issue for BGP with md5 through pix 7.1

Unanswered Question
Feb 23rd, 2007

hello all,

i have a problem with ebgp with md5 through pix 7.1.

as you know, to pass bgp with md5 traffic for the pix 6.3, i should configure a special configuration. it's no random sequence number at the static nat configuration.

static (i,o) norandomseq

thus, in the pix 6.3, there is no issue for ebgp with md5 through pix.

but, after upgrading pix from 6.3 to 7.1, the bgp with md5 does not work properly.

please let me know, how can i pass the ebgp with md5 traffic on the pix 7.2 code?



sebastan_bach Fri, 02/23/2007 - 23:04

hi john, the problem with pix 7.0 code is this: what actually happens is, when authentication is set with bgp, there is a hash of the payload sent along with the tcp segment. this is called option 19 in tcp.

pix by default removes any tcp options set with it.

to get this thing resolved, i am sure you would have heard of something called a tcp map. in the tcp map, set the parameter for setting the option 19.

it will resolve your problem for sure.

i am not sure about the commands but i have done it before.

hope this helps.



vitripat Sat, 02/24/2007 - 04:18

BGP uses TCP option 19, which is not permitted to pass through a PIX/ASA running 7.0 or higher. To permit traffic with these TCP options, the following tcp-map must be applied:

tcp-map BGP-MD5
 tcp-options range 19 19 allow

class-map BGP-MD5-CLASSMAP
 match port tcp eq 179

policy-map global_policy
 class BGP-MD5-CLASSMAP
  set connection advanced-options BGP-MD5
  set connection random-sequence-number disable

Also note that randomization of TCP sequence numbers must be disabled (you have already taken care of this using the "norandomseq" option in the static command).

This used to be done at the end of the static command, but the preferred option in 7.x and above is to use MPF and apply it via the policy-map. In addition, the addresses cannot be NATed. This is because the MD5 hash takes into account the IP header as well as the TCP header, therefore none of it can be changed.

Hope this resolved the issue.
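An added example (not part of the thread and not Cisco code) showing why each condition in the reply above matters: it computes the TCP MD5 signature carried in option 19 from the inputs RFC 2385 defines, then checks what the receiver concludes after a firewall clears the option, randomizes the sequence number, or translates the source address. The addresses, ports, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-secret"  # constructed sample BGP neighbor password
# Constructed SYN from a BGP speaker to its peer on tcp/179.
SEGMENT = dict(src_ip="192.0.2.1", dst_ip="198.51.100.2", sport=40000,
               dport=179, seq=1000, ack=0, flags=0x002, window=16384,
               payload=b"")

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   payload, key, header_len=40):
    """RFC 2385 digest: pseudo-header, fixed TCP header with checksum
    zeroed and options excluded, segment data, then the shared key."""
    seg_len = header_len + len(payload)  # 20 fixed + 20 bytes of options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0,
                         socket.IPPROTO_TCP, seg_len)
    offset_flags = ((header_len // 4) << 12) | flags
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                          offset_flags, window, 0, 0)  # checksum, urgent = 0
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()

def receiver_accepts(sent, received, option19_present=True):
    """The peer recomputes the digest over what arrived and compares it
    with the digest the sender placed in option 19."""
    if not option19_present:  # option cleared in transit: nothing to verify
        return False
    carried = tcp_md5_digest(key=KEY, **sent)
    recomputed = tcp_md5_digest(key=KEY, **received)
    return hmac.compare_digest(carried, recomputed)

def middlebox_effects():
    """Map each firewall behaviour to whether the BGP peer accepts the SYN."""
    s = SEGMENT
    return {
        "untouched": receiver_accepts(s, dict(s)),
        "option 19 cleared": receiver_accepts(s, dict(s), False),
        "sequence randomized": receiver_accepts(s, dict(s, seq=s["seq"] + 0x1234567)),
        "source address NATed": receiver_accepts(s, dict(s, src_ip="203.0.113.9")),
    }

if __name__ == "__main__":
    for case, ok in middlebox_effects().items():
        print(f"{case:22s} -> {'accepted' if ok else 'dropped by peer'}")
```

Only the untouched segment verifies, which is why the tcp-map, the random-sequence-number setting and the no-NAT requirement all have to hold at once.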



