So far, we have finished the configuration of R-NAT, R1 and R2. Let’s continue and complete the configuration of the remaining devices in our topology (Diagram 1). We’ll start with the ASA configuration.
The Cisco Adaptive Security Appliance (ASA) protects the inside network and DMZ. As our guide focuses on a multihoming configuration using BGP, we only cover the basic ASA configuration. It includes the access-lists configuration to allow BGP in all direction. In order to protect the enterprise network from advanced threats, application layer protocol inspection should be configured, in addition to the access-lists configuration.
interface GigabitEthernet0/0 description Link to CE-1 nameif OUTSIDE security-level 0 ip address 184.108.40.206 255.255.255.252 interface GigabitEthernet0/1 description Link to R1 nameif INSIDE security-level 100 ip address 220.127.116.11 255.255.255.252 interface GigabitEthernet0/2 description Link to DMZ nameif DMZ security-level 50 ip address 18.104.22.168 255.255.255.0Б.
Router R1 can initiate a TCP connection to CE-1 (22.214.171.124), destination TCP port 179 since R1 is connected to the interface Gi0/1 of ASA, configured with security level 100. Therefore, R1 can establish an iBGP adjacency with CE-1. However, we need to configure the access-list 1 (ACL1) that allows to initiate a TCP connection from CE-1 (outside) to R1 (inside), with the destination IP address 126.96.36.199 and TCP port 179. As the interface Gi0/0 is configured with a security level 0, we need to add the rule that permits traffic from CE-1 to DMZ router (188.8.131.52), with the destination TCP port 179. The statement permits traffic from the interface Gi0/0 with the security level 0 to the interface Gi0/2 with higher security level – 50. Therefore, CE-1 can initiate a TCP connection to the DMZ router.
access-list ACL1 extended permit tcp host 184.108.40.206 host 220.127.116.11 eq bgp access-list ACL1 extended permit tcp host 18.104.22.168 host 22.214.171.124 eq bgp
The ACL1 is applied on the outside interface (Gi0/0) in the inbound direction.
access-group ACL1 in interface OUTSIDE
The ACL2 contains a rule that permits TCP traffic from interface Gi0/2 connected to the DMZ and configured with security level 50, to the interface Gi0/1 with a level 100, destination IP 126.96.36.199 and TCP port 179 (BGP).
access-list ACL2 extended permit tcp host 188.8.131.52 host 184.108.40.206 eq bgp
The ACL2 is applied on the DMZ interface (Gi0/2) in the inbound direction.
access-group ACL2 in interface DMZ
ASA-1 is not participating in OSPF, so we need static routes in order to forward traffic to subnets that are outside the Gi0/1 interface. The subnets are NAT pools 220.127.116.11/24 (ISP-A), 18.104.22.168/24 (ISP-B), and 22.214.171.124/30, all routed via the next-hop IP address 126.96.36.199 (R1). The default route for forwarding outbound traffic to the Internet is configured with the next-hop 188.8.131.52 (CE-1).
route INSIDE 184.108.40.206 255.255.255.0 220.127.116.11 route INSIDE 18.104.22.168 255.255.255.0 22.214.171.124 route INSIDE 126.96.36.199 255.255.255.252 188.8.131.52 route OUTSIDE 0.0.0.0 0.0.0.0 184.108.40.206
interface GigabitEthernet0/0 description Link to CE-2 nameif OUTSIDE security-level 0 ip address 220.127.116.11 255.255.255.252 interface GigabitEthernet0/1 description Link to R2 nameif INSIDE security-level 100 ip address 18.104.22.168 255.255.255.252 interface GigabitEthernet0/2 description Link to DMZ nameif DMZ security-level 50 ip address 22.214.171.124 255.255.255.0
Access-lists configuration is similar to ASA-1. ACL1 permits BGP traffic from the outside BGP peer 126.96.36.199 (CE-1) to the peer 188.8.131.52 (inside) (R2) and to the peer 184.108.40.206 (DMZ) (router DMZ). ACL2 permits BGP traffic from a peer in DMZ interface to the inside R2.
access-list ACL1 extended permit tcp host 220.127.116.11 host 18.104.22.168 eq bgp access-list ACL1 extended permit tcp host 22.214.171.124 host 126.96.36.199 eq bgp access-list ACL2 extended permit tcp host 188.8.131.52 host 184.108.40.206 eq bgp
ACLs are applied in the inbound direction to the outside and DMZ interfaces.
access-group ACL1 in interface OUTSIDE access-group ACL2 in interface DMZ
We need to configure static routes to reach subnets behind the interface Gi0/1 and a default static route for outgoing traffic to the Internet.
route INSIDE 220.127.116.11 255.255.255.0 18.104.22.168 route INSIDE 22.214.171.124 255.255.255.252 126.96.36.199 route INSIDE 188.8.131.52 255.255.255.0 184.108.40.206 route OUTSIDE 0.0.0.0 0.0.0.0 220.127.116.11