
Cisco ASA - BGP or OSPF support on Multicontext Firewall?

Jigar Dave
Level 3

Hello Forum,

I would like to know why Cisco ASA in multicontext mode has the limitation that it is not able to run routing protocols like OSPF and BGP.

If I look at the SRX firewall, you can cut that virtually and can configure BGP and OSPF routing instances with a virtual firewall.

Is there any possibility in the ASA product to run OSPF or BGP in multicontext mode?

Comments are welcome...

Thanks

Dave

7 Replies

Eddy Duran
Level 1

Hello Jigar Dave,

ASA does support routing protocols on version 9.0 or above, at least OSPFv2 and EIGRP.

Reference:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html

Look under Multiple Context Mode Features.

Unfortunately BGP is not supported by the ASA at all, not even on single context.

Hope this helps!

-Eddy Duran

Hi Eddy,

I know routing protocols are not supported in multicontext mode in ASA.

Even BGP is not supported at all.

But I would like to know "why"?

If, as a customer, one needs to buy a firewall that supports various departments of an organization, SRX gives that facility to differentiate departments by OSPF/BGP area, but in ASA it is not possible.

Looking for an interesting discussion on this topic.

Dave

I heard buzz a few months ago that BGP support is on the feature map for the ASA.  I would assume this is software version 10.X running on the next-gen family (5515x, etc).  

BGP support would be very useful for not only load-balancing between multiple ISPs, but also load balancing across multiple VPN tunnels.  The Palo Alto firewalls do this very well and I'm thinking that's what finally put the pressure on Cisco to have a comparable product.

BGP now supported in ASA version 9.2.1 :)

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html


9.2.1 is currently only offered on the next-gen platforms (5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x)

To answer your question, Cisco wants its customers (or at least used to want its customers) to use the ASA as a firewall and not a router.  So you would have one device that is your firewall and one device that is your router.  I suppose they started to realize that customers are looking for an all in one device, so they started adding routing features to the ASA, and firewall features to the routers, yet the firewall still doesn't have all the routing capabilities of a router and the router doesn't have all the firewalling capabilities of the ASA.

You can speculate that this is a marketing ploy so you are required to purchase more devices, or you could look at it in such a way that it is best practice to separate all functionality in the instance that a device does get hacked.

--
Please remember to select a correct answer and rate helpful posts

BGP support was introduced on ASA software 9.2, released just last week.

I would tend to agree with Marius on the advisability of routing with an ASA (or "firewalling" with a router).

Just because you CAN, doesn't mean you SHOULD.

Just to add documentation to what Marvin mentioned about BGP in 9.2 version:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-586890

--
Please remember to select a correct answer and rate helpful posts