10-30-2013 08:00 PM - edited 03-11-2019 07:58 PM
Hello Forum,
I would like to know why the Cisco ASA has the limitation in multicontext mode that it is not able to run routing protocols like OSPF and BGP.
If I look at the SRX firewall, you can cut it up virtually and configure BGP and OSPF routing instances with a virtual firewall.
Is there any possibility in the ASA product to run OSPF or BGP in multicontext mode?
Comments are welcome...
Thanks
Dave
10-30-2013 08:34 PM
Hello Jigar Dave,
ASA does support routing protocols on version 9.0 or above, at least OSPFv2 and EIGRP.
Reference:
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html
Look under Multiple Context Mode Features.
Unfortunately BGP is not supported by the ASA at all, not even on single context.
Hope this helps!
-Eddy Duran
10-30-2013 08:40 PM
Hi Eddy,
I know routing protocols are not supported in multicontext mode in ASA.
Even BGP is not supported at all.
But I would like to know "why"?
If, as a customer, one needs to buy a firewall that supports various departments of an organization, SRX gives that facility to differentiate departments by OSPF/BGP area, but in ASA it is not possible.
Looking for an interesting discussion on this topic.
Dave
04-28-2014 05:03 PM
I heard buzz a few months ago that BGP support is on the feature map for the ASA. I would assume this is software version 10.X running on the next-gen family (5515x, etc).
BGP support would be very useful for not only load-balancing between multiple ISPs, but also load balancing across multiple VPN tunnels. The Palo Alto firewalls do this very well and I'm thinking that's what finally put the pressure on Cisco to have a comparable product.
06-04-2014 04:28 PM
BGP now supported in ASA version 9.2.1 :)
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html
9.2.1 is currently only offered on the next-gen platforms (5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x).
04-29-2014 03:34 AM
To answer your question, Cisco wants its customers (or at least used to want its customers) to use the ASA as a firewall and not a router. So you would have one device that is your firewall and one device that is your router. I suppose they started to realize that customers are looking for an all in one device, so they started adding routing features to the ASA, and firewall features to the routers, yet the firewall still doesn't have all the routing capabilities of a router and the router doesn't have all the firewalling capabilities of the ASA.
You can speculate that this is a marketing ploy so you are required to purchase more devices, or you could look at it in such a way that it is best practice to separate all functionality in the instance that a device does get hacked.
--
Please remember to select a correct answer and rate
04-29-2014 05:20 AM
BGP support was introduced on ASA software 9.2, released just last week.
I would tend to agree with Marius on the advisability of routing with an ASA (or "firewalling" with a router).
Just because you CAN, doesn't mean you SHOULD.
06-05-2014 03:08 AM
Just to add documentation to what Marvin mentioned about BGP in 9.2 version:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-586890
--
Please remember to select a correct answer and rate helpful posts