Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Network Design with BGP and Active/Passive ASA's

The following diagram is showing what I "Plan" on doing or "Hope" I can do. This is the most complicated deployment I have taken on in my profession, and Honestly it is very exciting, but had some questions.

1. The network between the ASA's and Routers, is that suppose to be a Private network or Public Network? I have to assume Public because I want my ASA's to take care of the NAT.

2. ASA's are runing single context Active/Standby so what way will the ASA push out going traffic?

3. The routers need to know about each other in a BGP configuration, correct? We accomplish this using iBGP so will that traffic need to be allowed through my firewall to allow the routers to share that information, or should these routers be talking to each other outside the firewalls?

Is this design possible? I am sure there are limitations as always, just trying to wrap my head around the flow of traffic and where to start.

Any suggestions would be helpful.

Additional Details/Requirements -

BGP routers are 2921's that I have control of. Both routers have 4 port GigEtherswitches in them.

ASA's are Active/Passive and cannot be Active/Active due the limitations of the Active/Active Design (VPN limitations)

Both ISP's must be used for outbound traffic, I would like to be able to load balance, but can send some traffic one way and the rest of the traffic the other way based on Routes.

ISP's are not Symentrical, one is 50mbps and the other is 250mbps.

All NAT should take place at the ASA's

Additional Questions:

The routers that have gig etherswitches, can they run HSRP?

Should I be putting Layer 3 switches between the routers and the ASA's instead?

Where should I run my iBGP communication for the routers?

Community Member

Re: Network Design with BGP and Active/Passive ASA's

I have modified my design a bit based on what i know about routing/switching and BGP. Because both ISP's need to be in use at the same time I put a pair of layer 3 switches in between the Edge Routers and the ASA's. I think I will run HSRP on these switches. I was also thinking about uplinking the ASA's to each layer 3 device as well.

Network Design with BGP and Active/Passive ASA's


check this thread:

Regarding your queries:

1. as you mentioned that you want NAT to happen on the ASA, so you'd have to use a public subnet in between

2. With all 4 devices on the same subnet i.e router's inside & ASA's outside will be on same segment, the Active ASA can send the traffic to both Router 1 & router 2 based on the routes you have configured. Now in ASA you can define up to three equal cost default  route entries per device. Defining more than one equal cost default  route entry causes the traffic sent to the default route to be  distributed among the specified gateways. When defining more than one  default route, you must specify the same interface for each entry. this is only possible when all these tree next hops are in the same subnet.

so this will work for you as both the routers are in the same subnet and can be configured for load balancing/sharing

3. You don't need to allow anything on the ASA for iBGP session between routers as they would be on the same subnet and would not traverse the ASA

Hope it helps


Community Member

Network Design with BGP and Active/Passive ASA's

Neeraj -

Thanks for your response, I have been crazy trying to get some answers on the design portion of this setup. Now I was thinking to myself last night, is there any reason not to uplink each ASA to each layer 3 switch as well as each layer 3 switch being uplinked to each BGP router? Also I keep runnning into conversations on how outbound load balancing in BGP is not easy and is not really a dynamic process. Is this true?

I also am wondering that with these devices after the ASA's having a public address space, how do you manage these devices remotely and safely?

Community Member

Re: Network Design with BGP and Active/Passive ASA's

OK some interesting questions. Have you got an AS number and PI space? If you don't you may have some challenges.

Do you expect to get precise load sharing or are you not really bothered?

Are you planning to take the full Internet routing table etc.

Sent from Cisco Technical Support iPad

Community Member

Re: Network Design with BGP and Active/Passive ASA's

Attached is my most recent design idea. I am a bit confused about the layer 3 switches in between the BGP routers and the ASA's, because I know in order to run HSRP, they need an IP address, but are these IPs Public? Separate VLAN?

We have our own AS number and full /24 block from our Primary ISP who is allowing our secondary ISP to advertise the block. I am not looking for percise load sharing, but load sharing, the two links from the ISP's are not symentrical in speed so I want most traffic to go out the 250mbps pipe.

We have two 2921's with 1GB of both RAM and Flash, so I guess we could hold the internet routing table, but I was thinking default route only. I have not thought that much ahead as I still struggle with the design aspect of the implementation.

Community Member

Re: Network Design with BGP and Active/Passive ASA's

you can run HSRP on your gateway routers on the common subnet between the ASA outside interfaces and the gateway routers. The router with the high bandwidth connection would be configured to have the highest priority. You would also run preemption. OK so far.

On the same common subnet described above you would run an iBGP connection.

Now your eBGP connections.

Assuming both router took the full internet routing table, the gateway router would be chosen by the shortest AS Path. So clearly it would depend how well connected your chosen ISPs are.

I do still have a concern if you haven't got PI address space, as this will cause asymmetric routing, unless both ISPs advertise your /24 range. For example their upstream peerings may not support the advertisement of prefixes of this length.

Sent from Cisco Technical Support iPad App

Community Member

Re: Network Design with BGP and Active/Passive ASA's

So I don't need an additional layer of layer 3 switches in this design between the edge routers and Asa's? Both ISP's will be advertising my /24 subnet this has been approved.

Sent from Cisco Technical Support iPhone App

Community Member

Re: Network Design with BGP and Active/Passive ASA's

Ok I am another stopping wall here with this. I have managed to learn a lot and get this going in my test lab, but seem to run into problems and when I get that problem fixed, I hit another one...

The diagram posted is what I am working with now.

I have the firewalls successfully failing over with the layer 3 switches configured in HSRP. Originally I configured one of the HSRP members with a higher priority and a preempt, only to find out that when I got it back online and it took the active role, the firewalls do not have an automatic feature that fails themselves back over so both members are priority 100 and the Active HSRP member stays with the Active Firewall. Great!

Now I am running into my good friend spanning tree between the Layer 3 switches and the routers. The routers have Etherswitches in them that connected to the same vlan as all the ports on the switches, thus creating one collision domain, this what I need to do if I want the whole area between the ASA's and the Routers to share the subnet, but Spanning tree will is blocking the Active HSRP member from passing traffic to both routers, this is a problem since I need to be able to send traffic to each router cuncurently.

Can someone please tell me where to start on this one?


CreatePlease to create content