied in the inbound direction to the outside and DMZ interfaces.
access-group ACL1 in interface OUTSIDE access-group ACL2 in interface DMZ
We need to configure static routes to reach subnets behind the interface Gi0/1 and a default static route for outgoing traffic to the Internet.
route INSIDE 193.0.1.0 255.255.255.0 194.0.0.10 route INSIDE 194.0.0.12 255.255.255.252 194.0.0.10 route INSIDE 194.0.1.0 255.255.255.0 194.0.0.10 route OUTSIDE 0.0.0.0 0.0.0.0 194.0.0.5